-
-
Save fuxingloh/4d6e1caa24237c5870809fe24c47726f to your computer and use it in GitHub Desktop.
| const express = require('express') | |
| const SamlStrategy = require('passport-saml').Strategy | |
| const passport = require('passport') | |
| const cookieSession = require('cookie-session') | |
| const cookieParser = require('cookie-parser') | |
| // Create express instance | |
| const app = express() | |
| // Configure your cookie session or alternatives | |
| app.use(cookieParser()) | |
| app.use(cookieSession({ | |
| name: 'session', | |
| keys: ['super secret'], | |
| maxAge: 2 * 24 * 60 * 60 * 1000 // 2 days | |
| })) | |
| app.use(passport.initialize()) | |
| app.use(passport.session()) | |
| passport.use(new SamlStrategy({ | |
| protocol: 'https://', | |
| entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2) | |
| issuer: 'https://.../sp', // Entity ID (Step 4) | |
| path: '/auth/saml/callback', // ACS URL path (Step 4) | |
| cert: "MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==", // Certificate without begin and end | |
| }, function (profile, done) { | |
| // Parse user profile data | |
| done(null, { | |
| email: profile.email, | |
| name: profile.name | |
| }) | |
| }) | |
| ) | |
| passport.serializeUser(function (user, done) { | |
| done(null, user) | |
| }) | |
| passport.deserializeUser(function (user, done) { | |
| done(null, user) | |
| }) | |
| app.get('/login', passport.authenticate('saml', { | |
| successRedirect: '/', | |
| failureRedirect: '/login' | |
| })) | |
| app.get('/logout', function (req, res) { | |
| req.logout() | |
| res.end('You have logged out.') | |
| }) | |
| app.post('/auth/saml/callback', passport.authenticate('saml', { | |
| failureRedirect: '/error', | |
| failureFlash: true | |
| }), function (req, res) { | |
| res.redirect('/') | |
| }) | |
| // Securing every path in production. | |
| app.all('*', function (req, res, next) { | |
| if (req.isAuthenticated() || process.env.NODE_ENV !== 'production') { | |
| next() | |
| } else { | |
| res.redirect('/login') | |
| } | |
| }) |
| # https://github.com/bergie/passport-saml | |
| yarn add passport passport-saml |
I think I figured it out. I got the SSO from Step 2, and defined an issuer and path for the SamlStrategy.
When I test the login route it enters a redirect loop and I don't know what causes it.
Basically the URL is as follows https://accounts.google.com/o/saml2/idp?idpid=XXXXXXXXX&SAMLRequest=<message> where the message changes continuously.
I'm not sure if I set the issuer correctly, or it's something else.
Hi @gabrielmoncea
passport.use(new SamlStrategy({
protocol: 'https://',
entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=`Here put the id`', // SSO URL (Step 2)
issuer: 'ID d'entité', // Entity ID (Step 4)
callbackUrl: 'URL ACS',
identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
....
According to your configuration, your URL ACS should be https://yourdomain.com/auth/saml/callback and your issuer (Entity ID) should be something like https://yourdomain.com/sso/id
Does it helps ?
Yes thank you! I managed to make it work, after I realised that the issuer is just a string. I thought it should be a route and that route should do something.
Also, according to the documentation you should have a middleware on the callback route
bodyParser.urlencoded({extended: false}). I think it was redirecting me because I didn't have it.
on logout, do we need to clear cookie session explicitly?
at the time of writing this comment this gist provided following example configuration:
...
passport.use(new SamlStrategy({
protocol: 'https://',
entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2)
issuer: 'https://.../sp', // Entity ID (Step 4)
path: '/auth/saml/callback' // ACS URL path (Step 4)
}, function (profile, done) {
...That configuration example does not provide cert option. Lack of cert means that if you are/were using passport-saml version < 3.0.0 verification of authn response digital signature is/was silenty skipped. I.e. attacker can impersonate anyone he/she chooses just by posting whatever authn response he/she wants to callback and passport-saml would consume it as if it would be perfectly valid response from IdP. This is remotely exploitable situation.
For additional information see:
@fuxingloh @gabrielmoncea @Hugofromfrance
Hi,
I have changed all the required details and trying to login but the page redirect me to google login page again and again. In another browser its forwarding the request and loading infinitely. Please help me to solve the issue.
I'm trying to find the instructions of how to get the SSO, Entity ID and ACS URL from Google, but I can only find docs where Google is the service provider or you have to login to a service provider.
Can you please help me with these steps?