A Hapi plugin that wraps passport-saml for SAML SSO (as SP)
Clone or download
Latest commit 7268c6f Aug 26, 2018

README.md

hapi-passport-saml

A Hapi plugin that wraps passport-saml for SAML SSO (as SP) with support for multiple strategies

Current release

1.3.0

Install

npm install hapi-passport-saml

Configuration

Uses samlidp.io as IdP, read passport-saml for how to use options

const idpCert = '...';
const decryptionCert = '...';
const samlOptions = {
  // passport saml settings
  saml: {
    callbackUrl: 'http://localhost/api/sso/v1/assert',
    logoutCallbackUrl: 'http://localhost/api/sso/v1/notifylogout',
    logoutUrl: 'https://my-idp.samlidp.io/saml2/idp/SingleLogoutService.php',
    host: 'localhost',
    protocol: 'http',
    entryPoint: 'https://my-idp.samlidp.io/saml2/idp/SSOService.php',
    // Service Provider Private Key
    decryptionPvk: fs.readFileSync(__dirname + '/private.key').toString(),
    // IdP Public Key
    cert: idpCert,
    issuer: 'my-saml'
  },
  // hapi-passport-saml settings
  config: {
    // Service Provider Public Key
    decryptionCert,
    // Plugin Routes
    routes: {
      // SAML Metadata
      metadata: {
        path: '/api/sso/v1/metadata.xml',
      },
      // SAML Assertion
      assert: {
        path: '/api/sso/v1/assert',
      },
    },
    assertHooks: {
      // Assertion Response Hook
      // Use this to add any specific props for your business
      // or appending to existing cookie
      onResponse: (profile) => {
        const username = profile['urn:oid:2.5.4.4'];
        return { ...profile, username };
      },
    }
  }
};

const serverPlugins = [{
  register: require('hapi-passport-saml'),
  options: samlOptions,
}];

// Internal cookie settings
const schemeOpts = {
  password: '14523695874159852035.0',
  isSecure: false,
  isHttpOnly: false,
  ttl: 3600,
}
server.register(serverPlugins, function (err) {
  server.auth.strategy('single-sign-on', 'saml', schemeOpts);
  server.register(controllers, {
    routes: {
      prefix: '/api'
    }
  }, function () {
    if (!module.parent) {
      server.start(function () {
        console.log('Server started at port ' + server.info.port);
      });
    }
  });

});

Note: Internal cookie name is hapi-passport-saml-cookie, if you need to read the SAML credentials for integration with other strategies, use assertion hook.

Multiple strategies

Use hapi-passport-saml as the last strategy. Tested with try and required modes.

  • required: If successful, returns credentials, else HTTP 200 with JSON
  • try: If successful, returns credentials, else empty credentials and isAuthenticated set to false

More info: Integrating hapi cookie with hapi passport saml v1.1.0

Demo application

Demo

References, Ideas and Based from

License

MIT