Last active
February 24, 2023 16:16
-
-
Save fuxingloh/4d6e1caa24237c5870809fe24c47726f to your computer and use it in GitHub Desktop.
How to use express.js and passport.js with G Suite SAML Apps SSO
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const express = require('express') | |
| const SamlStrategy = require('passport-saml').Strategy | |
| const passport = require('passport') | |
| const cookieSession = require('cookie-session') | |
| const cookieParser = require('cookie-parser') | |
| // Create express instance | |
| const app = express() | |
| // Configure your cookie session or alternatives | |
| app.use(cookieParser()) | |
| app.use(cookieSession({ | |
| name: 'session', | |
| keys: ['super secret'], | |
| maxAge: 2 * 24 * 60 * 60 * 1000 // 2 days | |
| })) | |
| app.use(passport.initialize()) | |
| app.use(passport.session()) | |
| passport.use(new SamlStrategy({ | |
| protocol: 'https://', | |
| entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2) | |
| issuer: 'https://.../sp', // Entity ID (Step 4) | |
| path: '/auth/saml/callback', // ACS URL path (Step 4) | |
| cert: "MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==", // Certificate without begin and end | |
| }, function (profile, done) { | |
| // Parse user profile data | |
| done(null, { | |
| email: profile.email, | |
| name: profile.name | |
| }) | |
| }) | |
| ) | |
| passport.serializeUser(function (user, done) { | |
| done(null, user) | |
| }) | |
| passport.deserializeUser(function (user, done) { | |
| done(null, user) | |
| }) | |
| app.get('/login', passport.authenticate('saml', { | |
| successRedirect: '/', | |
| failureRedirect: '/login' | |
| })) | |
| app.get('/logout', function (req, res) { | |
| req.logout() | |
| res.end('You have logged out.') | |
| }) | |
| app.post('/auth/saml/callback', passport.authenticate('saml', { | |
| failureRedirect: '/error', | |
| failureFlash: true | |
| }), function (req, res) { | |
| res.redirect('/') | |
| }) | |
| // Securing every path in production. | |
| app.all('*', function (req, res, next) { | |
| if (req.isAuthenticated() || process.env.NODE_ENV !== 'production') { | |
| next() | |
| } else { | |
| res.redirect('/login') | |
| } | |
| }) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://github.com/bergie/passport-saml | |
| yarn add passport passport-saml |
Hi,
I have changed all the required details and trying to login but the page redirect me to google login page again and again. In another browser its forwarding the request and loading infinitely. Please help me to solve the issue.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
at the time of writing this comment this gist provided following example configuration:
That configuration example does not provide
certoption. Lack ofcertmeans that if you are/were usingpassport-samlversion< 3.0.0verification of authn response digital signature is/was silenty skipped. I.e. attacker can impersonate anyone he/she chooses just by posting whatever authn response he/she wants to callback andpassport-samlwould consume it as if it would be perfectly valid response from IdP. This is remotely exploitable situation.For additional information see:
@fuxingloh @gabrielmoncea @Hugofromfrance