Reuse the generated keys
Another common practice in SAML-based SSO is to sign request/response XML objects by including an XML Signature. Typically, the key pair already used for encryption is reused for signing as well, but you can also generate a separate set of keys for this purpose.
Add the following key-value pair to the SAML strategy config options object:
  privateCert: PvK,
Add the public key as a signing certificate to your metadata by passing it as the second argument to the generateServiceProviderMetadata function:
app.get("/jhu/metadata", (req, res) => {
  res.type("application/xml");
  res.status(200);
  res.send(samlStrategy.generateServiceProviderMetadata(PbK, PbK));
});
Now run the server and open http://localhost:7000/jhu/metadata. Notice the <KeyDescriptor use="signing"> element that has been added to the metadata XML.
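As an added check, not part of this tutorial or of passport-saml, the following Node script inspects generated SP metadata and reports whether it advertises a signing key, whether that key is the expected PbK, and whether the same key is reused for encryption. The certificate body and the metadata document it runs on are constructed placeholders, and the sampleMetadata/checkMetadata helpers are hypothetical names introduced here.

```javascript
// Added check, not part of the tutorial or of passport-saml: inspect the SP
// metadata the server returns and report which certificates it advertises.

// Reduce a PEM block (or an already-bare base64 string) to its base64 body,
// which is the form embedded inside <ds:X509Certificate>.
function pemBody(pem) {
  return pem.replace(/-----(BEGIN|END)[^-]+-----/g, "").replace(/\s+/g, "");
}

// Map each <KeyDescriptor use="..."> to the certificate body it carries.
// A regex is acceptable for metadata we generated ourselves; metadata received
// from another party should go through a real XML parser instead.
function keyDescriptors(metadataXml) {
  const re = /<(?:\w+:)?KeyDescriptor\s+use="(\w+)"[\s\S]*?<(?:\w+:)?X509Certificate>([\s\S]*?)<\/(?:\w+:)?X509Certificate>/g;
  const found = {};
  let m;
  while ((m = re.exec(metadataXml)) !== null) found[m[1]] = m[2].replace(/\s+/g, "");
  return found;
}

// Does the metadata advertise a signing key, is it the cert we expect (PbK),
// and is the same key also advertised for encryption (the reuse this section
// describes, which means one private-key compromise affects both functions)?
function checkMetadata(metadataXml, expectedSigningCertPem) {
  const found = keyDescriptors(metadataXml);
  const expected = pemBody(expectedSigningCertPem);
  return {
    hasSigning: "signing" in found,
    hasEncryption: "encryption" in found,
    signingMatchesExpected: found.signing === expected,
    sameKeyForBoth: found.signing !== undefined && found.signing === found.encryption,
  };
}

// Build a constructed metadata document shaped like passport-saml's output,
// one <KeyDescriptor> per entry of { use: certBody }. Hypothetical helper.
function sampleMetadata(descriptors) {
  const kds = Object.entries(descriptors).map(([use, body]) =>
    `<KeyDescriptor use="${use}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>${body}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>`
  ).join("");
  return `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><SPSSODescriptor>${kds}</SPSSODescriptor></EntityDescriptor>`;
}

// Placeholder certificate body (constructed, not a real certificate).
const PBK = "-----BEGIN CERTIFICATE-----\nMIIBplaceholderCertBody\nAAAA\n-----END CERTIFICATE-----\n";
const before = checkMetadata(sampleMetadata({ encryption: pemBody(PBK) }), PBK);
const after = checkMetadata(sampleMetadata({ encryption: pemBody(PBK), signing: pemBody(PBK) }), PBK);
console.log(before); // hasSigning: false
console.log(after);  // hasSigning: true, sameKeyForBoth: true
```

Point checkMetadata at the real output of /jhu/metadata to confirm the signing descriptor is present and carries the certificate the IdP has been given.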
Diff
diff --git a/code/index.js b/code/index.js
index 468616d..25c43d4 100644
--- a/code/index.js
+++ b/code/index.js
@@ -18,6 +18,7 @@ const samlStrategy = new saml.Strategy(
issuer: SP_NAME,
callbackUrl: `${BASE_URL}/jhu/login/callback`,
decryptionPvk: PvK,
+ privateCert: PvK,
},
(profile, done) => {
return done(null, profile);
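Review bot: the added "privateCert: PvK" line makes the signing key the very same private key already passed as "decryptionPvk", so a compromise of that one key exposes both the SP's signatures and its ability to decrypt assertions; since the accompanying text allows generating a separate pair for signing, consider doing that here, or at least add a comment stating that the reuse is deliberate. It would also be worth setting "signatureAlgorithm" explicitly in this options object rather than relying on the library default, so the hash used for request signatures is visible in the config.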
@@ -64,7 +65,7 @@ app.post(
app.get("/jhu/metadata", (req, res) => {
res.type("application/xml");
res.status(200);
- res.send(samlStrategy.generateServiceProviderMetadata(PbK));
+ res.send(samlStrategy.generateServiceProviderMetadata(PbK, PbK));
});
// Start the server.
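Review bot: "generateServiceProviderMetadata(PbK, PbK)" advertises the same certificate for both encryption and signing; if the signing pair is ever separated from the decryption pair, as the text permits, the second argument must become the certificate matching "privateCert", otherwise the IdP will verify request signatures against the wrong key. Naming the two positional arguments (e.g. assigning PbK to decryptionCert and signingCert variables before the call) would make the meaning of each slot visible at the call site and make a later split harder to get wrong.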