Metadata-based configuration of SAML login code is better than configuring URLs and certificates because it ensures certificates between a ID Provider and application stay in sync. This project provides Metadata-based configuration of the passport-wsfed-saml2 strategy, though it could also be adopted to work with other platforms.
npm install saml2-metadata-config
Basic usage:
var Saml2MetadataConfiguration= require('saml2-metadata-config')
Saml2MetadataConfiguration.configure( {
metadataUrl:'https://adfs.company.com/federationMetadata/2007-06/FederationMetadata.xml'
}).then(function(options){
//options.identityProviderUrl and options.thumbprints populated.
});
Full example:
var passport = require('passport'); //auth library for express
var WsFedSaml2Strategy= require('./node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/index').Strategy; //WS-Federation/SAML plugin for passport
var Saml2MetadataConfiguration= require('saml2-metadata-config') //Metadata Config library
Saml2MetadataConfiguration.configure( {
metadataUrl:'https://adfs.company.com/federationMetadata/2007-06/FederationMetadata.xml',
realm: 'urn:your-relying-party-id, //In ADFS this is the Relying Party Identifier - a URL or URN identifying your app
wreply: 'https://thisapp.company.com/login/callback' //In ADFS, the root of this path (https://thisapp.company.com) must be one of the WS-Federation endpoints
}).then(function(options){
//Configure passport to use WSFED against ADFS
passport.use('wsfed-saml2', new WsFedSaml2Strategy(options,
function (profile, done) {
//Called when the user authenticates. We could lookup a user in DB, etc. For now, just pass the profile as the user.
console.log("Auth with", profile);
if (!profile.email) {
return done(new Error("No email found"), null);
}
done(null, profile); //Profile doesn't have to = user, but for simplicity we do this here. done(null,userFromDb) would also be possible
}));
},
function(e){
console.log(e);
// throw "unable to configure using metadata"; //e;
});