Build Status Known Vulnerabilities Greenkeeper badge

passport-verify is a Node.js and Passport.js client for the Verify Service Provider (VSP).

Before you start

Set up the VSP.


Step 1. Install passport-verify

npm install --save passport-verify

Step 2. Configure the passport-verify strategy

Use the createIdentityStrategy method to create a strategy when configuring passport.js. For more information about the method, see the API documentation for createIdentityStrategy.

The code block shows an example of how to configure the passport-verify strategy.

const passportVerify = require('passport-verify')
const bodyParser = require('body-parser')

// Real applications should have a real backend for storing users.
const fakeUserDatabase = {}

// Passport-Verify dependes on any bodyParser
// to be configured as a middleware.
app.use(bodyParser.urlencoded({extended: false}))


 // verifyServiceProviderHost

 // A callback for an identity authentication.
 // This function is called at the end of the authentication flow
 // with a user object that contains details of the user in attributes.
 // it should either return a user object or false if the user is not
 // accepted by the application for whatever reason. It can also return a
 // Promise in case it is asynchronous.
 function handleIdentity (identity) {

   // This should be an error case if the local matching strategy is
   // done correctly.
   if (fakeUserDatabase[]) {
     throw new Error(
       'Local matching strategy has defined ' +
       'the user to be new to the application, ' +
       'but the User PID already exists.')

   fakeUserDatabase[] = Object.assign({id:}, identity.attributes)
   return Object.assign({ levelOfAssurance: identity.levelOfAssurance }, fakeUserDatabase[])

// A callback that saves the unique request ID associated with the SAML messages
// to the user's session.
// This function is called after the Verify Service Provider has generated and
// returned the AuthnRequest and associated RequestID.
// The requestID should be saved in a secure manner, and such that it
// corresponds to the user's current session and can be retrieved in order to validate
// that SAML response that is returned from the IDP corresponds to the original AuthnRequest.
function saveRequestId (requestId, request) {

  // The following is an example that saves the requestId using the express-session middleware
  // This would require express-session to be initialised with a secure secret e.g:

  // const session = require('express-session')
  // app.use(session({
  //  secret: 'super secret secure token',
  //  resave: true,
  //  saveUninitialized: true
  // }))

  request.session.requestId = requestId

// A callback that returns the requestId that corresponds to the user's session.
// This is used by the Verify Service Provider to ensure SAMLResponses received from IDPS
// correspond to a the user's active session.
function loadRequestId (request) {

  // The following is an example that retrieves the request ID from the aforementioned
  // express-session object.
  return request.session.requestId
// Service Entity Id
// This is only required when your Verify Service Provider is set up to be multi tenanted.
// If it is provided, it is passed to the Verify Service Provider with each request, and
// used to identify this service.

// Saml Form Template Location
// This is an optional parameter which can be used to style the saml form
// used to send the authn request to Verify.
// This template should only be rendered if Javascript has been disabled in the user's browser.
// If provided, the ssoLocation and samlRequest recieved from the Verify Service Provider
// will be provided to the named template for rendering.
// If this is not provided, passport-verify will render a default auto posting form
// with the correct attributes.

// Level of Assurance
// LEVEL_1 or LEVEL2 depending on your service's requirements. Defaults to LEVEL_2.

If your service uses Matching Service Adapter, you should use the createStrategy method to create a strategy when configuring passport.js. See the API documentation for the createStrategy method for more details.

Step 3. Configure routes for the authentication flow

Use the createIdentityResponseHandler method to configure the routes for the authentication flow.

See the API documentation for more details about the createIdentityResponseHandler method and its callbacks.

The exact routes depend on how you plan on using the responses from GOV.UK Verify Hub. The example in the code block configures a route to allow a verified user to access the service:

// route for authenticating a user'/verify/start', passport.authenticate('verify'))

// route for handling a callback from verify'/verify/response', (req, res, next) => (

   // in this example, authenticate() is being called from within the route handler
   // rather than being used as middleware, this provides access to the request
   // and response objects through closure
   const authMiddleware = passport.authenticate('verify', function (error, identity, infoOrError, status) {

    if (error) {
      return res.send(`TODO: render error-page with message ${error: error.message}`)

    if (identity) {
      // passport-verify requires the use of a custom callback to handle successful
      // authentication
      return req.logIn(identity, () => res.send('TODO: redirect to service landing page')))

    return res.send(`TODO: redirect to authentication failed page with ${error: infoOrError}`)

  authMiddleware(req, res, next)

If your service uses a Matching Service Adapter, you should use the createResponseHandler method to configure routes for the authentication flow. See the API documentation for more details about the createResponseHandler method and its callbacks.

For a more detailed example with session support, see the example implementation.


passport-verify uses the debug package for logging, using passport-verify:log for infomation and passport-verify:requests to log api requests sent.

The package enables logging based on the environment variable DEBUG. To enable logs, set this variable;

  • For just information level logging, use passport-verify:log
  • For request logging, use passport-verify:requests
  • For both, use passport-verify:*

If you are using this package for your application, note that the DEBUG variable will be read as a comma seperated list, so you can add or remove passport-verify logs as necessary without changing your own.


See the API documentation for more details.


  • Identity Provider is a service that can authenticate users
  • Relying party is a service that needs to authenticate users
  • Verify Service Provider is a service that consumes and produces SAML messages that can be used to communicate with GOV.UK Verify
  • Passport.js is a Node.js library that provides a generic authentication framework for various authentication providers.

Contribute to passport-verify

If you want to make changes to passport-verify itself, fork the repository then:

Install the dependencies

npm install

Compile and test the code

npm test

Install dependencies, compile and test the code - run this before commiting

npm run pre-commit

Responsible Disclosure

If you think you have discovered a security issue in this code please email with details.

For non-security related bugs and feature requests please raise an issue in the github issue tracker.