Passport-SAML
This is a SAML 2.0 authentication provider for Passport, the Node.js authentication library.
The code was originally based on Michael Bosworth's express-saml library.
Passport-SAML has been tested to work with both SimpleSAMLphp-based Identity Providers and with Active Directory Federation Services (ADFS).
Installation
$ npm install passport-saml
Usage
Configure strategy
This example uses the Feide OpenIdp identity provider. You need an account there to log in with this, and you also need to register your site as a service provider. Once the user has authenticated, the SAML identity provider redirects them back to the URL given by the path configuration option:

```javascript
var SamlStrategy = require('passport-saml').Strategy;

passport.use(new SamlStrategy(
  {
    path: '/login/callback',                    // the IdP POSTs its Response back to this route
    entryPoint: '<IdP single sign-on URL>',      // placeholder: take it from the IdP's metadata
    issuer: '<your service provider entity ID>'  // placeholder: the ID you registered with the IdP
  },
  function(profile, done) {
    // Map the asserted profile to a local user; call done(err) to reject the login.
    return done(null, profile);
  }
));
```
Provide the authentication callback
You need to provide a route corresponding to the path configuration parameter given to the strategy. It must accept POST, because that is the binding the Identity Provider uses to deliver its Response:

```javascript
app.post('/login/callback',
  passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);
```
Authenticate requests
Use passport.authenticate(), specifying saml as the strategy. Hitting this route sends the user to the Identity Provider:

```javascript
app.get('/login',
  passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);
```
Security and signatures
Passport-SAML uses the HTTP Redirect Binding for its AuthnRequests, and expects to receive the Identity Provider's Response back via the HTTP POST binding at the callback route.

Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To sign them you need to provide the service provider's private key in PEM format via the privateCert configuration key (despite the name, this option takes the private key, not a certificate). For example:

```javascript
var fs = require('fs');

// ...
privateCert: fs.readFileSync('./sp-key.pem', 'utf-8')  // path is a placeholder
```
Always validate the incoming SAML Responses: a Response whose signature is not checked against a known Identity Provider certificate could have been produced by anyone able to POST to your callback URL. Provide the Identity Provider's signing certificate, in the format shown (the base64 body of the certificate without the BEGIN/END CERTIFICATE lines), via the cert configuration key:

```javascript
cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='
```
Usage with Active Directory Federation Services
Here is a configuration that has been proven to work with ADFS:

```javascript
{
  entryPoint: 'https://ad.example.net/adfs/ls/',
  issuer: 'https://your-app.example.net/login/callback',
  callbackUrl: 'https://your-app.example.net/login/callback',
  cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==',
  identifierFormat: null
}
```

Setting identifierFormat to null tells Passport-SAML not to request a specific NameID format, leaving the choice to ADFS. Please note that ADFS needs to have a relying party trust established for your service in order for this to work.