Login/Register
passport-saml and SAML encryption
Asked Answered
Solved node.jsencryptionpassport.jssaml-2.0shibboleth
V

1

9

I'm new to passport and passport-saml, and I'm trying to build a Node.js server that uses our University's Shibboleth identity provider for single sign-on. I'm pretty close to getting it all working, but I'm hitting a snag during the /login/callback that I think is related to the encryption configuration.

I am able to redirect the client to the sign-in page, and after a successful sign-in, the IdP does a POST back to my /login/callback route. Then I get this error:

Error: Invalid signature at SAML.validatePostResponse (.../node_modules/passport-saml/lib/passport-saml/saml.js:357:21) at Strategy.authenticate (.../node_modules/passport-saml/lib/passport-saml/strategy.js:68:18) at ...etc...

This sounds like maybe the certificate I'm passing to the cert config setting isn't correct? I'm assuming that the decryptionPvk and cert config settings supposed to be the private key I used to create my server's cert, and the Identity Provider's HTTPS certificate, respectively? Or should they be something else?

I'm using up-to-date versions of node and all the various modules (express, passport, passport-saml, etc.)

And for reference, here's the server script I'm using to test all of this:

"use strict;"

var https = require('https');
var fs = require('fs');
var express = require("express");
var morgan = require('morgan');
var bodyParser = require('body-parser');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var passport = require('passport');
var saml = require('passport-saml');

var cert = fs.readFileSync('./certs/my-server-https-cert.crt', 'utf-8');
var pvk = fs.readFileSync('./certs/my-server-private.key', 'utf-8');
var uwIdpCert = fs.readFileSync('./certs/our-idp-server-https-cert.pem', 'utf-8');

passport.serializeUser(function(user, done){
    done(null, user);
});

passport.deserializeUser(function(user, done){
    done(null, user);
});

var samlStrategy = new saml.Strategy({
    callbackUrl: 'https://my-domain-name.whatever.edu/login/callback',
    entryPoint: 'https://my-university/idp/entry/point',
    issuer: 'my-entity-id (domain name registered with university IdP)',
    decryptionPvk: pvk,
    cert: uwIdpCert
}, function(profile, done){
    console.log('Profile: %j', profile);
    return done(null, profile); 
});

passport.use(samlStrategy);

var app = express();
app.use(morgan('dev'));
app.use(bodyParser.urlencoded({extended: true}));
app.use(cookieParser());
app.use(session({secret: fs.readFileSync('./certs/session-secret.txt', 'utf-8')}));
app.use(passport.initialize());
app.use(passport.session());

app.get('/', 
    passport.authenticate('saml', {failureRedirect: '/login/fail'}), 
    function(req, res) {
        res.send('Hello World!');
    }
);

app.post('/login/callback',
  passport.authenticate('saml', { failureRedirect: '/login/fail', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);

app.get('/login/fail', 
    function(req, res) {
        res.send(401, 'Login failed');
    }
);

app.get('/Shibboleth.sso/Metadata', 
    function(req, res) {
        res.type('application/xml');
        res.send(200, samlStrategy.generateServiceProviderMetadata(cert));
    }
);

//general error handler
app.use(function(err, req, res, next){
    console.log('Express error!');
    console.error(err.stack);
    next(err);
});


var server = https.createServer({
    key: pvk,
    cert: cert
}, app);

server.listen(process.argv[2] || 44300, function(){
    console.log('Listening on port %d', server.address().port)
});

Any help or advice would be most appreciated!

View answered 25/6, 2014 at 22:45 Comment(1)
do you not see the solution in the answer and comments below?View
O
5

Yes, the cert is the certificate of the identity provider -- not necessarily its HTTPS certificate though.

Your shibboleth identity provider should have a provider metadata document. If you haven't already, you probably want to make sure the contents of uwIdpCert matches the <ds:X509Certificate> block in that document. (here is an example of what that metadata document should look like)

If you're pretty sure that the certificates are correct, I'd be curious to see the contents of the xml variable in SAML.prototype.validatePostResponse. (i.e., just throw in a console.log statement and see what it looks like). There have been some changes to the signature validation logic in passport-saml recently and it's possible your provider is doing something unexpected.

Overwhelming answered 26/6, 2014 at 23:58 Comment(4)
I debugged into it and the XML was an error message saying "Required NameID format not supported." The default for NameIDFormat seems to be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, which I'm guessing our IdP doesn't support. I have an email to our IT folks to ask which value I should use. Also looks like I can set it to null to omit it entirely. Any advice from your end? And thanks for your help!View
BTW, I do return a Metadata document--see the route for /Shibboleth.sso/Metadata above. But I thought I was supposed to use my cert when I call samlStrategy.generateServiceProviderMetadata(cert). Are you saying I should use the IdP's cert instead?View
If you find the metadata document, it should have <NameIdFormat> tags that tell you waht is accepted. (for instance, urn:oasis:names:tc:SAML:2.0:nameid-format:transient or urn:mace:shibboleth:1.0:nameIdentifier in that TestShib example that I linked to)Overwhelming
And to answer your second comment -- both you (the Service Provider) and the Identity Provider have metadata documents. Your comments are about your SP metadata, and you do use your own cert in that context. In my answer I was refering to the IdP's metadata doc.Overwhelming

© 2022 - 2024 — McMap. All rights reserved.