SAML Authentication Setup
This module handles SAML-based Single Sign-On (SSO) authentication. Here's how to set it up:
- Certificate Generation Generate your Service Provider (SP) certificate pair:
# Generate private key
openssl genrsa -out ${SAML_SP_CRT}.pem 2048
# Generate public certificate
openssl req -new -x509 -key ${SAML_SP_CRT}.pem -out ${SAML_SP_CRT}.crt -days 36500
- File Structure Setup Place certificates in your project root:
/xyz
├── ${SAML_SP_CRT}.pem # Your SP private key
├── ${SAML_SP_CRT}.crt # Your SP public certificate
└── ${SAML_IDP_CRT}.crt # Identity Provider's certificate
- Identity Provider Setup Configure your IdP (e.g., Auth0, Okta) with:
- Your SP's Entity ID (issuer)
- Your SP's public certificate (${SAML_SP_CRT}.crt)
- Your ACS URL (callback URL)
- Environment Variables Required variables for SAML strategy initialization:
# Required Core Settings
SAML_ACS=http://your-domain/saml/acs
SAML_SSO=https://your-idp/saml/login
SAML_ENTITY_ID=your-service-identifier
# Certificate Paths (without file extensions)
SAML_SP_CRT=sp_certificate
SAML_IDP_CRT=idp_certificate
# Additional Settings
SAML_SLO=https://your-idp/saml/logout
SAML_SIGNATURE_ALGORITHM=sha256
- SAML Strategy Initialization The strategy is initialized with these components:
samlStrat = new SAML({
callbackUrl, // Where SAML responses are received
entryPoint, // IdP's SSO endpoint
issuer, // Your SP identifier
idpCert, // IdP's certificate for validation
privateKey, // Your private key for signing
publicCert // Your public cert for IdP
});
- Security Considerations
- Keep private keys secure
- Use strong signature algorithms
- Configure proper certificate expiry
- Implement proper session management
- Source
Requires
- module:[@node-saml/node-saml]
- module:jsonwebtoken
- module:path
- module:fs
- module:/utils/processEnv
Methods
(inner) aclLookUp(email) → {Promise.<(Object|Error)>}
The aclLookUp attempts to find a user record by it's email in the ACL.
The user record will be validated and returned to the requesting saml Assertion Consumer Service [ACS].
| Name | Type | Description |
|---|---|---|
email | string | User email. |
- Source
User object or Error.
- Type:
- Promise.<(Object|Error)>
(inner) acs(req, res)
Handles the acs POST request from the idp
| Name | Type | Description |
|---|---|---|
req | Object | HTTP request object |
res | Object | HTTP response object |
| Name | Type | Description |
|---|---|---|
req.body | Object | Request Body |
res.status | string | request status |
res.send | function | Send response function |
res.setHeader | function | Set response header |
- Source
(inner) login(req, res)
Handles the login request from the api.js and redirects to login url.
| Name | Type | Description |
|---|---|---|
req | Object | HTTP request object |
res | Object | HTTP response object |
| Name | Type | Description |
|---|---|---|
req.get | function | Request get function |
- Source
(inner) logout(req, res)
Handles the logout request from the api.js
| Name | Type | Description |
|---|---|---|
req | Object | HTTP request object |
res | Object | HTTP response object |
| Name | Type | Description |
|---|---|---|
req.cookies | Object | Request Cookies |
res.setHeader | function | Set response header |
- Source
(inner) logoutCallback(res)
Handles the logoutCallback POST from the idp
| Name | Type | Description |
|---|---|---|
res | Object | HTTP response object |
| Name | Type | Description |
|---|---|---|
res.setHeader | function | Set response header |
- Source
(inner) metadata(res)
Handles the metadata response
| Name | Type | Description |
|---|---|---|
res | Object | HTTP response object |
| Name | Type | Description |
|---|---|---|
res.send | function | Send response function |
res.setHeader | function | Set response header |
- Source
(inner) saml(req, res)
Handles SAML authentication flow endpoints and operations
Provides endpoints for:
- /saml/metadata: Returns SP metadata in XML format
- /saml/login: Initiates SAML login flow
- /saml/logout: Handles SAML logout
- /saml/acs: Assertion Consumer Service endpoint
- /saml/logout/callback: Handles logout callback
Authentication Flow:
- User hits login endpoint
- Gets redirected to IdP
- IdP authenticates and sends SAML response
- Response is validated at ACS endpoint
- User profile is created from SAML attributes
- Optional ACL lookup enriches profile
- JWT token created and set as cookie
| Name | Type | Description |
|---|---|---|
req | Object | HTTP request object |
res | Object | HTTP response object |
| Name | Type | Description |
|---|---|---|
req.url | string | Request URL path |
req.body | Object | POST request body |
req.query | Object | URL query parameters |
req.cookies | Object | Request cookies |
req.params | Object | Route parameters |
res.send | function | Send response function |
res.setHeader | function | Set response header |
- Source
If SAML is not configured
- Type
- Error
If authentication fails
- Type
- Error
(inner) saml_not_configured The SAML service has not been configured correctly.()
- Source
Type Definitions
SamlConfig
Configuration for SAML authentication
- Object
| Name | Type | Description |
|---|---|---|
callbackUrl | string | URL where IdP sends SAML response (ACS endpoint) |
entryPoint | string | IdP's login URL for SSO |
issuer | string | Identifier/Entity ID for your Service Provider |
idpCert | string | Identity Provider's certificate for verification |
privateKey | string | Your private key for signing requests |
publicCert | string | Your public certificate shared with IdP |
logoutUrl | string | URL for single logout (SLO) |
wantAssertionsSigned | boolean | Whether assertions must be signed |
wantAuthnResponseSigned | boolean | Whether responses must be signed |
signatureAlgorithm | string | Algorithm for signing SAML requests |
identifierFormat | string | Format of the Name Identifier |
acceptedClockSkewMs | number | Allowed clock skew in milliseconds |
providerName | string | Name of the Service Provider |
logoutCallbackUrl | string | URL for logout callbacks |
- Source