```javascript
const express = require('express')
const SamlStrategy = require('passport-saml').Strategy
const passport = require('passport')
const cookieSession = require('cookie-session')
const cookieParser = require('cookie-parser')

// Create express instance
const app = express()

// Configure your cookie session or alternatives
app.use(cookieParser())
app.use(cookieSession({
  name: 'session',
  keys: ['super secret'],
  maxAge: 2 * 24 * 60 * 60 * 1000 // 2 days
}))
app.use(passport.initialize())
app.use(passport.session())

passport.use(new SamlStrategy({
  protocol: 'https://',
  entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2)
  issuer: 'https://.../sp', // Entity ID (Step 4)
  path: '/auth/saml/callback', // ACS URL path (Step 4)
  cert: "MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==", // Certificate without begin and end
}, function (profile, done) {
  // Parse user profile data
  done(null, {
    email: profile.email,
    name: profile.name
  })
}))

passport.serializeUser(function (user, done) {
  done(null, user)
})
passport.deserializeUser(function (user, done) {
  done(null, user)
})

app.get('/login', passport.authenticate('saml', {
  successRedirect: '/',
  failureRedirect: '/login'
}))

app.get('/logout', function (req, res) {
  req.logout()
  res.end('You have logged out.')
})

app.post('/auth/saml/callback', passport.authenticate('saml', {
  failureRedirect: '/error',
  failureFlash: true
}), function (req, res) {
  res.redirect('/')
})

// Securing every path in production.
app.all('*', function (req, res, next) {
  if (req.isAuthenticated() || process.env.NODE_ENV !== 'production') {
    next()
  } else {
    res.redirect('/login')
  }
})
```
```sh
# https://github.com/bergie/passport-saml
yarn add passport passport-saml
```
Hi @gabrielmoncea
```javascript
passport.use(new SamlStrategy({
  protocol: 'https://',
  entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=`Here put the id`', // SSO URL (Step 2)
  issuer: "ID d'entité", // Entity ID (Step 4)
  callbackUrl: 'URL ACS',
  identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
  ....
```
According to your configuration, your URL ACS should be https://yourdomain.com/auth/saml/callback
and your issuer (Entity ID) should be something like https://yourdomain.com/sso/id
Does it help?
Yes thank you! I managed to make it work, after I realised that the issuer is just a string. I thought it should be a route and that route should do something.
Also, according to the documentation you should have a middleware on the callback route: `bodyParser.urlencoded({extended: false})`. I think it was redirecting me because I didn't have it.
On logout, do we need to clear the cookie session explicitly?
At the time of writing this comment this gist provided the following example configuration:

```javascript
...
passport.use(new SamlStrategy({
  protocol: 'https://',
  entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2)
  issuer: 'https://.../sp', // Entity ID (Step 4)
  path: '/auth/saml/callback' // ACS URL path (Step 4)
}, function (profile, done) {
...
```

That configuration example does not provide the `cert` option. Lack of `cert` means that if you are/were using passport-saml version < 3.0.0, verification of the authn response digital signature is/was silently skipped. I.e. an attacker can impersonate anyone he/she chooses just by posting whatever authn response he/she wants to the callback, and passport-saml would consume it as if it were a perfectly valid response from the IdP. This is a remotely exploitable situation.
For additional information see:
@fuxingloh @gabrielmoncea @Hugofromfrance
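A fail-closed startup check for the configuration gap described in the comment above, added here as an example; it is not code from the gist or from passport-saml. It uses the option names already on this page (`cert`, `entryPoint`, `issuer`, `path`/`callbackUrl`), and the placeholder patterns it rejects are assumptions drawn from the gist's template.

```javascript
// Added example, not the gist's code: a fail-closed check for the SamlStrategy
// options, run before passport.use(). A missing `cert` becomes a startup error
// instead of the silent skip of signature verification described above for
// passport-saml < 3.0.0 (newer versions reject a missing cert themselves).

// Strip PEM armour and whitespace so either a full PEM block or the bare
// base64 body used on this page ("without begin and end") is accepted.
function normalizeCert(cert) {
  if (typeof cert !== 'string') return ''
  return cert
    .replace(/-----(BEGIN|END) CERTIFICATE-----/g, '')
    .replace(/\s+/g, '')
}

// Return a copy of `opts` with the normalized cert, or throw listing every
// problem so misconfiguration fails at boot rather than at first login.
// The placeholder patterns rejected here (empty idpid=, '...' in issuer)
// are the ones left in the gist's template; treat them as assumptions.
function assertSafeSamlConfig(opts) {
  const problems = []
  const cert = normalizeCert(opts.cert)
  if (!cert) {
    problems.push('cert is missing: IdP response signatures would not be verified')
  } else if (cert.length < 100 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(cert)) {
    problems.push('cert is not a base64 certificate body')
  }
  if (!opts.entryPoint || /idpid=$/.test(opts.entryPoint)) {
    problems.push('entryPoint must contain the IdP id (idpid= is empty)')
  }
  if (!opts.issuer || opts.issuer.includes('...')) {
    problems.push('issuer (SP Entity ID) is unset or still a placeholder')
  }
  if (!opts.path && !opts.callbackUrl) {
    problems.push('set path or callbackUrl for the ACS endpoint')
  }
  if (problems.length) {
    throw new Error('Refusing to start SAML SP:\n - ' + problems.join('\n - '))
  }
  return { ...opts, cert }
}

// Usage: validate first, then hand the checked options to the strategy.
//   passport.use(new SamlStrategy(assertSafeSamlConfig(samlOptions), verify))
```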
Hi,
I have changed all the required details and am trying to log in, but the page redirects me to the Google login page again and again. In another browser it's forwarding the request and loading infinitely. Please help me to solve the issue.
I think I figured it out. I got the SSO from Step 2, and defined an `issuer` and `path` for the `SamlStrategy`. When I test the login route it enters a redirect loop and I don't know what causes it.

Basically the URL is as follows:

https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX&SAMLRequest=<message>

where the `message` changes continuously. I'm not sure if I set the `issuer` correctly, or it's something else.