Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

passport-saml strategy implementaion in nodejs

I am using passport-saml for authentication. For this I have installed

npm install passport passport-saml --save

And I have created my IDP using this blog Auth0.

Initialized passport and defined saml strategy

app.use(passport.initialize());

passport.use(new passportSaml.Strategy(
        {
            path: "/login/callback",
            entryPoint: "https://qpp1.auth0.com/samlp/bZVOM5KQmhyir5xEYhLHGRAQglks2AIp",
            issuer: "passport-saml",
            // Identity Provider's public key
            cert: fs.readFileSync("./src/cert/idp_cert.pem", "utf8"),
        },
        (profile, done) => {
            console.log("Profile : ",profile);
            let user = new Profile({ id: profile["nameID"], userName: profile["http://schemas.auth0.com/nickname"] });
            return done(null, user);
        }
    ));

And here are the routes

app.get("/login",
    passport.authenticate("saml", (err, profile) => {
        // control will not come here ????   
        console.log("Profile : ", profile);
    })
);
app.post("/login/callback",
         (req, res, next) => {
            passport.authenticate("saml", { session: false }, (err, user) => {
                req.user = user;
                next();
            })(req, res, next);
         },
         RouteHandler.sendResponse
);

Now this is working fine but I have some questions

1) What does issuer mean in saml strategy

2) Why I need to use passport.authenticate in two URL mappings. I don't understand why it is required in /login/callback request. And even control will not come to /login request's function that I have passed in passport.authenticate method?

What is the logic behind this? Is this useful in any scenario?

like image 960
Sunil Garg Avatar asked Dec 08 '17 09:12

Sunil Garg


People also ask

How does Passport-SAML work?

Passport-SAML uses the HTTP Redirect Binding for its AuthnRequest s (unless overridden with the authnRequestBinding parameter), and expects to receive the messages back via the HTTP POST binding.

How does Nodejs passport work?

Passport is a popular, modular authentication middleware for Node. js applications. With it, authentication can be easily integrated into any Node- and Express-based app. The Passport library provides more than 500 authentication mechanisms, including OAuth, JWT, and simple username and password based authentication.


1 Answers

We're just finishing up a multi-tenant passport-saml implementation. Through our research, test, and development cycle we have found the following:

  1. "issuer" seems to map to the EntityID in the SAML request/response assertions.
  2. The authenticate on the GET /login gives you SP-initiated flow capability. An AuthNRequest will be sent to the IdP. The user will authenticate (or is already authenticated) and then the IdP will make the callback to the assertion consumer service endpoint. In your case POST /login/callback authenticate. The POST /login/callback endpoint is the IdP-initiated SAML flow.

To learn how to integrate with our application, we started with just IdP-initiated flow with the ACS callback. Our very first customer which we integrated with was successful. However, the very first question they asked was, what URL should we use for SP-initiated flow? :-) I was able to get the SP-initiated flow working soon after.

I've tested this using both Salesforce developer and SSO Circle as test IdPs.

Hope this helps.

like image 105
Steve Mohl Avatar answered Sep 29 '22 09:09

Steve Mohl