passport-saml strategy implementation in nodejs

大城市里の小女人 submitted on 2020-12-05 10:27:18

Question


I am using passport-saml for authentication. For this I have installed

npm install passport passport-saml --save

And I have created my IDP using this blog Auth0.

Initialized passport and defined the SAML strategy

const fs = require("fs");
const passport = require("passport");
const passportSaml = require("passport-saml");
// Profile: the app's own user model, defined elsewhere

app.use(passport.initialize());

passport.use(new passportSaml.Strategy(
    {
        path: "/login/callback",
        entryPoint: "https://qpp1.auth0.com/samlp/bZVOM5KQmhyir5xEYhLHGRAQglks2AIp",
        issuer: "passport-saml",
        // Identity Provider's public key
        cert: fs.readFileSync("./src/cert/idp_cert.pem", "utf8"),
    },
    (profile, done) => {
        console.log("Profile : ", profile);
        let user = new Profile({ id: profile["nameID"], userName: profile["http://schemas.auth0.com/nickname"] });
        return done(null, user);
    }
));

And here are the routes

app.get("/login",
    passport.authenticate("saml", (err, profile) => {
        // control will not come here ????
        console.log("Profile : ", profile);
    })
);

app.post("/login/callback",
    (req, res, next) => {
        passport.authenticate("saml", { session: false }, (err, user) => {
            req.user = user;
            next();
        })(req, res, next);
    },
    RouteHandler.sendResponse   // the app's own response handler
);

Now this is working fine, but I have some questions:

1) What does issuer mean in the SAML strategy?

2) Why do I need to use passport.authenticate in two URL mappings? I don't understand why it is required in the /login/callback request. And why does control never even come to the /login request's function that I passed to the passport.authenticate method?

What is the logic behind this? Is this useful in any scenario?


Answer 1:


We're just finishing up a multi-tenant passport-saml implementation. Through our research, test, and development cycle we have found the following:

  1. "issuer" seems to map to the EntityID in the SAML request/response assertions.
  2. The authenticate on the GET /login gives you SP-initiated flow capability. An AuthnRequest will be sent to the IdP. The user will authenticate (or is already authenticated) and then the IdP will make the callback to the assertion consumer service endpoint, in your case the POST /login/callback authenticate. The POST /login/callback endpoint is the IdP-initiated SAML flow.

To learn how to integrate with our application, we started with just IdP-initiated flow with the ACS callback. Our very first customer which we integrated with was successful. However, the very first question they asked was, what URL should we use for SP-initiated flow? :-) I was able to get the SP-initiated flow working soon after.

I've tested this using both Salesforce developer and SSO Circle as test IdPs.

Hope this helps.



Source: https://stackoverflow.com/questions/47711518/passport-saml-strategy-implementaion-in-nodejs
