Use crypto.randomBytes for ID generation (#235)

* Use crypto.randomBytes for ID generation

Math.random is not cryptographically secure, and IDs generated with it could potentially be predicted. Use crypto.randomBytes instead.

Author: autopulated

lib/passport-saml/saml.js

@@ -94,12 +94,7 @@ SAML.prototype.getCallbackUrl = function (req) {
 };
 
 SAML.prototype.generateUniqueID = function () {
-  var chars = "abcdef0123456789";
-  var uniqueID = "";
-  for (var i = 0; i < 20; i++) {
-    uniqueID += chars.substr(Math.floor((Math.random()*15)), 1);
-  }
-  return uniqueID;
+  return crypto.randomBytes(10).toString('hex');
 };
 
 SAML.prototype.generateInstant = function () {