The configuration options

Here are the configuration options we will use:
entryPoint

```js
entryPoint: JHU_SSO_URL,
```

where `JHU_SSO_URL` is declared as

```js
const JHU_SSO_URL =
  "https://idp.jh.edu/idp/profile/SAML2/Redirect/SSO";
```

The `entryPoint` is an endpoint provided by the SSO software where we send our authentication request so the user can log in. This endpoint is listed in the IdP metadata XML.

Looking at the JHU SSO metadata XML at https://idp.jh.edu/idp/shibboleth, you'll find that several options are offered (including a POST endpoint), but the `SingleSignOnService` element with a `Binding` of `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect` is what gives the familiar login (and sign-off) page that students are used to.
callbackUrl

```js
callbackUrl: `${BASE_URL}/jhu/login/callback`,
```

The `callbackUrl` is a POST endpoint in the SP (our application) to which the IdP will post back the assertions after a successful user authentication.

When you develop your server locally, the `BASE_URL` is going to be localhost (e.g. http://localhost:7000/). However, JHU does not accept a locally running server as a trusted SP, so you need to deploy your server. For example, I have deployed this demo app on Heroku and it runs on https://glacial-plateau-47269.herokuapp.com. Therefore, I've set the `BASE_URL` as:

```js
const BASE_URL =
  "https://glacial-plateau-47269.herokuapp.com";
```
issuer

```js
issuer: SP_NAME,
```

The `issuer` is a globally unique identifier for an SP. This is basically our app's name. It is common practice to use your app's domain name here. So, I've set `SP_NAME` as:

```js
const SP_NAME = "glacial-plateau-47269";
```
Putting it all together

This is what the SAML strategy configuration snippet looks like right now:

```js
const passport = require("passport"); // already required at the top of index.js (see the diff below)
const saml = require("passport-saml");

const JHU_SSO_URL = "https://idp.jh.edu/idp/profile/SAML2/Redirect/SSO";
const SP_NAME = "glacial-plateau-47269";
const BASE_URL = "https://glacial-plateau-47269.herokuapp.com";

// Setup SAML strategy
const samlStrategy = new saml.Strategy(
  {
    // config options here
    entryPoint: JHU_SSO_URL,
    issuer: SP_NAME,
    callbackUrl: `${BASE_URL}/jhu/login/callback`,
  },
  // Verify callback: passport-saml hands us the parsed assertion as `profile`
  (profile, done) => {
    return done(null, profile);
  }
);

// Tell passport to use the samlStrategy
passport.use("samlStrategy", samlStrategy);
```
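The three values above were copied out of the IdP metadata by hand. As an added example (not code from the original tutorial or from passport-saml), the block below derives them from a metadata document instead: it picks the `SingleSignOnService` with the HTTP-Redirect binding for `entryPoint`, pulls the IdP signing certificate for passport-saml's `cert` option, and builds `callbackUrl` from `BASE_URL` with a check that the base is HTTPS. The metadata fragment is constructed (example.edu placeholders, not JHU's real endpoints or certificate); `findSsoEndpoint`, `findSigningCert` and `buildSamlOptions` are this example's own helper names, and the URL checks are this example's own policy. Only Node's standard library is used.

```javascript
// Added example, not code from the original tutorial or from passport-saml:
// derive the strategy options from the IdP metadata instead of hand-copying
// them. Uses only Node's standard library (URL, RegExp); the returned object
// is what you would pass to `new saml.Strategy(options, verify)`.

const REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";

// Constructed metadata fragment in the shape of a Shibboleth IdP's
// /idp/shibboleth document (entityID, endpoints and certificate are
// placeholders, not JHU's real values).
const SAMPLE_IDP_METADATA = `
<EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
MIIC...PLACEHOLDER-SIGNING-CERT...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>`;

// Location of the SingleSignOnService element whose Binding equals `binding`,
// or null when the IdP does not offer that binding. Tags may carry an `md:`
// namespace prefix; attribute order inside the tag does not matter.
function findSsoEndpoint(metadataXml, binding) {
  const tagRe = /<(?:md:)?SingleSignOnService\b([^>]*)>/g;
  for (const m of metadataXml.matchAll(tagRe)) {
    const b = /Binding="([^"]+)"/.exec(m[1]);
    const loc = /Location="([^"]+)"/.exec(m[1]);
    if (b && loc && b[1] === binding) return loc[1];
  }
  return null;
}

// Base64 body of the first KeyDescriptor marked use="signing", with
// whitespace removed, or null. (A KeyDescriptor with no `use` attribute is
// valid for both signing and encryption; this helper deliberately ignores
// that case to keep the parsing explicit.)
function findSigningCert(metadataXml) {
  const kdRe = /<(?:md:)?KeyDescriptor\b[^>]*use="signing"[^>]*>([\s\S]*?)<\/(?:md:)?KeyDescriptor>/;
  const kd = kdRe.exec(metadataXml);
  if (!kd) return null;
  const certRe = /<(?:ds:)?X509Certificate>([\s\S]*?)<\/(?:ds:)?X509Certificate>/;
  const cert = certRe.exec(kd[1]);
  return cert ? cert[1].replace(/\s+/g, "") : null;
}

// Assemble passport-saml options. `entryPoint`, `issuer`, `callbackUrl` and
// `cert` are passport-saml option names; the URL checks are this example's
// own policy (the IdP only trusts a publicly deployed HTTPS SP anyway).
function buildSamlOptions({ metadataXml, baseUrl, spName, callbackPath }) {
  const entryPoint = findSsoEndpoint(metadataXml, REDIRECT_BINDING);
  if (!entryPoint) throw new Error("IdP metadata has no HTTP-Redirect SingleSignOnService");
  if (!entryPoint.startsWith("https://")) throw new Error("entryPoint must be https");
  const cert = findSigningCert(metadataXml);
  if (!cert) throw new Error("IdP metadata has no signing certificate");
  const base = new URL(baseUrl);
  if (base.protocol !== "https:") throw new Error("BASE_URL must be https");
  const callbackUrl = new URL(callbackPath, base).href;
  return { entryPoint, issuer: spName, callbackUrl, cert };
}

if (typeof require !== "undefined" && require.main === module) {
  const options = buildSamlOptions({
    metadataXml: SAMPLE_IDP_METADATA,
    baseUrl: "https://glacial-plateau-47269.herokuapp.com",
    spName: "glacial-plateau-47269",
    callbackPath: "/jhu/login/callback",
  });
  console.log(JSON.stringify(options, null, 2));
  // Then: passport.use("samlStrategy",
  //   new saml.Strategy(options, (profile, done) => done(null, profile)));
}
```

Passing `cert` is what lets passport-saml verify the signature on the response the IdP posts to `callbackUrl`; the same metadata document that lists the SSO endpoint also publishes that certificate, so keeping the two in one place means a certificate rotation at the IdP is a metadata refresh rather than a code change.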
Diff
diff --git a/code/index.js b/code/index.js
index 4eb9a33..70c4a15 100644
--- a/code/index.js
+++ b/code/index.js
@@ -2,10 +2,17 @@ const express = require("express");
const passport = require("passport");
const saml = require("passport-saml");
+const JHU_SSO_URL = "https://idp.jh.edu/idp/profile/SAML2/Redirect/SSO";
+const SP_NAME = "glacial-plateau-47269";
+const BASE_URL = "https://glacial-plateau-47269.herokuapp.com";
+
// Setup SAML strategy
const samlStrategy = new saml.Strategy(
{
// config options here
+ entryPoint: JHU_SSO_URL,
+ issuer: SP_NAME,
+ callbackUrl: `${BASE_URL}/jhu/login/callback`,
},
(profile, done) => {
return done(null, profile);
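Review bot: the options added in this hunk (`entryPoint`, `issuer`, `callbackUrl`) include no `cert`, so the strategy has no IdP signing certificate to check the SAML response signature against; passport-saml takes the IdP's X.509 certificate in its `cert` option, and that certificate is published in the same metadata document (https://idp.jh.edu/idp/shibboleth) the `entryPoint` URL was taken from. Suggest adding a `JHU_IDP_CERT` constant next to `JHU_SSO_URL` and a `cert: JHU_IDP_CERT,` line alongside the other three options. Minor: `BASE_URL` is a hard-coded Heroku hostname; reading it from an environment variable would let the same file serve the local and the deployed server.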