WSFederation example identity provider using sql server.
CSS JavaScript
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

This is an Security Token Service example that speaks WS-Federation with Saml11 tokens fully implemented in node.js.

Users are authenticated with an SQL-Server table where user names and salted passwords are stored, thus the name sql-federation-server.

Since it uses node-sqlserver it can run only on Windows for now but you can easily swap this to some other thing like Postgresql or mongodb.


There are few environment variables you have to set in order to run this app:

  • SQL_CONNECTION_STRING: this is the connection string to sql server.
  • WSFED_ISSUER: The issuer of the WS-Federation tokens.
  • WSFED_CALLBACKS_URLS: Comma-separated valid callback urls.
  • SITE_NAME: The title to display in the login page.
  • SESSION_SECRET: The secret of the cookie-session for single sign-on.

If you deploy this using iisnode, copy and Web.config-sample into Web.config and modify the settings there.


In order to sign the saml tokens, you need a valid certificate with public and private key.

You can generate a self signed certificate with the following command:

openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/" -keyout cert.key  -out cert.pem

Copy the two generated files to the certs folder and replace the ones provided as example.

Customize the user validation mechanism

You can customize the way user and password are validated by changing the user.js file.

Customize the login form

By default the login looks like this:

You can change views/login.ejs, public/site.css and public/imgs/logo.png.

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.




This project is licensed under the MIT license. See the LICENSE file for more info.