
Using a custom passport strategy like passport-saml #1074

Closed
hhaidar opened this issue Oct 26, 2018 · 6 comments

Comments

@hhaidar

hhaidar commented Oct 26, 2018

Hey!

I apologize if this has been asked before, but are there more details on how to get a custom strategy (like SAML) working with feathers?

I've tried @petermikitsh's SAML gist but the tokens being generated by the authentication service are not associated with a user (looks like they're anonymous?). It's also not particularly clear if this is the recommended approach and it seems a bit haphazard.

@petermikitsh
Contributor

Hi @hhaidar. Quick review of SAML (and its terminology) before we dive into the Feathers side of this. In SAML authentication, there are two actors: (1) the Identity Provider ("IdP") and (2) the Service Provider ("SP"). If you're building a service that relies on external authentication, your service would be considered the SP and the site where users actually log in is the IdP.

So usually, when you're using SAML authentication (in my experience at least), you receive HTTP POST requests at a pre-defined endpoint (e.g., /SSO/SAML2) from the IdP. Once you validate the response, you'll have a result object that contains any information the IdP decided to include about the user you're authenticating. (Similar to OAuth, the IdP can pick-and-choose what types of information it shares with the SP). Usually, you'll be given some sort of immutable id to associate with the user, possibly their e-mail address, name, etc-- whatever else the IdP agrees to provide.

So, it'll be up to you to inspect the validated response object for the relevant information you'll need. If the user from the IdP has never logged into your service before, they obviously won't exist in your users database. So you'd need to create a record, or find the existing user's record. Then, you can jump back into feathers and create the authentication token:

const {accessToken} = await app.service('authenticationService').create({}, {payload: {userId: user.id}});

It sounds like (for your use case) there may be no associated user. In that case, you still want to validate the response you receive at your endpoint (to prevent a bad actor from maliciously crafting an authentication request). In this case, after you've validated the response, just create an authentication token, but without associating information, like a userId, like so:

const {accessToken} = await app.service('authenticationService').create({}, {payload: {}});

How you want to wire it up, is up to you. But you're going to have to take the generated accessToken and have the user persist it, using cookies, local storage, etc. It's not haphazard if you write unit tests for this end point and ensure it functions as you expect :)

Overall, the question you pose ...is it possible to integrate Feathers with SAML authentication... the answer is yes! I think it's easier to grasp the implementation with a solid understanding of (1) how the SAML protocol works and (2) Feathers' authentication APIs.

@hhaidar
Author

hhaidar commented Nov 8, 2018

@petermikitsh thank you so much, ...create({}, {payload: {}}); was what I was looking for (heck, it's not documented!). I can now generate a JWT with a valid userId.

@petermikitsh
Contributor

@hhaidar There's some documentation here: https://docs.feathersjs.com/api/authentication/server.html#servicecreatedata but you're right, it isn't complete -- it doesn't explain how to add a userId to a JWT.

@daffl
Member

daffl commented Nov 8, 2018

This is another good time for me to mention that the documentation is easily and freely editable by anybody with a GitHub account. Any corrections or additions would be very welcome.

@daffl
Member

daffl commented Nov 13, 2018

Closed via feathersjs/docs#1225

@daffl daffl closed this as completed Nov 13, 2018
@lock

lock bot commented Feb 12, 2019

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue with a link to this issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Feb 12, 2019