const express = require('express')
const SamlStrategy = require('passport-saml').Strategy
const passport = require('passport')
const cookieSession = require('cookie-session')
const cookieParser = require('cookie-parser')

// Create express instance
const app = express()

// Configure your cookie session or alternatives
app.use(cookieParser())
app.use(cookieSession({
  name: 'session',
  keys: ['super secret'],
  maxAge: 2 * 24 * 60 * 60 * 1000 // 2 days
}))

// The IdP POSTs the SAML response as a form body, so the callback route needs a
// urlencoded body parser (express.urlencoded is the built-in equivalent of
// bodyParser.urlencoded); without it the callback never sees the response.
app.use(express.urlencoded({ extended: false }))

app.use(passport.initialize())
app.use(passport.session())

passport.use(new SamlStrategy({
  protocol: 'https://',
  entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2)
  issuer: 'https://.../sp', // Entity ID (Step 4)
  path: '/auth/saml/callback', // ACS URL path (Step 4)
  cert: "MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==" // Certificate without begin and end
}, function (profile, done) {
  // Parse user profile data
  done(null, {
    email: profile.email,
    name: profile.name
  })
}))

passport.serializeUser(function (user, done) {
  done(null, user)
})

passport.deserializeUser(function (user, done) {
  done(null, user)
})

app.get('/login', passport.authenticate('saml', {
  successRedirect: '/',
  failureRedirect: '/login'
}))

app.get('/logout', function (req, res) {
  req.logout()
  res.end('You have logged out.')
})

app.post('/auth/saml/callback', passport.authenticate('saml', {
  failureRedirect: '/error',
  failureFlash: true
}), function (req, res) {
  res.redirect('/')
})

// Securing every path in production.
// Registered after the public /login, /logout and callback routes so those stay
// reachable; every route added after this middleware requires an authenticated session.
app.all('*', function (req, res, next) {
  if (req.isAuthenticated() || process.env.NODE_ENV !== 'production') {
    next()
  } else {
    res.redirect('/login')
  }
})

app.listen(process.env.PORT || 3000)
# https://github.com/bergie/passport-saml
yarn add passport passport-saml
Yes thank you! I managed to make it work, after I realised that the issuer is just a string. I thought it should be a route and that route should do something.
Also, according to the documentation you should have a middleware on the callback route: bodyParser.urlencoded({extended: false}). I think it was redirecting me because I didn't have it.
On logout, do we need to clear the cookie session explicitly?
At the time of writing this comment this gist provided the following example configuration:
...
passport.use(new SamlStrategy({
  protocol: 'https://',
  entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2)
  issuer: 'https://.../sp', // Entity ID (Step 4)
  path: '/auth/saml/callback' // ACS URL path (Step 4)
}, function (profile, done) {
...
That configuration example does not provide the cert option. Lack of cert means that if you are/were using passport-saml version < 3.0.0, verification of the authn response digital signature is/was silently skipped, i.e. an attacker can impersonate anyone he/she chooses just by posting whatever authn response he/she wants to the callback, and passport-saml would consume it as if it were a perfectly valid response from the IdP. This is a remotely exploitable situation.
For additional information see:
@fuxingloh @gabrielmoncea @Hugofromfrance
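The missing-cert problem described in the comment above can be caught at startup rather than discovered in production. The following is an added example, not code from the gist or from passport-saml: it validates the same option names the gist passes to SamlStrategy (cert, entryPoint, issuer, path) before the strategy is constructed; the function names and the two sample configs are my own, and the certificate and idpid values in them are constructed placeholders.

```javascript
// Added example (not from the gist): reject a SamlStrategy config that lacks a
// cert (older passport-saml releases then skipped signature verification) or
// still carries placeholder values, before passport.use() ever runs.
function normalizeCert (cert) {
  // Accept raw base64 or a full PEM block; return just the base64 body.
  return String(cert || '')
    .replace(/-----(BEGIN|END) CERTIFICATE-----/g, '')
    .replace(/\s+/g, '')
}

function validateSamlConfig (opts) {
  const errors = []
  const cert = normalizeCert(opts.cert)
  if (!cert) {
    errors.push('cert is missing: IdP response signatures cannot be verified')
  } else if (!/^[A-Za-z0-9+/]+=*$/.test(cert)) {
    errors.push('cert is not base64 (strip PEM headers, line breaks and "...")')
  }
  if (!opts.entryPoint || /[?&]idpid=$/.test(opts.entryPoint)) {
    errors.push('entryPoint must be the IdP SSO URL including the idpid value')
  }
  if (!opts.issuer || opts.issuer.includes('...')) {
    errors.push('issuer must be the exact Entity ID registered with the IdP')
  }
  if (!opts.path || !opts.path.startsWith('/')) {
    errors.push('path must be the ACS callback path, e.g. /auth/saml/callback')
  }
  return errors
}

// Constructed sample configs: the weak one mirrors the gist's earlier revision
// (no cert, placeholder values); the fixed one has every value filled in.
const weakConfig = {
  protocol: 'https://',
  entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=',
  issuer: 'https://.../sp',
  path: '/auth/saml/callback'
}
const fixedConfig = {
  protocol: 'https://',
  entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=C0example', // placeholder id
  issuer: 'https://sp.example.com/sso/id',
  path: '/auth/saml/callback',
  cert: '-----BEGIN CERTIFICATE-----\nMIIBexampleBASE64==\n-----END CERTIFICATE-----'
}

// Typical use: throw on the error list, then call passport.use(new SamlStrategy(opts, ...)).
```

Running validateSamlConfig(weakConfig) returns three problems (cert, entryPoint, issuer) while validateSamlConfig(fixedConfig) returns an empty list, so a guard of the form `if (errors.length) throw new Error(errors.join('; '))` stops the server before it accepts unsigned responses.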
Hi,
I have changed all the required details and am trying to log in, but the page redirects me to the Google login page again and again. In another browser it forwards the request and loads infinitely. Please help me solve the issue.
Hi @gabrielmoncea
Google docs SAML
According to your configuration, your ACS URL should be https://yourdomain.com/auth/saml/callback and your issuer (Entity ID) should be something like https://yourdomain.com/sso/id
Does it help?