Skip to content

Instantly share code, notes, and snippets.

@fuxingloh
Last active July 31, 2024 14:31
Show Gist options
  • Save fuxingloh/4d6e1caa24237c5870809fe24c47726f to your computer and use it in GitHub Desktop.
Save fuxingloh/4d6e1caa24237c5870809fe24c47726f to your computer and use it in GitHub Desktop.
How to use express.js and passport.js with G Suite SAML Apps SSO
const express = require('express')
const SamlStrategy = require('passport-saml').Strategy
const passport = require('passport')
const cookieSession = require('cookie-session')
const cookieParser = require('cookie-parser')
// Create express instance
const app = express()
// Configure your cookie session or alternatives
app.use(cookieParser())
app.use(cookieSession({
name: 'session',
keys: ['super secret'],
maxAge: 2 * 24 * 60 * 60 * 1000 // 2 days
}))
app.use(passport.initialize())
app.use(passport.session())
passport.use(new SamlStrategy({
protocol: 'https://',
entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2)
issuer: 'https://.../sp', // Entity ID (Step 4)
path: '/auth/saml/callback', // ACS URL path (Step 4)
cert: "MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==", // Certificate without begin and end
}, function (profile, done) {
// Parse user profile data
done(null, {
email: profile.email,
name: profile.name
})
})
)
passport.serializeUser(function (user, done) {
done(null, user)
})
passport.deserializeUser(function (user, done) {
done(null, user)
})
app.get('/login', passport.authenticate('saml', {
successRedirect: '/',
failureRedirect: '/login'
}))
app.get('/logout', function (req, res) {
req.logout()
res.end('You have logged out.')
})
app.post('/auth/saml/callback', passport.authenticate('saml', {
failureRedirect: '/error',
failureFlash: true
}), function (req, res) {
res.redirect('/')
})
// Securing every path in production.
app.all('*', function (req, res, next) {
if (req.isAuthenticated() || process.env.NODE_ENV !== 'production') {
next()
} else {
res.redirect('/login')
}
})
# https://github.com/bergie/passport-saml
yarn add passport passport-saml
@gabimoncha
Copy link

I think I figured it out. I got the SSO from Step 2, and defined an issuer and path for the SamlStrategy.
When I test the login route it enters a redirect loop and I don't know what causes it.
Basically the URL is as follows https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX&SAMLRequest=<message> where the message changes continuously.
I'm not sure if I set the issuer correctly, or it's something else.

@Hugofromfrance
Copy link

Hugofromfrance commented Jun 27, 2019

Hi @gabrielmoncea

Google docs SAML

Capture d’écran 2019-06-27 à 14 58 12

passport.use(new SamlStrategy({
    protocol: 'https://',
    entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=`Here put the id`', // SSO URL (Step 2)
    issuer: 'ID d'entité', // Entity ID (Step 4)
    callbackUrl: 'URL ACS',
    identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',

....

According to your configuration, your URL ACS should be https://yourdomain.com/auth/saml/callback and your issuer (Entity ID) should be something like https://yourdomain.com/sso/id

Does it helps ?

@gabimoncha
Copy link

Yes thank you! I managed to make it work, after I realised that the issuer is just a string. I thought it should be a route and that route should do something.
Also, according to the documentation you should have a middleware on the callback route
bodyParser.urlencoded({extended: false}). I think it was redirecting me because I didn't have it.

@kalyanchakravarthys
Copy link

on logout, do we need to clear cookie session explicitly?

@srd90
Copy link

srd90 commented Apr 30, 2022

at the time of writing this comment this gist provided following example configuration:

...
passport.use(new SamlStrategy({
    protocol: 'https://',
    entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2)
    issuer: 'https://.../sp', // Entity ID (Step 4)
    path: '/auth/saml/callback' // ACS URL path (Step 4)

  }, function (profile, done) {
...

That configuration example does not provide cert option. Lack of cert means that if you are/were using passport-saml version < 3.0.0 verification of authn response digital signature is/was silenty skipped. I.e. attacker can impersonate anyone he/she chooses just by posting whatever authn response he/she wants to callback and passport-saml would consume it as if it would be perfectly valid response from IdP. This is remotely exploitable situation.

For additional information see:

  1. node-saml/passport-saml#523
  2. node-saml/passport-saml#180
  3. node-saml/passport-saml#199

@fuxingloh @gabrielmoncea @Hugofromfrance

@manishamittal16
Copy link

Hi,
I have changed all the required details and trying to login but the page redirect me to google login page again and again. In another browser its forwarding the request and loading infinitely. Please help me to solve the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment