SAML Authentication Setup

This module handles SAML-based Single Sign-On (SSO) authentication. Here's how to set it up:

  1. Certificate Generation Generate your Service Provider (SP) certificate pair:
# Generate private key
openssl genrsa -out ${SAML_SP_CRT}.pem 2048

# Generate public certificate
openssl req -new -x509 -key ${SAML_SP_CRT}.pem -out ${SAML_SP_CRT}.crt -days 36500
  1. File Structure Setup Place certificates in your project root:
/xyz
├── ${SAML_SP_CRT}.pem     # Your SP private key
├── ${SAML_SP_CRT}.crt     # Your SP public certificate
└── ${SAML_IDP_CRT}.crt    # Identity Provider's certificate
  1. Identity Provider Setup Configure your IdP (e.g., Auth0, Okta) with:
  • Your SP's Entity ID (issuer)
  • Your SP's public certificate (${SAML_SP_CRT}.crt)
  • Your ACS URL (callback URL)
  1. Environment Variables Required variables for SAML strategy initialization:
  # Required Core Settings
  SAML_ACS=http://your-domain/saml/acs
  SAML_SSO=https://your-idp/saml/login
  SAML_ENTITY_ID=your-service-identifier

  # Certificate Paths (without file extensions)
  SAML_SP_CRT=sp_certificate
  SAML_IDP_CRT=idp_certificate

  # Additional Settings
  SAML_SLO=https://your-idp/saml/logout
  SAML_SIGNATURE_ALGORITHM=sha256
  1. SAML Strategy Initialization The strategy is initialized with these components:
samlStrat = new SAML({
  callbackUrl,     // Where SAML responses are received
  entryPoint,      // IdP's SSO endpoint
  issuer,          // Your SP identifier
  idpCert,         // IdP's certificate for validation
  privateKey,      // Your private key for signing
  publicCert       // Your public cert for IdP
});
  1. Security Considerations
  • Keep private keys secure
  • Use strong signature algorithms
  • Configure proper certificate expiry
  • Implement proper session management

Requires

  • module:[@node-saml/node-saml]
  • module:jsonwebtoken
  • module:path
  • module:fs
  • module:/utils/processEnv

Methods

(inner) aclLookUp(email) → {Promise.<(Object|Error)>}

The aclLookUp attempts to find a user record by it's email in the ACL.

The user record will be validated and returned to the requesting saml Assertion Consumer Service [ACS].

Parameters:
NameTypeDescription
emailstring

User email.

Returns:

User object or Error.

Type: 
Promise.<(Object|Error)>

(inner) acs(req, res)

Handles the acs POST request from the idp

Parameters:
NameTypeDescription
reqObject

HTTP request object

resObject

HTTP response object

Properties
NameTypeDescription
req.bodyObject

Request Body

res.statusstring

request status

res.sendfunction

Send response function

res.setHeaderfunction

Set response header

(inner) login(req, res)

Handles the login request from the api.js and redirects to login url.

Parameters:
NameTypeDescription
reqObject

HTTP request object

resObject

HTTP response object

Properties
NameTypeDescription
req.getfunction

Request get function

(inner) logout(req, res)

Handles the logout request from the api.js

Parameters:
NameTypeDescription
reqObject

HTTP request object

resObject

HTTP response object

Properties
NameTypeDescription
req.cookiesObject

Request Cookies

res.setHeaderfunction

Set response header

(inner) logoutCallback(res)

Handles the logoutCallback POST from the idp

Parameters:
NameTypeDescription
resObject

HTTP response object

Properties
NameTypeDescription
res.setHeaderfunction

Set response header

(inner) metadata(res)

Handles the metadata response

Parameters:
NameTypeDescription
resObject

HTTP response object

Properties
NameTypeDescription
res.sendfunction

Send response function

res.setHeaderfunction

Set response header

(inner) saml(req, res)

Handles SAML authentication flow endpoints and operations

Provides endpoints for:

  • /saml/metadata: Returns SP metadata in XML format
  • /saml/login: Initiates SAML login flow
  • /saml/logout: Handles SAML logout
  • /saml/acs: Assertion Consumer Service endpoint
  • /saml/logout/callback: Handles logout callback

Authentication Flow:

  1. User hits login endpoint
  2. Gets redirected to IdP
  3. IdP authenticates and sends SAML response
  4. Response is validated at ACS endpoint
  5. User profile is created from SAML attributes
  6. Optional ACL lookup enriches profile
  7. JWT token created and set as cookie
Parameters:
NameTypeDescription
reqObject

HTTP request object

resObject

HTTP response object

Properties
NameTypeDescription
req.urlstring

Request URL path

req.bodyObject

POST request body

req.queryObject

URL query parameters

req.cookiesObject

Request cookies

req.paramsObject

Route parameters

res.sendfunction

Send response function

res.setHeaderfunction

Set response header

Throws:
  • If SAML is not configured

    Type
    Error
  • If authentication fails

    Type
    Error

(inner) saml_not_configured The SAML service has not been configured correctly.()

Type Definitions

SamlConfig

Configuration for SAML authentication

Type:
  • Object
Properties
NameTypeDescription
callbackUrlstring

URL where IdP sends SAML response (ACS endpoint)

entryPointstring

IdP's login URL for SSO

issuerstring

Identifier/Entity ID for your Service Provider

idpCertstring

Identity Provider's certificate for verification

privateKeystring

Your private key for signing requests

publicCertstring

Your public certificate shared with IdP

logoutUrlstring

URL for single logout (SLO)

wantAssertionsSignedboolean

Whether assertions must be signed

wantAuthnResponseSignedboolean

Whether responses must be signed

signatureAlgorithmstring

Algorithm for signing SAML requests

identifierFormatstring

Format of the Name Identifier

acceptedClockSkewMsnumber

Allowed clock skew in milliseconds

providerNamestring

Name of the Service Provider

logoutCallbackUrlstring

URL for logout callbacks