SAML 2.0 authentication strategy for Passport
The code was originally based on Michael Bosworth's express-saml library.
$ npm install passport-saml
The SAML identity provider will redirect you to the URL provided by the `path` configuration:

```js
var SamlStrategy = require('passport-saml').Strategy;

passport.use(new SamlStrategy(
  {
    path: '/login/callback',
    entryPoint: '',   // the IdP's SSO service URL (value not reproduced on this page)
    issuer: 'passport-saml'
  },
  function(profile, done) {
    // look the asserted user up by the email attribute the IdP returned
    findByEmail(profile.email, function(err, user) {
      if (err) {
        return done(err);
      }
      return done(null, user);
    });
  })
);
```
You need to provide a route corresponding to the `path` configuration parameter given to the strategy:

```js
app.post('/login/callback',
  passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);
```
Use `passport.authenticate()`, specifying `saml` as the strategy:

```js
app.get('/login',
  passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);
```
Passport-SAML uses the HTTP Redirect Binding for its `AuthnRequest`s, and expects to receive the messages back via the HTTP POST binding.
Authentication requests sent by Passport-SAML can be signed using RSA-SHA1. To sign them you need to provide a private key in the PEM format via the `privateCert` configuration key. For example:

```js
privateCert: fs.readFileSync('./cert.pem', 'utf-8')
```
It is a good idea to validate the incoming SAML Responses. For this, you can provide the Identity Provider's certificate using the `cert` configuration key:

```js
cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W=='
```
Here is a configuration that has been proven to work with ADFS:

```js
{
  entryPoint: '',    // the ADFS sign-on endpoint URL (value not reproduced on this page)
  issuer: '',        // your service's entity ID (value not reproduced on this page)
  callbackUrl: '',   // absolute URL of your /login/callback route (value not reproduced on this page)
  cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==',
  identifierFormat: null
}
```
Please note that ADFS needs to have a trust established to your service in order for this to work.