Login/Register
passport-saml strategy implementaion in nodejs
Asked Answered
node.jsauthenticationpassport.jspassport-saml
M

1

6

I am using passport-saml for authentication. For this I have installed 

npm install passport passport-saml --save

And I have created my IDP using this blog Auth0.

Initialized passport and defined saml strategy

app.use(passport.initialize());

passport.use(new passportSaml.Strategy(
        {
            path: "/login/callback",
            entryPoint: "https://qpp1.auth0.com/samlp/bZVOM5KQmhyir5xEYhLHGRAQglks2AIp",
            issuer: "passport-saml",
            // Identity Provider's public key
            cert: fs.readFileSync("./src/cert/idp_cert.pem", "utf8"),
        },
        (profile, done) => {
            console.log("Profile : ",profile);
            let user = new Profile({ id: profile["nameID"], userName: profile["http://schemas.auth0.com/nickname"] });
            return done(null, user);
        }
    ));

And here are the routes

app.get("/login",
    passport.authenticate("saml", (err, profile) => {
        // control will not come here ????   
        console.log("Profile : ", profile);
    })
);
app.post("/login/callback",
         (req, res, next) => {
            passport.authenticate("saml", { session: false }, (err, user) => {
                req.user = user;
                next();
            })(req, res, next);
         },
         RouteHandler.sendResponse
);

Now this is working fine but I have some questions

1) What does issuer mean in saml strategy

2) Why I need to use passport.authenticate in two URL mappings. I don't understand why it is required in /login/callback request. And even control will not come to /login request's function that I have passed in passport.authenticate method?

What is the logic behind this? Is this useful in any scenario?

Masterwork answered 8/12, 2017 at 9:42 Comment(0)
F
8

We're just finishing up a multi-tenant passport-saml implementation. Through our research, test, and development cycle we have found the following:

  1. "issuer" seems to map to the EntityID in the SAML request/response assertions.
  2. The authenticate on the GET /login gives you SP-initiated flow capability. An AuthNRequest will be sent to the IdP. The user will authenticate (or is already authenticated) and then the IdP will make the callback to the assertion consumer service endpoint. In your case POST /login/callback authenticate. The POST /login/callback endpoint is the IdP-initiated SAML flow.

To learn how to integrate with our application, we started with just IdP-initiated flow with the ACS callback. Our very first customer which we integrated with was successful. However, the very first question they asked was, what URL should we use for SP-initiated flow? :-) I was able to get the SP-initiated flow working soon after.

I've tested this using both Salesforce developer and SSO Circle as test IdPs.

Hope this helps.

Farrel answered 29/6, 2018 at 19:34 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.