Thursday, February 18, 2016

Node : Federating with ADFS via WS-Fed

First read Node : Setting up the SSL certificates for Express.

The standard authentication middleware for Node.js is Passport, which plugs in per-protocol "strategies".

Searching the Passport strategy list for "WS-Fed" shows no hits.

Searching for "SAML" shows three. The only one of those that supports WS-Fed is the second one, which is developed by Auth0, who work a lot in this space.

There is also this one: AzureAD/passport-azure-ad.

It supports WS-Fed, SAML and OpenID Connect / OAuth 2.0, and is developed by Microsoft. Unfortunately, it was developed against Express 3, whereas the current release is Express 4. A lot changed between the two and, at the time of writing, this release does not work on Express 4.

So we'll go with the Auth0 one.

A Gist of the code is here.

On the ADFS side, we need a relying party trust. The application publishes no federation metadata, so add the RP manually.

The relying party identifier "urn:node:wsfedapp" must match the realm in the code: it is sent to ADFS as wtrealm and comes back as the audience of the issued token.

The thumbprint in the code is that of the ADFS token-signing certificate (not the service communications or token-decrypting certificate). The strategy uses it to pin which certificate may sign tokens, so update it when ADFS rolls the signing certificate over.

Set "identityProviderUrl" to your ADFS WS-Federation passive endpoint (https://<your-adfs>/adfs/ls/).

Set the callback URL (the RP's WS-Federation passive endpoint, where ADFS POSTs the token back to the app):


The usual claim rules (the profile printed below shows the given name, surname and name claims they issue):

Run the code from the command prompt and you'll see:

C:\...>node ws-fed-auth0
Server started at port 3000

Browse to the unprotected route:


and you'll see:

hello world 

Browse to the secured route:


and you'll be redirected to ADFS. Authenticate there, and once ADFS posts the token back to the callback URL you'll see:

you have access to secured resources

Back in the command prompt, you'll see the profile the strategy built from the token's claims (the keys shown as '' are the full claim-type URIs, which the page's formatting has dropped):

 C:...\Node.js>node ws-fed-auth0
Server started at port 3000
{ sessionIndex: undefined,
  '': 'Joe',
  '': 'Bloggs',
  '': '',
  '': 'Joe Bloggs',
  issuer: 'http://my-adfs/adfs/services/trust',
  email: '' }
In Serializer
In DeSerializer

