passport-saml strategy implementaion in nodejs

node.js authentication passport.js passport-saml
Sunil Garg picture Sunil Garg · Dec 8, 2017 · Viewed 8.1k times · Source

I am using passport-saml for authentication. For this I have installed 

npm install passport passport-saml --save

And I have created my IDP using this blog Auth0.

Initialized passport and defined saml strategy

app.use(passport.initialize());

passport.use(new passportSaml.Strategy(
        {
            path: "/login/callback",
            entryPoint: "https://qpp1.auth0.com/samlp/bZVOM5KQmhyir5xEYhLHGRAQglks2AIp",
            issuer: "passport-saml",
            // Identity Provider's public key
            cert: fs.readFileSync("./src/cert/idp_cert.pem", "utf8"),
        },
        (profile, done) => {
            console.log("Profile : ",profile);
            let user = new Profile({ id: profile["nameID"], userName: profile["http://schemas.auth0.com/nickname"] });
            return done(null, user);
        }
    ));

And here are the routes

app.get("/login",
    passport.authenticate("saml", (err, profile) => {
        // control will not come here ????   
        console.log("Profile : ", profile);
    })
);
app.post("/login/callback",
         (req, res, next) => {
            passport.authenticate("saml", { session: false }, (err, user) => {
                req.user = user;
                next();
            })(req, res, next);
         },
         RouteHandler.sendResponse
);

Now this is working fine but I have some questions

1) What does issuer mean in saml strategy

2) Why I need to use passport.authenticate in two URL mappings. I don't understand why it is required in /login/callback request. And even control will not come to /login request's function that I have passed in passport.authenticate method?

What is the logic behind this? Is this useful in any scenario?

Answer

Steve Mohl picture Steve Mohl · Jun 29, 2018

We're just finishing up a multi-tenant passport-saml implementation. Through our research, test, and development cycle we have found the following:

  1. "issuer" seems to map to the EntityID in the SAML request/response assertions.
  2. The authenticate on the GET /login gives you SP-initiated flow capability. An AuthNRequest will be sent to the IdP. The user will authenticate (or is already authenticated) and then the IdP will make the callback to the assertion consumer service endpoint. In your case POST /login/callback authenticate. The POST /login/callback endpoint is the IdP-initiated SAML flow.

To learn how to integrate with our application, we started with just IdP-initiated flow with the ACS callback. Our very first customer which we integrated with was successful. However, the very first question they asked was, what URL should we use for SP-initiated flow? :-) I was able to get the SP-initiated flow working soon after.

I've tested this using both Salesforce developer and SSO Circle as test IdPs.

Hope this helps.

Related questions

Understanding passport serialize deserialize

How would you explain the workflow of Passport's serialize and deserialize methods to a layman. Where does user.id go after passport.serializeUser has been called? We are calling passport.deserializeUser right after it where does it fit in the …

Read More
What does passport.session() middleware do?

I am building an authentication system using Passport.js using Easy Node Authentication: Setup and Local tutorial. I am confused about what passport.session() does. After playing around with the different middleware I came to understand that express.session() is …

Read More
Redirecting to previous page after authentication in node.js using passport.js

I'm trying to establish a login mechanism using node.js, express and passport.js. The Login itself works quite nice, also sessions are stored nicely with redis but I do have some troubles with redirecting the user to where he …

Read More