The configuration options

Here are the configuration options we will use:

entryPoint

entryPoint: JHU_SSO_URL,

where JHU_SSO_URL is declared as

const JHU_SSO_URL = 
    "https://idp.jh.edu/idp/profile/SAML2/Redirect/SSO";

The entryPoint is the endpoint, provided by the SSO software solution, to which we send our request so that the user can authenticate. This endpoint is listed in the IdP metadata XML.

Looking at the JHU SSO metadata XML at https://idp.jh.edu/idp/shibboleth, you'll find they allow for several options (including using a POST endpoint), but the entity with a Binding of urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect is what gives the familiar login (and sign-off) page that students are used to.

callbackUrl

callbackUrl: `${BASE_URL}/jhu/login/callback`,

The callbackUrl is a POST endpoint in the SP (our application) to which the IdP posts the assertions after a successful user authentication.

When you develop your server locally, the BASE_URL is going to be localhost (e.g. http://localhost:7000/). However, JHU does not accept a locally running server as a trusted SP. So, you need to deploy your server! For example, I have deployed this demo app on Heroku and it runs on https://glacial-plateau-47269.herokuapp.com. Therefore, I've set the BASE_URL as:

const BASE_URL = 
    "https://glacial-plateau-47269.herokuapp.com";

issuer

issuer: SP_NAME,

The issuer is a globally unique identifier for an SP. This is basically our app's name. It is common practice to use your app's domain name here. So, I've set SP_NAME as:

const SP_NAME = "glacial-plateau-47269";

Putting it all together

This is what the configuration of the SAML strategy looks like right now:

const passport = require("passport");
const saml = require("passport-saml");

const JHU_SSO_URL = "https://idp.jh.edu/idp/profile/SAML2/Redirect/SSO";
const SP_NAME = "glacial-plateau-47269";
const BASE_URL = "https://glacial-plateau-47269.herokuapp.com";

// Setup SAML strategy
const samlStrategy = new saml.Strategy(
  {
    // config options here
    entryPoint: JHU_SSO_URL,
    issuer: SP_NAME,
    callbackUrl: `${BASE_URL}/jhu/login/callback`,
  },
  (profile, done) => {
    return done(null, profile);
  }
);

// Tell passport to use the samlStrategy
passport.use("samlStrategy", samlStrategy);
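
To see where the three options end up on the wire, here is an added example (not code from the original page or from passport-saml) that builds an AuthnRequest, encodes it as the SAML 2.0 HTTP-Redirect binding specifies, and decodes it again. The helper names `esc`, `buildRedirectUrl` and `decodeRedirectUrl` are hypothetical, and the request is assumed to be unsigned and to carry only the three configured values.

```javascript
const zlib = require("zlib");
const crypto = require("crypto");

// Values from the page's configuration.
const JHU_SSO_URL = "https://idp.jh.edu/idp/profile/SAML2/Redirect/SSO";
const SP_NAME = "glacial-plateau-47269";
const BASE_URL = "https://glacial-plateau-47269.herokuapp.com";

// Hypothetical helper: escape a value before placing it inside XML.
const esc = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/"/g, "&quot;");

// Hypothetical helper: build the URL the browser is redirected to for login.
function buildRedirectUrl({ entryPoint, issuer, callbackUrl }) {
  const id = "_" + crypto.randomBytes(16).toString("hex");
  const xml =
    `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"` +
    ` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"` +
    ` ID="${id}" Version="2.0" IssueInstant="${new Date().toISOString()}"` +
    ` ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"` +
    ` Destination="${esc(entryPoint)}"` +            // entryPoint: where the request goes
    ` AssertionConsumerServiceURL="${esc(callbackUrl)}">` + // callbackUrl: where the IdP posts back
    `<saml:Issuer>${esc(issuer)}</saml:Issuer>` +    // issuer: who is asking
    `</samlp:AuthnRequest>`;
  // HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoding.
  const encoded = zlib.deflateRawSync(Buffer.from(xml, "utf8")).toString("base64");
  const url = new URL(entryPoint);
  url.searchParams.set("SAMLRequest", encoded);
  return url.toString();
}

// Reverse the encoding, as the receiving side does, to inspect what was sent.
function decodeRedirectUrl(redirectUrl) {
  const param = new URL(redirectUrl).searchParams.get("SAMLRequest");
  const xml = zlib.inflateRawSync(Buffer.from(param, "base64")).toString("utf8");
  const attr = (name) => (xml.match(new RegExp(`${name}="([^"]*)"`)) || [])[1];
  return {
    destination: attr("Destination"),
    acsUrl: attr("AssertionConsumerServiceURL"),
    issuer: (xml.match(/<saml:Issuer>([^<]*)<\/saml:Issuer>/) || [])[1],
  };
}

const redirectUrl = buildRedirectUrl({
  entryPoint: JHU_SSO_URL,
  issuer: SP_NAME,
  callbackUrl: `${BASE_URL}/jhu/login/callback`,
});
console.log(decodeRedirectUrl(redirectUrl));
```

The decoded output shows why a localhost callbackUrl cannot work with a real IdP: the address the assertion is posted to travels inside the request, and the IdP compares it and the issuer against the SPs it trusts.
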
Diff
diff --git a/code/index.js b/code/index.js
index 4eb9a33..70c4a15 100644
--- a/code/index.js
+++ b/code/index.js
@@ -2,10 +2,17 @@ const express = require("express");
 const passport = require("passport");
 const saml = require("passport-saml");
 
+const JHU_SSO_URL = "https://idp.jh.edu/idp/profile/SAML2/Redirect/SSO";
+const SP_NAME = "glacial-plateau-47269";
+const BASE_URL = "https://glacial-plateau-47269.herokuapp.com";
+
 // Setup SAML strategy
 const samlStrategy = new saml.Strategy(
   {
     // config options here
+    entryPoint: JHU_SSO_URL,
+    issuer: SP_NAME,
+    callbackUrl: `${BASE_URL}/jhu/login/callback`,
   },
   (profile, done) => {
     return done(null, profile);
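
Review bot: the options object passed to `new saml.Strategy(...)` gains `entryPoint`, `issuer` and `callbackUrl` but no `cert`, so nothing in this configuration lets the strategy check the IdP's signature on the assertion posted to `/jhu/login/callback`. Add the IdP signing certificate from the metadata XML as `cert` before this is used for real logins. Separately, `SP_NAME` and `BASE_URL` are hard-coded to one Heroku deployment at the top of the file; reading them from environment variables would let the same code run against another deployment without an edit.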