molekilla/howto-saml-cookie.md

## howto-saml-cookie.md

      
    Raw
  

              howto-saml-cookie.md
            
          
Implement hapi-auth-cookie first.
Add hapi-passport-saml.

 server.auth.strategy('single-sign-on', 'saml', { ... });
 server.auth.strategy('session', 'cookie', true, { ... })
     

Add SAML login handler: This handler manages SAML login request and redirects to initial secure page (similar to hapi-auth-cookie)

 plugin.route({
    method: 'GET',
    path: '/saml',
    config: {
      auth: {
        mode: 'try',
        strategies: ['single-sign-on']
      },
      plugins: {
        'hapi-auth-cookie': {
          redirectTo: false
        }
      },
      handler: samlCtrl.saml,
    }
  });
 
 exports.saml = function (request, reply) {
    console.log('is auth', request.auth);

    if (request.auth.isAuthenticated) {
        return reply().redirect('/welcome');
    }

    return reply(`Not Authenticated, click to login with cookie <a href="/cookie-creds">cookie</a>.`);
}


Any secure route must have SAML as the last strategy.

  plugin.route({
   method: 'GET',
   path: '/welcome',
   config: {
     auth: {
       mode: 'required',
       strategies: ['session', 'single-sign-on']
     },
     handler: samlCtrl.main,
   }
 });
 
 exports.main = function (request, reply) {
   console.log('is auth', request.auth);

   if (request.state && request.state.session && request.state.session.sid) {
       return reply(`<a href="/cookie-logout">Click to logout</a>.`);
   }
   return reply(`Secure page for user ${request.auth.credentials.username}. <a href="/sso/v1/logout">Click to logout</a>.`);
}


Add cookie check in hapi-auth-cookie validateFunc

server.register(serverPlugins, function (err) {
 server.auth.strategy('single-sign-on', 'saml', schemeOpts);
 server.auth.strategy('session', 'cookie', true, {
       password: 'password-should-be-32-characters',
       cookie: 'session',
       redirectTo: '/login',
       isSecure: false,
       isSameSite: false,
       isHttpOnly: false,
       validateFunc: function (request, session, callback) {
         if (session && session.username) {
           // saml
           return callback(null, true)
         }
         if (session && session.sid) {
           // cookie
           return callback(null, true)
         }
         // 401
         return callback(true);           
       }


Because both strategies shared the same authenticated credentials, both cookie state needs to merge. For that, use hapi-passport-saml assert hook. This is sample code, you can use Object.assign or similar.

    assertHooks: {
    onResponse: (profile, req) => {
      console.log(profile)

      const username = profile['urn:oid:2.5.4.4'];        
      const samlCreds = { ...profile, username }; // or append existing cookie

      // Save SAML props for cookie creds
      req.cookieAuth.set(samlCreds)

      return samlCreds
    }

Known Issues

Logout

Use ngrok to test SAML Logout, SAML requires callbacks to a public facing url.
Incomplete login

If either strategy login sequence are not completed, you might get 401 Unauthorized or 200 JSON with an error message. In that case use try mode and handle the fallback.
hapi-auth-cookie redirect ignore setting

  plugin.route({
   method: 'GET',
   path: '/saml',
   config: {
     auth: {
       mode: 'try',
       strategies: ['single-sign-on']
     },
     plugins: {
       'hapi-auth-cookie': {
         redirectTo: false
       }
     },
     handler: samlCtrl.saml,
   }
 });

 // Get cookie creds
 plugin.route({
   method: 'GET',
   path: '/cookie-creds',
   config: {
     auth: {
       mode: 'try',
       strategies: ['session']
     },
     plugins: {
       'hapi-auth-cookie': {
         redirectTo: false
       }
     },
     handler: samlCtrl.getCreds,
   }
 });