I am using passport-saml for authentication. For this I have installed
npm install passport passport-saml --save
And I have created my IdP using this Auth0 blog.
Initialized passport and defined the SAML strategy:
const fs = require("fs");
const passport = require("passport");
const passportSaml = require("passport-saml");

app.use(passport.initialize());
passport.use(new passportSaml.Strategy(
  {
    path: "/login/callback",
    entryPoint: "https://qpp1.auth0.com/samlp/bZVOM5KQmhyir5xEYhLHGRAQglks2AIp",
    issuer: "passport-saml",
    // Identity Provider's public key
    cert: fs.readFileSync("./src/cert/idp_cert.pem", "utf8"),
  },
  (profile, done) => {
    console.log("Profile : ", profile);
    // Profile is the application's own user model (not shown here)
    let user = new Profile({ id: profile["nameID"], userName: profile["http://schemas.auth0.com/nickname"] });
    return done(null, user);
  }
));
And here are the routes:
app.get("/login",
  passport.authenticate("saml", (err, profile) => {
    // control will not come here ????
    console.log("Profile : ", profile);
  })
);

app.post("/login/callback",
  (req, res, next) => {
    passport.authenticate("saml", { session: false }, (err, user) => {
      req.user = user;
      next();
    })(req, res, next);
  },
  RouteHandler.sendResponse
);
Now this is working fine, but I have some questions:
1) What does issuer mean in the SAML strategy?
2) Why do I need to use passport.authenticate in two URL mappings? I don't understand why it is required in the /login/callback request. And why does control never reach the function I passed to passport.authenticate in the /login request?
What is the logic behind this? Is this useful in any scenario?
Passport-SAML uses the HTTP Redirect Binding for its AuthnRequests (unless overridden with the authnRequestBinding parameter), and expects to receive the messages back via the HTTP POST binding.
Passport is a popular, modular authentication middleware for Node.js applications. With it, authentication can be easily integrated into any Node- and Express-based app. The Passport library provides more than 500 authentication mechanisms, including OAuth, JWT, and simple username-and-password-based authentication.
We're just finishing up a multi-tenant passport-saml implementation. Through our research, test, and development cycle we have found the following:
To learn how to integrate with our application, we started with just IdP-initiated flow with the ACS callback. Our very first customer which we integrated with was successful. However, the very first question they asked was, what URL should we use for SP-initiated flow? :-) I was able to get the SP-initiated flow working soon after.
I've tested this using both Salesforce developer and SSO Circle as test IdPs.
Hope this helps.