WSFED/SAMLP 2.0 authentication Passport strategies for Windows Azure Active Directory

Windows Azure Active Directory Passport.js Plug-In

Passport is authentication middleware for Node.js. Passport can be used in any Express-based web application. A comprehensive and large set of strategies support authentication using a username and password, Facebook, Twitter, and more. In order to enable you to quickly integrate Windows Azure Active Directory in to your website quickly, we have developed a strategy for Windows Azure Active Directory.

The passport-azure-ad module is a WS-Federation / SAML-P authentication provider for Passport. This provider lets you integrate your Node app with Windows Azure AD so you can use its many features, including web single sign-on (WebSSO).

The code is based on Henri Bergius's passport-saml library and Matias Woloski's passport-wsfed-saml2 library.

passport-azure-ad has been tested to work with both Windows Azure Active Directory and with Microsoft Active Directory Federation Services.

For a detailed walkthrough of using Passport.js to add web single sign-on to a Node app, see: Windows Azure AD Walkthrough for Node.js.

$ npm install passport-azure-ad

This sample uses a WS-Federation protocol with express:

var express = require('express');
var passport = require('passport');
var wsfedsaml2 = require('passport-azure-ad').WsfedStrategy
var app = express();
// configure express 
app.use(express.session({ secret: 'keyboard cat' }));
var config = {
    realm: 'http://localhost:3000/',
    identityProviderUrl: '',
    identityMetadata: ''
var wsfedStrategy = new wsfedsaml2(config, function(profiledone) {
    if (! {
        done(new Error("No email found"));
    // validate the user here 
    done(null, profile);
// implement your user session strategy here 
passport.serializeUser(function(user,cb){ ... });
passport.deserializeUser(function(userid,cb){ ... });
// send the user to WAAD to authenticate     
app.get('/login', passport.authenticate('wsfed-saml2', { failureRedirect: '/', failureFlash: true }), function(reqres) {
// callback from WAAD with a token'/login/callback', passport.authenticate('wsfed-saml2', { failureRedirect: '/', failureFlash: true }), function(reqres) {
app.listen(process.env.PORT || 3000)

Copyright (c) Microsoft Open Technologies, Inc. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License");