Reputation: 131
This would be a typical use case, but since we are new to this, I want to get opinions on the authentication.
Environment - Node.js, Nginx, Kong and ADFS
Requirement - We want to use ADFS as our provider and want to authenticate Node.js users via ADFS. Also, we would have some scenarios where one of our APIs would be calling some other API internally and that needs to be authenticated too.
Questions -
1. Is it a good idea to authenticate at the Nginx/Kong level instead of in Node.js?
2. We are trying to use SAML for ADFS integration with Nginx/Kong, but it seems like there are not many modules for that.
3. How can we authenticate an API XYZ which can be used via a web browser through an Angular app and can also be called internally by another API? There are options to use secrets, but is there any module for Nginx/Kong which would let us do both kinds of authentication on the same endpoint?
Thanks in advance for any answers, it would be a big help.
Upvotes: 3
Views: 3304
Reputation: 620
My recommendation is to use a SAML 2.0 compatible toolkit in Node.js/npm. Do not do the authentication in Nginx. This will probably just give you more headaches as it is harder to troubleshoot.
There are no modules that I know of for Nginx/Kong and SAML, which is why I recommend doing it in Node.
To implement ADFS you generate a SAML assertion in whatever app you want, which returns some type of token. APIs generally use some form of bearer token already. The first question you should ask is if the user of the API needs to confirm something. If so you may be better off looking at OAuth.
Upvotes: 2
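One way to let a single Node.js endpoint accept both a browser user and an internal API caller, as asked in question 3 (an added example, not code from either poster). It assumes the app issues a signed session cookie after its SAML toolkit has validated the ADFS response, and that internal callers send an HMAC-signed bearer token; the key names, cookie name and token format are hypothetical.

```javascript
// Added example. Keys, cookie name and token layout are constructed assumptions.
const crypto = require("crypto");

const SESSION_KEY = "constructed-session-key"; // signs cookies issued after SAML login
const SERVICE_KEY = "constructed-service-key"; // shared only with internal callers

// Token layout: base64url(JSON payload) + "." + base64url(HMAC-SHA256 of the body)
function sign(payload, key) {
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  const mac = crypto.createHmac("sha256", key).update(body).digest("base64url");
  return `${body}.${mac}`;
}

function verify(token, key, now) {
  const parts = String(token).split(".");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const expected = crypto.createHmac("sha256", key).update(parts[0]).digest();
  const given = Buffer.from(parts[1], "base64url");
  // Constant-time comparison; the length check is required by timingSafeEqual.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const payload = JSON.parse(Buffer.from(parts[0], "base64url").toString());
  return payload.exp > now ? payload : null; // missing or past exp is rejected
}

// Returns { kind, subject } for an accepted caller, or null to answer 401.
function authenticate(headers, now = Math.floor(Date.now() / 1000)) {
  const auth = headers.authorization || "";
  if (auth.startsWith("Bearer ")) {
    // Service path: verified with SERVICE_KEY only, so a stolen
    // browser cookie cannot be replayed as a service token.
    const p = verify(auth.slice(7), SERVICE_KEY, now);
    return p ? { kind: "service", subject: p.sub } : null;
  }
  const m = /(?:^|;\s*)session=([^;]+)/.exec(headers.cookie || "");
  if (m) {
    // Browser path: cookie set by the app after the SAML assertion was validated.
    const p = verify(m[1], SESSION_KEY, now);
    return p ? { kind: "user", subject: p.sub } : null;
  }
  return null;
}
```

Keeping the two credential types on separate keys means downstream authorization can trust the returned `kind` when deciding what a caller may do.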