Nodejs SAML implementation - Not able to get SAML response data - node.js

I am trying to implement SAML authentication through Node.js. We got the issuer ID and assertion URL (assume abc.com) from the third-party SAML maintenance team.
I have tried both of the following libraries.
https://github.com/lmarkus/passport-saml-encrypted
https://www.npmjs.com/package/saml2-js#note_options
I am facing the following issue. Assume I am currently at the URL
http://127.0.0.1:58374/index.html#/home. Now if I click the login button, it goes to the identity URL. After giving the user credentials, it validates and directly redirects to a different URL, abc.com, which is given by the third-party maintenance team. Whatever callback URL I give at the backend, it didn't use.
My problem is that after providing the user credentials, control is not coming back to the backend Node server where I can fetch the SAML response. The identity portal just redirects directly to the given URL. So I am not able to get the SAML response data.
How can I receive the SAML response after login validation, before redirecting? Kindly share your thoughts.
Thanks,
r karthik.

Related

Login SSO: get claims from msal azure authentication response

We have to develop an integration to an external login provided by Azure AD (SAML 2.0).
Our system uses React for the front-end and Python for the backend. The login workflow should work like this:
Front-end Login Page --> Azure - Success Login --> Azure requests our backend success URL with user info
Everything is working fine and after a successful login the Azure request arrives at our backend server. The problem is how to read that request and how to extract the basic information (user, email....).
We don't see any info in the body or headers, only some encoded params in the URL. The request received is like this:
https://<MY_DOMAIN>#code=<RARE_CODE>&state=<BASE64_ENCODE_JSON>&session_state=<UUID_CODE>
The information of the logged-in user (claims) is supposed to be there, in one of those params, probably encoded in the "code" parameter. I think there must be a way to decode that information but I can't find answers in any documentation.
Any in-house solution to be able to recover those claims and access the user's login data?

Able to have interactive login for calls to API Management service?

We have a backend service that can return a json result (Elasticsearch result) or an interactive browser web page (Kibana) based on the route. This service is gated behind an API Management service. Our developers need to be able to access the web page (Kibana). We are currently using a client certificate and we have it set to require this in our API definition. When browsing to the path in the browser, the user is prompted for the cert and the connection is made.
I would like to get rid of having to manage the certificate and instead use AAD to allow only users in a specific group to be able to access. I understand how to do this when making an API call. Is it possible to also have an experience similar to the cert where if the user is not logged in, they are prompted to log in, and then if they are in the correct group, access would be allowed?
Thanks
I imagine you want to enforce authentication at the APIM level and not in Kibana. For that you'll have to handle two flows:
Initial flow: when a non-authenticated user requests a URL, you should check for persistent auth, possibly in the Cookie header, and if not found redirect the user to login.microsoft.com.
Returning flow: when Azure AD redirects the user back to APIM with a token, you'll need to validate that token and add it to a Set-Cookie header, better encrypted.
And finally, when any call is made, also check and validate the cookie to see if it has expired.

Accessing Third Party Apps After Creating A Session Via API Token

I've scoured the api docs, as well as StackOverflow, and I've yet to find the answer to my question. And it is possible I'm misunderstanding how the system works.
Here's the scenario our client wants:
User logs into our website
At which point we authenticate the user in our system, and with OneLogin via the API.
After the user logs into our dashboard, they can click a link and be redirected to their third-party analytics app, due to the fact that I've created a new session with OneLogin.
Here are the steps I've completed.
I've successfully received an access token via --> https://developers.onelogin.com/api-docs/1/oauth20-tokens/generate-tokens
I've successfully used the access token to generate a session login token via --> https://developers.onelogin.com/api-docs/1/users/create-session-login-token
I've successfully used the session login token to create a new session.
I'm receiving the proper cookies from One Login after making the create new session request, and - at that point - if I enter the URL onelogin.com/login, I am taken directly to the dashboard.
At this point I know I'm properly authenticated with One Login. However, I'm not sure how to directly access a third party app from a link on our website.
Thanks.
Two ways:
If the app supports SP-initiated SAML, just navigate the user to the application and it'll do the whole SAML flow: app redirects to OneLogin, OL authenticates the user (because you have a session), and redirects SAML to the app.
Use the launch endpoint: you can create a URL to an app by using this format: https://app.onelogin.com/launch/{app-id}. For example, you can provide a link to an app like this:
Time Reporting
Details on that endpoint can be found here: https://developers.onelogin.com/api-docs/1/embed-apps/get-apps-to-embed-for-a-user
Take note that you're probably going to want to use the optional flag that makes sure to redirect to your login page, not OL's if you've built a login facade.

How do I debug my SSO SAML integration with zendesk

I am setting up a single sign on SAML service with zendesk. I am writing a custom SAML server using node/express and using node-samlp.
Zendesk is the SP,
My SAML server has its own IdP
The user steps are as follows:
Navigates to account.zendesk.com and gets redirected to account.com/login?SAMLRequest=asdfasdfafsd
User then enters credentials and posts to the node server.
At the server I am able to parse* the SAMLRequest, verify the user and give the user a SAMLResponse.
The user receives from the node server a SAMLResponse and is redirected to: account.zendesk.com?SAMLResponse=asdfasdf&RelayState=xxx
At that point the user gets a page not found. I am not sure what I'm doing wrong, at this point I'm guessing that my SAMLResponse is either badly formatted or I am redirecting the user to the wrong address.
PS: initially samlp didn't work right out of the box, I forked the repo and updated a couple dependencies and it started to work.
*I was unable to parse the SAMLRequest from zendesk initially. When I used decodeURIComponent on the query param, there were new line characters and white spaces which I replaced with a '+' which made it work. Then I realized that their query param seems to not be URI encoded...
For one thing there is no such thing as a SAML Redirect Binding for the SAML Response. You can send the SAML Response as a form-encoded parameter in an HTTP POST, but you cannot pass it as a query parameter in a redirect. Your SAML IDP implementation is not spec-compliant and Zendesk may be rejecting the message because of that.
See http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf#page=16 :
Identity Provider issues <Response> to Service Provider
In step 5, the identity provider issues a message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.
Indeed, as @hans-z already mentioned, a SAMLResponse is always sent over POST! You can trigger this browser POST by serving a page that automatically submits a form (containing the SAMLResponse) on page load (through JavaScript).
Since you're sending over POST, your SAMLResponse should not be URL encoded anymore.

Using OAuth instead of Basic authentication?

We have a web service, which currently uses Basic Auth over https to authenticate user requests. We also have a website which uses the service, and a native Windows client, which also uses the web service. I've read about OAuth, and it seems like it's always used for giving or getting access to external resources, i.e. delegation, but I'm trying to understand if it's a replacement for Basic Auth.
I'm not quite sure how all the parts fit together. Do you use Basic over https to the website to retrieve a secret and then have the javascript which is making requests to the REST services authenticate to the web service using OAuth instead of Basic?
It seems that at some point the user needs to enter their username and password into a form. I'm not sure what typically happens next. Is this even a use case for OAuth?
If you have local database accounts for the users (resource owners), then you can replace Basic authentication with the OAuth flow named "Resource Owner Password Credentials" flow.
It is a very simple flow where you issue an HTTP POST to an endpoint specified in your HTTP server, usually named /token. The content-type for this HTTP POST is x-www-form-urlencoded, so the POST body will contain something like this: grant_type=password&username=Taiseer&password=SuperPass
Once the request is sent to the /token endpoint, the server will validate the user credentials against your database store, and if all is valid it should generate a token (signed string) which contains all the claims for this resource owner (user). Then your client application should present this token in the Authorization header with each call to any protected endpoint, using the bearer scheme.
This token expires after a certain period, and you can configure this from the AuthZ server. You can read my detailed blog post, Token Based Authentication, to get more details.
