Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SAML2.0 Authentication with Node.js and SPA

Tags:

node.js

reactjs

saml-2.0

passport-saml

I've been scratching my head for about 2 days on how to solve what seemed to be a simple task, but it's starting to drive me crazy.

I have an application where users will use SAML 2.0 to authenticate. I have a react-application set up for the front-end, and was thinking I was gonna use JWT to secure the rest-api communication between front-end and backend.

When a user signs in, the flow is the following:

  1. User accesses www.server.com/ and gets served the static HTML with react-application
  2. User clicks 'Sign in' and accesses www.server.com/login
  3. passport-saml redirects user to saml identity provider. User logs in.
  4. User calls back to www.server.com/callback with a SamlResponse in the req.body which is decoded by passport-saml and put into req.user.
  5. If the user doesn't already exist, I create the user in the database.
  6. I create a JWT.

What should I do next? The problem is that the user is not in the react-application when calling back from the identity provider, so I've lost all state in the application, so whatever I reply with will get sent to the browser.

Is there any way I could force the browser to give me the SamlResponse which the identityprovider is calling back with? Then I could send it to the server as a http-request from the react-application.

like image 291
Stian Bakken Avatar asked Jun 16 '17 15:06

Stian Bakken

People also ask

How do I fix SAML 2.0 authentication failed?

Reconfigure IdP details in Service Provider and try again. Unable to process the Status Code received. There may be multiple reasons for this issue- Authentication failure in IdP or Time mismatch between IdP Server and SP Server. Mostly, Reconfigure the IdP and SP details in both IdP and SP should solve the issue.

How do I use SAML in node JS?

Select PASSWORD from the First Factor Type dropdown. Click on save button to configure Nodejs. Click on metadata and copy IDP Entity ID, SAML Login URL, SAML Logout URL, X509 Certificate. Add IDP and SP configurations in saml-config.

Is SAML 2.0 still used?

SAML 2.0 was introduced in 2005 and remains the current version of the standard. The previous version, 1.1, is now largely deprecated.

What is SAML 2.0 based authentication?

SAML 2.0 (Security Assertion Markup Language) is an open standard created to provide cross-domain single sign-on (SSO). In other words, it allows a user to authenticate in a system and gain access to another system by providing proof of their authentication.

1 Answers

After some thinking, I came up with the following solution which worked quite nicely for me.

SAML has something called RelayState which is a property that the Service Provider has to respond with. So now the process looks like this:

  1. User accesses http://frontendserver.com and gets server the static page with the React application (not signed in.).
  2. User clicks 'Login' and gets redirected to http://backendserver.com/login/?RelayState=http://frontendserver.com which authenticates via passport-saml and redirects user to SP. So I pass the origin of the request in RelayState.
  3. User calls back to http://backendserver.com/callback with the SamlResponse, which includes the RelayState.
  4. I create a token, and redirect the user to RelayState/#token.
  5. I can then parse the url in the React application, and add the token as a header for any further requests.

This might've seemed like the obvious way to do it, but it took me quite a while to figure out that this would work.

like image 144
Stian Bakken Avatar answered Sep 19 '22 17:09

Stian Bakken
Sign in to Comment

Related questions

WebSocket data consumption
What is the proper way of referencing css and js files with handlebars?
Error while running react application
Puppeteer | Wait for all JavaScript is executed
How do I install node module @babel/plugin-transform-class-properties?
Argument of type 'this' not assignable to parameter 'Construct'
Node.js - cannot find module
Testing Mongoose Node.JS app
How can I share mongoose models between 2 apps?
Javascript Convert String to Array of Objects
Connection to Mongodb-Native-Driver in express.js
Using node.js in a production environment
How do I build 32-bit binaries on a 64-bit system using npm?
Sails.js with React.js, how to do it correctly?
How to get filename and line number of where a function is called in Node?
npm install generates huge list of errors
How to merge multiple (npm) package.json files into one with Gulp?
Node using wrong version after Brew Install
Concatenate NPM Script Commands?
How to allow CORS with Node.js (without using Express)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!