/user/saml

The SAML user module exports the saml method as an endpoint for request authentication via SAML.

The module requires the saml2-js library to be installed. The availability of the required module is tried during module initialisation.

The SAML Service Provider [sp] and Identity Provider [idp] are stored in module variables.

Successful declaration of the sp and idp requires a Service Provider certificate key pair ${process.env.SAML_SP_CRT}.pem and ${process.env.SAML_SP_CRT}.crt in the XYZ process root.

An Assertion Consumer Service [ACS] endpoint must be provided as process.env.SAML_ACS.

The idp requires a certificate ${process.env.SAML_IDP_CRT}.crt, a single sign-on [SSO] login URL process.env.SAML_SSO and a logout URL process.env.SAML_SLO.

Requires

Methods

(inner) acl_lookup(email) → {Promise.<(Object|Error)>}

The acl_lookup method attempts to find a user record by its email in the ACL.

The user record will be validated and returned to the requesting saml Assertion Consumer Service [ACS].

Parameters:

  Name   Type    Description
  email  string  User email.

Returns:

User object or Error.

Type: Promise.<(Object|Error)>

(inner) saml(req, res)

The saml method requires the sp and idp module variables to be declared as saml2 Service Provider and Identity Provider.

The req.url path is matched with either the metadata, login, or acs methods.

The saml metadata will be sent as application/xml content if requested.

The saml/login request path redirects the request to a SAML login request URL created by the Service Provider [sp].

The sp will assert the POST body sent to the saml/acs endpoint.

A lookup of the ACL user record will be attempted by the acl_lookup method.

The ACL record, with the user roles, is assigned to the user object identified by the email in the SAML token.

The user object is signed as a JSON Web Token and set as a cookie in the HTTP response header.

Parameters:

  Name  Type    Description
  req   Object  HTTP request.
  res   Object  HTTP response.

Properties of req:

  Name  Type    Description
  url   string  Request path.
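The saml router described above, as an added example that is not the module's own code: sp and idp are assumed to be saml2-js ServiceProvider and IdentityProvider instances (in the module, the variables declared from SAML_SP_CRT, SAML_ACS, SAML_IDP_CRT, SAML_SSO and SAML_SLO) and are injected together with acl_lookup and a JWT signing function. The saml2-js method names create_metadata, create_login_request_url and post_assert, the use of the NameID as the email, and the cookie name `token` are assumptions.

```javascript
// Added example, not the module's own code. sp/idp are injected so the routing
// below can be exercised without saml2-js installed.

// Match on the path only, so a query string cannot change the selected route.
function matchRoute(url) {
  const p = String(url).split('?')[0].replace(/\/+$/, '');
  if (p.endsWith('/saml/metadata')) return 'metadata';
  if (p.endsWith('/saml/login')) return 'login';
  if (p.endsWith('/saml/acs')) return 'acs';
  return null;
}

// Cookie carrying the signed user object: unreadable by page scripts, HTTPS only.
// The cookie name "token" is an assumption; the page does not name it.
function tokenCookie(token) {
  return `token=${token}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// aclLookup(email) -> Promise<user>; signToken(user) -> JWT string (e.g. jsonwebtoken.sign).
function createSamlHandler({ sp, idp, aclLookup, signToken }) {
  return function saml(req, res) {
    const route = matchRoute(req.url);
    if (route === 'metadata') {
      res.writeHead(200, { 'Content-Type': 'application/xml' });
      return res.end(sp.create_metadata());
    }
    if (route === 'login') {
      return sp.create_login_request_url(idp, {}, (err, loginUrl) => {
        if (err) { res.writeHead(500); return res.end(); }
        res.writeHead(302, { Location: loginUrl });
        res.end();
      });
    }
    if (route === 'acs') {
      // post_assert checks the response signature against the idp certificate before
      // any identity from the POST body is trusted (assumed saml2-js API).
      return sp.post_assert(idp, { request_body: req.body }, (err, samlResponse) => {
        if (err) { res.writeHead(401); return res.end(); }
        const email = samlResponse.user.name_id; // assumes the NameID is the email
        aclLookup(email)
          .then((user) => {
            res.writeHead(302, { 'Set-Cookie': tokenCookie(signToken({ ...user, email })), Location: '/' });
            res.end();
          })
          .catch(() => { res.writeHead(403); res.end(); }); // no ACL record: no session
      });
    }
    res.writeHead(404); res.end();
  };
}
```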