How to get user details using passport-SAML in node js - node.js

I'm using passport-SAML in node js for SAML authentication.
My SAML strategy:
passport.use(new SamlStrategy({
    protocol: 'https://',
    entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=', // SSO URL (Step 2)
    issuer: 'https://.../sp', // Entity ID (Step 4)
    path: '/auth/saml/callback', // ACS URL path (Step 4); the comma must sit before the comment
    cert: "fake certificate"
  }, function (profile, done) {
    // Parse user profile data
    done(null, {
      email: profile.email,
      name: profile.name
    })
  })
)
And my login code:
app.get('/login', passport.authenticate('saml', {
  successRedirect: '/',
  failureRedirect: '/login'
}))
I have cloned the project from GitHub.
I'm not able to get the user details, and I'm also not able to print any console log in the
'/login' route. How can I achieve this?

Related

How to login into Onelogin via custom UI and redirect to a preconfigured APP

We need to be able to login to onelogin and redirect to an APP on clicking a button in our home page. We should also be able to send some custom params. We tried using passport-saml for this but we are getting
The SAMLResponse ID was already processed
Any leads/documentation on how to proceed would be helpful.
Our passport code looks like:
passport.use(new SamlStrategy(
  {
    callbackUrl: '/app/agent-websites/onelogin/callback',
    entryPoint: entryPointUrl,
    issuer: issuerUrl,
    cert: cert,
  },
  function(profile: any, done: any) {
    console.log(profile);
    return done(null, profile);
  })
);
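The error quoted above comes from replay protection: a service provider remembers the ID of every SAML Response it has consumed and refuses a second copy. The following is an added example, not code from the question or from passport-saml itself, of a minimal in-memory replay cache of that kind; `AssertionReplayCache`, `acceptResponse` and the sample IDs are constructed for illustration. It shows why posting the same response twice (for example, the browser re-submitting the callback form after a refresh) yields exactly this message, and why the check should stay on rather than be worked around.

```javascript
// Added example: an in-memory replay cache of the kind a SAML service provider
// keeps for processed Response IDs. A given ID may be consumed once; a second
// submission is what the "SAMLResponse ID was already processed" error reports.
// Illustrative code, not passport-saml's own implementation.

class AssertionReplayCache {
  constructor(ttlMs) {
    this.ttlMs = ttlMs;     // how long a consumed ID is remembered
    this.seen = new Map();  // id -> time (ms) at which it was consumed
  }

  // Forget entries older than the TTL so the cache cannot grow without bound.
  prune(nowMs) {
    for (const [id, consumedAt] of this.seen) {
      if (nowMs - consumedAt > this.ttlMs) this.seen.delete(id);
    }
  }

  // True the first time an ID is presented, false on every replay inside the TTL.
  consume(id, nowMs = Date.now()) {
    this.prune(nowMs);
    if (this.seen.has(id)) return false;
    this.seen.set(id, nowMs);
    return true;
  }
}

// The decision an assertion consumer (callback) handler makes per incoming response.
function acceptResponse(cache, responseId, nowMs = Date.now()) {
  if (typeof responseId !== 'string' || responseId === '') {
    return { ok: false, error: 'SAMLResponse has no ID' };
  }
  if (!cache.consume(responseId, nowMs)) {
    return { ok: false, error: 'The SAMLResponse ID was already processed' };
  }
  return { ok: true };
}

// Constructed sample: the same response ID posted twice, e.g. after the user
// refreshes or navigates back to the callback page and the browser re-posts the form.
const demoCache = new AssertionReplayCache(60 * 60 * 1000);
console.log(acceptResponse(demoCache, '_constructed-response-id', 1000)); // { ok: true }
console.log(acceptResponse(demoCache, '_constructed-response-id', 2000)); // rejected as replay
```

The TTL must be at least as long as the assertion validity window the IdP issues (its NotOnOrAfter), otherwise an ID could be forgotten while the assertion is still acceptable. In a multi-instance deployment the cache also has to be shared, which is why passport-saml lets the cache provider be swapped for a backing store.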

{"message":"Failed to discover OP endpoint URL"} - passport-paypal in nodejs

My application is in nodejs, and I'm integrating PayPal authentication using passport-paypal.
Middleware code:
const PayPalStrategy = require('passport-paypal').Strategy;
passport.use(
  new PayPalStrategy(
    {
      clientID: 'My Paypal clientID',
      clientSecret: 'My PayPal secret Id',
      returnURL: 'localhost:4000/paypal/callback',
      scope: 'openid'
    },
    // passport-paypal's verify callback receives (identifier, profile, done)
    function(identifier, profile, done) {
      return done(null, profile);
    }
  )
);
ppRouter.get('/paypal', passport.authenticate('paypal'));
ppRouter.get(
  '/paypal/callback',
  passport.authenticate('paypal', { failureRedirect: '/Home' }),
  function(req, res) {
    // My logic on successful authentication
    res.redirect('/Home/Payments');
  }
);
The above implementation gives me the error:
{"message":"Failed to discover OP endpoint URL"}
I have tried to pass callbackURL instead of returnURL in the strategy, but I get the same issue.

access_token not present in the passport-github2 request

I have registered an OAuth App via my GitHub account. I am basically trying to authorize my node requests (by sending access_token as part of the request cookies) so I can access a few APIs on another server. Hence I am using the passport-github2 package. I have set up the GitHub strategy etc. and it seems to be all according to the doc. The flow works well too.
My Issue
After logging into GitHub (authorized) and getting redirected back to my /auth/github/callback, I ideally should be authorized and should have an access_token in the req. But I don't have it! Because of this I am not able to authorize my future requests with an access_token.
Important to note is that this access_token is automatically attached when the request is initiated from a browser/client (using the withCredentials: true parameter). The same access_token via node doesn't seem to be retrievable.
passport.use(new GitHubStrategy({
    clientID: GITHUB_CLIENT_ID,
    clientSecret: GITHUB_CLIENT_SECRET,
    callbackURL: "http://localhost:8080/auth/github/callback",
  },
  function(accessToken, refreshToken, profile, done) {
    // asynchronous verification, for effect...
    process.nextTick(function () {
      return done(null, profile);
    });
  }
));
app.get('/auth/github', passport.authenticate('github', { scope: [ 'user:email' ] }), function(req, res){
  // The request will be redirected to GitHub for authentication, so this
  // function will not be called.
});
app.get('/auth/github/callback', passport.authenticate('github', { failureRedirect: '/login' }), function(req, res) {
  console.log(req); // <- This ideally should have the access_token? but doesn't
});
I have been struggling for days on this. Any help is much appreciated.

Passport-SAML: read user information

Still a noob!
I am working on building a Node application, and I have already set up the various required endpoints. One of the requirements for my project is to use authentication via the SAML mechanism. I am using passport-SAML for authentication in my application.
So far, I have been able to set up and use the SAML strategy, and my application is able to call the IdP entry point and receive the response back from the IdP.
I am unable to understand how we access the user information returned by the IdP, so that I can use the SAML-returned user information to create and maintain sessions.
const saml = require('passport-saml');
module.exports = function (passport, config) {
  passport.serializeUser(function (user, done) {
    done(null, user);
  });
  passport.deserializeUser(function (user, done) {
    done(null, user);
  });
  var samlStrategyOptions = new saml.Strategy(
    {
      // URL that goes from the Identity Provider -> Service Provider
      callbackUrl: config.passport.saml.callback_url,
      // path: config.passport.saml.path,
      // URL that goes from the Service Provider -> Identity Provider
      entryPoint: config.passport.saml.entryPoint,
      issuer: config.passport.saml.issuer,
      identifierFormat: null,
      // Service Provider private key
      decryptionPvk: config.passport.saml.decryptionPvk,
      // Service Provider Certificate
      privateCert: config.passport.saml.privateCert,
      // Identity Provider's public key
      cert: config.passport.saml.cert,
      validateInResponseTo: false,
      disableRequestedAuthnContext: true
    },
    function (profile, done) {
      return done(null,
        {
          id: profile.uid,
          email: profile.email,
          displayName: profile.cn,
          firstName: profile.givenName,
          lastName: profile.sn
        });
    });
  // module.exports.samlStrategyOptions = samlStrategyOptions ;
  passport.use(samlStrategyOptions);
};
Following are my route controllers for Express:
router.route('/login')
  .get(
    passport.authenticate(config.passport.strategy,
      {
        successRedirect: '/',
        failureRedirect: '/login'
      })
  );
router.route('/login/callback/')
  .post(
    passport.authenticate(config.passport.strategy,
      {
        failureRedirect: '/',
        failureFlash: true
      }),
    function (req, res) {
      res.redirect('/');
    }
  );
And this is a SAML snippet of the properties that I receive in the response from the IdP.
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Shubham123</saml:NameID>
I was getting the same. So I used body-parser as middleware:
// middleware to parse HTTP POST JSON, buffer, string, zipped or raw and URL-encoded data and expose it on req.body
app.use(bodyParser.json());
// use the querystring library to parse x-www-form-urlencoded data for a flat data structure (not nested data)
app.use(bodyParser.urlencoded({ extended: false }));
and then you will get the profile like:
{ issuer: '',
  sessionIndex: '_x0P5ZeWx-ACSQAulKgVTxSquNsVdac_H',
  nameID: 'auth0|5a266569083226773d5d43a9',
  nameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
  nameQualifier: undefined,
  spNameQualifier: undefined,
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier': 'auth0|s9ds',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'myuser@q.com',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'myuser@q.com',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn': 'myuser@q.com',
  'http://schemas.auth0.com/identities/default/provider': 'auth0',
  'http://schemas.auth0.com/identities/default/connection': 'Username-Password-Authentication',
  'http://schemas.auth0.com/identities/default/isSocial': 'false',
  'http://schemas.auth0.com/email_verified': 'false',
  'http://schemas.auth0.com/clientID': 'bZVOM5KQmhyir5xEYhLHGRAQglks2AIp',
  'http://schemas.auth0.com/picture': 'https://s.gravatar.com/avatar/e85e57405a82225ff36b5af793ed287c?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fsu.png',
  'http://schemas.auth0.com/nickname': 'myuser',
  'http://schemas.auth0.com/identities': '[object Object]',
  'http://schemas.auth0.com/updated_at': 'Mon Dec 18 2017 12:14:28 GMT+0000 (UTC)',
  'http://schemas.auth0.com/created_at': 'Tue Dec 05 2017 09:22:49 GMT+0000 (UTC)',
  getAssertionXml: [Function] }
and create the user by extracting data like:
{ id: profile["nameID"], userName: profile["http://schemas.auth0.com/nickname"] }
In order to get the user details, in your IdP's console you have to set up, in the SP settings, the parameters you want the IdP to return, and you'll get them in the assertion.
This is what I did in OneLogin:
I'm using the node-saml passport module and I found this example very useful.
To summarize, once the SAML process is resolved, (your IdP is making a POST callback to your handler), the user data is stored in the request object. Now, if you want to get that user data, for example in any GET request, you could do the following:
app.get('/logout', function(req, res) {
  console.log('logout');
  console.log(req.user);
  req.logout();
  res.redirect(config.passport.saml.logoutCallback);
});
Where req.user contains all your user data. In the example, req.user contains the following:
{
  firstName: 'local givenName',
  lastName: 'local lastname',
  email: 'testUser@sample.com'
}
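Both the original question ("How to get user details using passport-SAML") and the profile dump in the answer above come down to the same step: the verify callback receives the raw profile and decides what becomes `req.user`. The following is an added example, not code from either post, of that mapping. `profileToUser`, `toSessionRecord`, the `CLAIMS` table and `sampleProfile` are constructed here; the claim URIs are the ones printed in the answer, and the sample values are made up. The point it adds is that the raw profile is not session material: it carries every attribute the IdP sent plus a `getAssertionXml` function, attribute values are strings (so `'false'` is truthy), and a profile without a NameID or a usable email should be refused rather than turned into a user.

```javascript
// Added example: mapping a passport-saml profile to a small, session-safe user
// record. Claim URIs follow the Auth0-style profile shown in the answer; all
// values below are constructed. Not the library's or the poster's code.

const CLAIMS = {
  email: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
  name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name',
  nickname: 'http://schemas.auth0.com/nickname',
  emailVerified: 'http://schemas.auth0.com/email_verified',
};

// Builds the object the verify callback hands to done(null, user).
// Only plain data is copied: the raw profile also carries getAssertionXml (a
// function) and every attribute the IdP sent, none of which belongs in a session.
function profileToUser(profile) {
  if (!profile || typeof profile.nameID !== 'string' || profile.nameID === '') {
    throw new Error('SAML profile has no NameID; refusing to create a user');
  }
  const email = profile[CLAIMS.email];
  if (typeof email !== 'string' || !email.includes('@')) {
    throw new Error('SAML profile has no usable email claim');
  }
  return {
    id: profile.nameID,                 // stable key for the IdP's identity
    nameIDFormat: profile.nameIDFormat,
    email,
    displayName: profile[CLAIMS.name] || email,
    userName: profile[CLAIMS.nickname] || email.split('@')[0],
    // SAML attribute values arrive as strings, so 'false' must not be treated as truthy.
    emailVerified: profile[CLAIMS.emailVerified] === 'true',
    sessionIndex: profile.sessionIndex, // needed later for single logout
  };
}

// What passport.serializeUser should store. A JSON round-trip proves the record
// is plain data: functions and undefined values are dropped by JSON, which is
// exactly why they must not be relied on in req.user.
function toSessionRecord(user) {
  return JSON.parse(JSON.stringify(user));
}

// Constructed sample profile, shaped like the one passport-saml produces.
const sampleProfile = {
  issuer: 'urn:example-idp',
  sessionIndex: '_constructed-session-index',
  nameID: 'auth0|constructed-user-id',
  nameIDFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
  nameQualifier: undefined,
  [CLAIMS.email]: 'myuser@example.com',
  [CLAIMS.name]: 'myuser@example.com',
  [CLAIMS.nickname]: 'myuser',
  [CLAIMS.emailVerified]: 'false',
  getAssertionXml: () => '<saml:Assertion/>',
};

console.log(toSessionRecord(profileToUser(sampleProfile)));
```

With this in place, `passport.serializeUser` can store `toSessionRecord(user)` (or just `user.id`, looking the rest up on deserialize), and `req.user` in later requests holds only what the application chose to keep.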

Node.js passport-saml redirects to localhost:3000/login/callback all the time

I am using the tutorial from www.npmjs.org/package/passport-saml for the SAML. I am a beginner in SAML.
The tutorial says
The SAML identity provider will redirect you to the URL provided by the path configuration
I already have an OpenIdP account. It seems I can successfully log in, but the redirect URL always sends me to localhost:3000/login/callback, which is not present in my code because I changed the 'path' to '/users/login-user-db-saml' or 'www.passporttoken.com:1234/users/login-user-db-saml' (neither works, and it still sends me to the default login/callback).
I have the code below. What am I doing wrong?
/**start FOR SAML**/
passport.use(new SamlStrategy(
  {
    path: '/users/login-user-db-saml',
    entryPoint: 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
    issuer: 'passport-saml'
  },
  function(profile, done) {
    findByEmail(profile.email, function(err, user) {
      if (err) {
        return done(err);
      }
      return done(null, user);
    });
  })
);
app.post('/users/login-user-db-sam',
  passport.authenticate('saml', { failureRedirect: '/users/login-user-saml', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);
app.get('/users/login-user-saml',
  passport.authenticate('saml', { failureRedirect: '/users/login-user-saml', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);
/**End for SAML**/
I removed the 'path' from the SAML configuration and instead used a 'callbackUrl' with the full path to the callback specified. I also set 'issuer' as shown below:
saml : {
  entryPoint : 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
  issuer : 'http://192.168.56.101:3000',
  callbackUrl : 'http://192.168.56.101:3000/login/callback'
}
You should also configure your SAML SP at OpenIdP on the metadata configuration page: https://openidp.feide.no/simplesaml/module.php/metaedit/edit.php - set the AssertionConsumerServiceURL on the SAML 2.0 tab to be your callbackUrl, and set the entityID to be the 'issuer' above.
Have you considered making your SAML Login route a POST request?
SAML wants it to be POST
The problem is in your strategy configuration, especially the issuer. Your configuration points to the entity 'passport-saml', which is configured as is. Define your own entity and create the settings you need.
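The answers above make two configuration points: give the strategy an absolute `callbackUrl` rather than a relative `path`, and register an `issuer` (entityID) of your own rather than the example value `'passport-saml'`, then enter that entityID and ACS URL on the IdP's metadata page. The following is an added example, not code from the thread or from passport-saml, that checks a configuration for those two mistakes and emits the minimal SP metadata the IdP side needs. `validateSamlConfig`, `buildSpMetadata` and `xmlEscape` are constructed names; the example assumes, as the question's behaviour suggests, that with only `path` set the ACS URL is derived from the incoming request rather than from fixed configuration.

```javascript
// Added example: a configuration check and SP metadata builder for the two
// points raised in the thread (absolute callbackUrl instead of path; an
// issuer/entityID of your own instead of the example 'passport-saml').
// Illustrative code, not passport-saml's own.

function validateSamlConfig(cfg) {
  const findings = [];
  const add = (level, message) => findings.push({ level, message });

  if (!cfg.entryPoint) add('error', 'entryPoint (the IdP SSO URL) is missing');

  if (!cfg.callbackUrl) {
    add('error', cfg.path
      ? 'only `path` is set: the ACS URL is then derived from the request, so the IdP may be told a different URL than intended; set `callbackUrl` to the absolute ACS URL'
      : 'callbackUrl (absolute ACS URL) is missing');
  } else {
    let url = null;
    try { url = new URL(cfg.callbackUrl); } catch (e) { /* not an absolute URL */ }
    if (!url) add('error', 'callbackUrl must be an absolute URL including scheme and host');
    else if (url.protocol !== 'https:') add('warn', 'callbackUrl is not https; the SAMLResponse is posted to it in clear text');
  }

  if (!cfg.issuer || cfg.issuer === 'passport-saml') {
    add('error', "issuer is missing or still the example value 'passport-saml'; set the entityID you registered with the IdP");
  }
  return findings;
}

function xmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' })[c]);
}

// SP metadata carrying what the IdP's metadata page asks for: entityID and ACS location.
function buildSpMetadata(cfg) {
  const errors = validateSamlConfig(cfg).filter((f) => f.level === 'error');
  if (errors.length > 0) {
    throw new Error('cannot build metadata: ' + errors.map((f) => f.message).join('; '));
  }
  return [
    '<?xml version="1.0"?>',
    `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="${xmlEscape(cfg.issuer)}">`,
    '  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">',
    '    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>',
    '    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"',
    `        Location="${xmlEscape(cfg.callbackUrl)}" index="0"/>`,
    '  </SPSSODescriptor>',
    '</EntityDescriptor>',
  ].join('\n');
}

// The question's configuration (relative path, example issuer) beside the answer's.
const questionConfig = {
  path: '/users/login-user-db-saml',
  entryPoint: 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
  issuer: 'passport-saml',
};
const answerConfig = {
  entryPoint: 'https://openidp.feide.no/simplesaml/saml2/idp/SSOService.php',
  issuer: 'http://192.168.56.101:3000',
  callbackUrl: 'http://192.168.56.101:3000/login/callback',
};
console.log(validateSamlConfig(questionConfig)); // two errors
console.log(buildSpMetadata(answerConfig));      // metadata with entityID and ACS Location
```

The answer's configuration still produces a warning, because the ACS URL is plain http; that is fine on a private test network like the one in the answer, but in production the IdP posts the signed assertion to this URL, so it should be https.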
