First read Node: Setting up the SSL certificates for Express.
The standard authentication mechanism for Node.js is passport.
Searching in the site for "WS-Fed" shows no hits.
Searching for "SAML" shows three:
The only one that supports WS-Fed is the second one. It is developed by Auth0, who work a lot in this space.
There is also this one: AzureAD/passport-azure-ad.
This supports WS-Fed, SAML and OpenID Connect / OAuth 2.0. It's developed by Microsoft. Unfortunately, it was developed against Express 3, whereas the latest download is Express 4. A lot has changed between the two, and this release does not currently work on Express 4.
So we'll go with the second one.
A Gist of the code is here.
On the ADFS side, we need an RP (relying party trust). There's no metadata to import, so configure it manually.
The identifier "urn:node:wsfedapp" matches the realm in the code.
The thumbprint in the code is the thumbprint of the ADFS signing certificate.
Set "identityProviderUrl" to your ADFS URL.
Set the callback URL:
https://localhost:3000/login/callback
Normal claims rules:
Run the code from the command prompt and you'll see:
C:\...>node ws-fed-auth0
Server started at port 3000
Browse to:
https://localhost:3000/
and you'll see:
hello world
Browse to:
https://localhost:3000/secure
and you'll be redirected to ADFS; authenticate, and then you'll see:
you have access to secured resources
If you look in the command prompt, you'll see the Profile displayed:
C:...\Node.js>node ws-fed-auth0
Server started at port 3000
{ sessionIndex: undefined,
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': 'Joe',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': 'Bloggs',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'joeb@abc.com',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Joe Bloggs',
issuer: 'http://my-adfs/adfs/services/trust',
email: 'joeb@abc.com' }
In Serializer
In DeSerializer
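The post's gist is not reproduced here, but the pieces of the integration that sit behind the output above can be exercised without a running ADFS. The following is an added example (not the blog's gist and not the Auth0 strategy's own code): it keeps the option names the post uses (realm, identityProviderUrl, thumbprint, the callback URL) as placeholders, maps the claim URIs shown in the printed profile into an application user while pinning the expected issuer, and shows the serializer/deserializer pair that produces the "In Serializer" / "In DeSerializer" lines. The verify callback, expectedIssuer option, user store and ensureAuthenticated guard are assumptions introduced for the example; the sample profile is constructed from the values printed on the page.

```javascript
// Added example: claim mapping, issuer pinning and session handling for a
// passport WS-Fed strategy, runnable without express, passport or ADFS.

const CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';

// Placeholder configuration; values are hypothetical and must be replaced.
const config = {
  realm: 'urn:node:wsfedapp',                         // must equal the RP identifier in ADFS
  identityProviderUrl: 'https://my-adfs/adfs/ls/',    // placeholder ADFS passive endpoint
  thumbprint: '0000000000000000000000000000000000000000', // placeholder: SHA-1 of the ADFS token-signing cert
  expectedIssuer: 'http://my-adfs/adfs/services/trust',  // issuer the token must carry (assumed option)
  callbackUrl: 'https://localhost:3000/login/callback',
};

// Map the raw profile (keyed by claim URI, as the post prints it) to an app user.
// The strategy already checks the signature against the thumbprint; pinning the
// issuer as well refuses a validly signed token from any other STS.
function profileToUser(profile, expectedIssuer) {
  if (!profile || profile.issuer !== expectedIssuer) {
    throw new Error('token issuer mismatch: ' + (profile && profile.issuer));
  }
  const claim = (name) => profile[CLAIMS + name];
  const email = claim('emailaddress') || profile.email;
  if (!email) throw new Error('no email claim in token');
  return {
    id: email.toLowerCase(),
    givenName: claim('givenname'),
    surname: claim('surname'),
    displayName: claim('name'),
    email,
  };
}

// The verify callback you would hand to the strategy: new Strategy(options, verify).
// A rejected token yields done(null, false) so passport returns 401 rather than 500.
function verify(profile, done) {
  try {
    return done(null, profileToUser(profile, config.expectedIssuer));
  } catch (err) {
    return done(null, false, { message: err.message });
  }
}

// In-memory user store standing in for whatever the app would persist to.
const users = new Map();

// passport.serializeUser: keep only the key in the session, never the whole profile.
function serializeUser(user, done) {
  console.log('In Serializer');
  users.set(user.id, user);
  done(null, user.id);
}

// passport.deserializeUser: rebuild req.user from the key on each request.
function deserializeUser(id, done) {
  console.log('In DeSerializer');
  const user = users.get(id);
  done(user ? null : new Error('unknown user ' + id), user || false);
}

// Guard for the /secure route; req.isAuthenticated() is what passport adds to req.
function ensureAuthenticated(req) {
  return typeof req.isAuthenticated === 'function' && req.isAuthenticated() === true;
}

// Constructed sample profile, shaped like the one printed in the post.
const sampleProfile = {
  sessionIndex: undefined,
  [CLAIMS + 'givenname']: 'Joe',
  [CLAIMS + 'surname']: 'Bloggs',
  [CLAIMS + 'emailaddress']: 'joeb@abc.com',
  [CLAIMS + 'name']: 'Joe Bloggs',
  issuer: 'http://my-adfs/adfs/services/trust',
  email: 'joeb@abc.com',
};

// Walk the same path passport would: verify -> serialize -> deserialize.
verify(sampleProfile, (err, user) => {
  serializeUser(user, (e, id) => {
    deserializeUser(id, (e2, restored) => console.log(restored));
  });
});

module.exports = { config, profileToUser, verify, serializeUser, deserializeUser, ensureAuthenticated, sampleProfile };
```

In a real app, `verify` is the second argument to the strategy constructor, `serializeUser`/`deserializeUser` are registered with `passport.serializeUser` and `passport.deserializeUser`, and `ensureAuthenticated` wraps the `/secure` handler, redirecting to the login route when it returns false.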
Enjoy!