Node.js SAML implementation with OneLogin

Question

I am looking to setup our application in the application catalog of OneLogin, thus I need to create a SAML integration, as I understand it. I do see that they have toolkits available for this, but I am working in Node.js and there is no toolkit for that environment.

I have been reading their documentation as well as other posts and think that the process is something like the following: 1) Make a request to OneLogin to create the application and add it to their catalog. 2) My application needs to have a route point that I will provide to OneLogin which will be used as the redirect when someone clicks the icon for our app. 3) A user clicking on the icon for my app in the catalog will tokenize the user and send that to my defined route point with the information passed as a SAML request / XML. 4) My route point will need to consume the SAML request / XML and then will perform my internal login process. The information passed to my route point by OneLogin will include the necessary information for my site, like first name, last name, and email address. I will then do my internal application with that information and if it validates to an existing user, I would count that as a successful login and then let them continue. If they are not an existing user, I would send them through a user creation type form, but could default information from the SAML request / XML from OneLogin, or could just automatically create the user.

Does that seem like I have a high level understanding of the process?

Does anyone have examples in Node.js?

I was going to use the passport-SAML package.

Answer 1

Yes you're on the right track.

Passport-SAML works well for Express apps https://github.com/bergie/passport-saml

Your Passport SAML Strategy configuration should look something like this.

passport.use(new SamlStrategy(
  {
    path: '/login/callback',
    entryPoint: 'https://{SUBDOMAIN}.onelogin.com/trust/saml2/http-redirect/sso/{APP_ID}',
    issuer: 'passport-saml'
  },
  function(profile, done) {
    console.log(profile);
    return done(null, profile);
  })
);

passport.serializeUser(function(user, done) {
  done(null, user);
});

passport.deserializeUser(function(obj, done) {
  done(null, obj);
});

Be sure to use the SLO Endpoint that is provided when configuring your app via the OneLogin portal.

Then setup your routes to use Passport

// Initiates an authentication request with OneLogin
// The user will be redirect to OneLogin and once authenticated
// they will be returned to the callback handler below
app.get('/login', passport.authenticate('saml', {
  successReturnToOrRedirect: "/"
}));

// Callback handler that OneLogin will redirect back to
// after successfully authenticating the user
app.post('/login/callback', passport.authenticate('saml', {
  callback: true,
  successReturnToOrRedirect: '/users',
  failureRedirect: '/'
}))

You also need to make sure you have set the ACS (Consumer) URL to your apps callback url and that the user you are testing with has access to the app.