Passport-SAML
This is a SAML 2.0 authentication provider for Passport, the Node.js authentication library.
The code was originally based on Michael Bosworth's express-saml library.
Passport-SAML has been tested to work with both SimpleSAMLphp based Identity Providers, and with Active Directory Federation Services.
Installation
$ npm install passport-saml
Usage
Configure strategy
This example utilizes the Feide OpenIdp identity provider. You need an account there to log in with this. You also need to register your site as a service provider.
The SAML identity provider will redirect you to the URL provided by the path
configuration.
passport.use(new SamlStrategy(
{
path: '/login/callback',
entryPoint: 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
issuer: 'passport-saml'
},
function(profile, done) {
findByEmail(profile.email, function(err, user) {
if (err) {
return done(err);
}
return done(null, user);
});
})
));
Provide the authentication callback
You need to provide a route corresponding to the path
configuration parameter given to the strategy:
app.post('/login/callback',
passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
function(req, res) {
res.redirect('/');
}
);
Authenticate requests
Use passport.authenticate()
, specifying saml
as the strategy:
app.get('/login',
passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
function(req, res) {
res.redirect('/');
}
);
Security and signatures
Passport-SAML uses the HTTP Redirect Binding for its AuthnRequest
s, and expects to receive the messages back via the HTTP POST binding.
Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format via the privateCert
configuration key. For example:
privateCert: fs.readFileSync('./cert.pem', 'utf-8')
It is a good idea to validate the incoming SAML Responses. For this, you can provide the Identity Provider's certificate using the cert
confguration key:
cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='
Usage with Active Directory Federation Services
Here is a configuration that has been proven to work with ADFS:
{
entryPoint: 'https://ad.example.net/adfs/ls/',
issuer: 'https://your-app.example.net/login/callback',
callbackUrl: 'https://your-app.example.net/login/callback',
cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==',
identifierFormat: null
}
Please note that ADFS needs to have a trust established to your service in order for this to work.