capesantes

Reputation: 65

How to test saml2-js with free IdP like samling?

I am very new to SAML authentication so a lot of the concepts are still new to me. My original goal was to create a node.js script that can do SAML authentication.

After doing some research I was able to get a bit more specific, and now my goal is to make a node.js script that works as a Service Provider and connects to a free online Identity Provider in order to do SAML authentication.

For my Service Provider, I would like to use something like saml2-js and connect it to an Identity Provider like samling.

I have tried using the example provided here (Express example from saml2-js) but I do not understand how to connect it to samling or what to do in samling once it is connected.

To be more specific, these are the values I'm having problems populating:

var fs = require("fs"); // needed for the readFileSync calls below

// Create service provider
var sp_options = {
  entity_id: "https://sp.example.com/metadata.xml",
  private_key: fs.readFileSync("sp_privatekey.pem").toString(),
  certificate: fs.readFileSync("sp_certificate.pem").toString(),
  assert_endpoint: "https://sp.example.com/assert"
};

// Create identity provider
var idp_options = {
  sso_login_url: "https://idp.example.com/login",
  sso_logout_url: "https://idp.example.com/logout",
  certificates: [fs.readFileSync("idp_certificate.pem").toString()]
};

I'm also open to alternatives like passport-saml, as long as I can connect to samling or something similar.

Thanks!

Upvotes: 2

Views: 3989

Answers (1)

Jefff

Reputation: 81

I'm not familiar with samling, but a quick look at their site seems to indicate they perform IDP-initiated SSO (that is, a sign on that comes from the identity provider). Additionally, they appear to not encrypt the assertions they send.

For that reason, you don't need to worry about a lot of those settings. The private_key and certificate in sp_options are used for decrypting assertions, so you can just remove those completely. The entity_id setting should be the IDP's Issuer (which appears to be http://capriza.com/samling by default). The assert_endpoint is used for SP-initiated flows, so you can just leave that as the default, as it won't be used here. Additionally, because the SAML Response does not encrypt the assertion, you need an allow_unencrypted_assertion flag set to true.

For the idp_options, the sso_login_url and sso_logout_url point to the URLs where your server can be found. These are exposed in the metadata file, but you are entering that manually into samling, so you can leave those default as they will also be unused. Finally, the certificates array should contain samling's signing certificate, which appears to be the text box in the bottom right of the page. You can copy that to a file and then set that path in the fs.readFileSync.

The final configuration should be something like this:

var fs = require("fs"); // needed for the readFileSync call below

// Create service provider
var sp_options = {
  entity_id: "http://capriza.com/samling",   // samling's Issuer
  assert_endpoint: "https://sp.example.com/assert", // unused in the IDP-initiated flow
  allow_unencrypted_assertion: true          // samling does not encrypt the assertion
};

// Create identity provider
var idp_options = {
  sso_login_url: "https://idp.example.com/login",
  sso_logout_url: "https://idp.example.com/logout",
  certificates: [fs.readFileSync("idp_certificate.pem").toString()]
};

Where idp_certificate.pem contains the public key in the bottom right of the page. Then simply fill in anything you want as the Name Identifier and http://localhost:3000/assert as the Callback URL in samling.

Upvotes: 3
