req.user is undefined after passing ADFS

[shanlau]

I have set up an ADFS server for testing.
My code can integrate with my ADFS server and Success status code returned in saml Response. It looks good.

I can find the below attribute statement in the saml Response, which shows the name of my login account

<AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
             <AttributeValue>XXXXX</AttributeValue>
      </Attribute>
</AttributeStatement>

I have included this attribute name in the saml strategy under passport.js

var fs = require("fs"),
  passport = require("passport"),
  SamlStrategy = require("passport-saml").Strategy;

passport.serializeUser(function (user, done) {
  done(null, user);
});

passport.deserializeUser(function (user, done) {
  done(null, user);
});

passport.use(
  new SamlStrategy(
    {
      entryPoint: "https://myadfs.com/adfs/ls/",
      issuer: "https://localhost:3000",
      callbackUrl: "https://localhost:3000/saml",
      privateKey: fs.readFileSync("./key_cert/my.key", "utf-8"),
      cert: fs.readFileSync("./key_cert/idp.crt", "utf-8"),
      authnContext: [
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
      ],
      acceptedClockSkewMs: -1,
      identifierFormat: null,
      signatureAlgorithm: "sha256",
      racComparison: "exact", 
    },
    function (profile, done) {
      return done(null, {
        name: profile["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],
      });
    }
  )
);

module.exports = passport;

Here is my code

  var passport = require('passport');
  var express = require('express');
  const sessions = require('express-session');
  const https = require('https');
  const fs = require('fs');
  const oneDay = 1000 * 60 * 60 * 24;

  var key = fs.readFileSync(__dirname + "\\key_cert\\my.key");
  var cert = fs.readFileSync(__dirname + "\\key_cert\\my.cert");
  var options = {
    key: key,
    cert: cert
  };

  var app = express();
  require('./config/passport.js');

  app.use(sessions({
    secret: "XXXXXXXXXXX",
    saveUninitialized:true,
    cookie: { maxAge: oneDay },
    resave: false 
}));

  app.use(passport.initialize());
  app.use(passport.session());

  app.get('/login',
    passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
    function(req, res) {
      res.redirect('https://localhost:3000');
    }
  );
  app.post('/saml',(req, res) => {
    console.log(req.user);
    res.send('Pass ADFS');
  });

  app.get('/', (req, res) => {
    res.send('Hello World!')
  })

  var server = https.createServer(options, app);
  server.listen(3000);

It shows Pass ADFS in the browser but undefined in the console. May I know what I miss in the code? How to get the attribute returned by ADFS?

[cjbarth]

It would be nice if I knew the versions you were working with.

Try console.log(JSON.stringify(profile)) in your signon validator and see what is there. That will probably provide all the clues you need to get the data you need.

[shanlau]

Thanks for the comment, Here is the package version I used.
express-session@1.17.3
express@4.18.1
passport-saml@3.2.1
passport@0.6.0

I have added the console.log as below. But it is strange that no output for that. Does it mean that the authentication fail so that the signon validator is not executed?

    function (profile, done) {
      console.log("profile");
      console.log(JSON.stringify(profile));
      return done(null, {
        name: profile["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],
      });
    }

My console output:

C:\Users\xxxx\nodejs>node run.js
req.user
undefined

[srd90]

@shanlau it seems that your assertion consuming endpoint is

…
     callbackUrl: "https://localhost:3000/saml",
…

but your ACS implementation is not actually consuming anything (i.e. it does not handle AuthResponse from IdP):

…
app.post('/saml',(req, res) => {
   console.log(req.user);
   res.send('Pass ADFS');
 });
…

---

As a random side note: your configuration is yet another ADFS related config which has copy pasted acceptedClockSkewMs: -1 e.g. from /docs/adfs/README.md@ v3.2.1 or from some other random examples from internet without verifying whats being configured. Your have setup upper limit for session cookie but you accept replaying authnresponse forever (i.e. authenticated session can be re-established with authnresponse replay attack). And since you haven't enabled audience check either read e.g. from this comment #137 (comment) how your service's authentication can be bypassed.

[shanlau]

I have updated passport configuration by removing the acceptedClockSkewMs and adding audience.

Do you mean I should call the passport.authenticate in the /saml endpoint to handle AuthResponse as /adfs/postResponse does in the adfs README.md. I have tried this way but I found that it will keep sending the AuthnRequest to the server repeatedly until the server reject it.

[srd90]

Do you mean I should call the passport.authenticate in the /saml endpoint to handle AuthResponse as /adfs/postResponse does in the adfs README.md

Yes. You must process AuthnResponse and based on your code sample your ACS is /saml (i.e. you might have configured/provisioned that to ADFS as ACS).

---

You mentioned at #703 (reply in thread) that your passport version is 0.6.0 and passport-saml version is 3.2.1. Are you aware that support for passport 0.6.0 is available at the moment only at @node-saml/passport-saml version >= 4.0.0-beta.1 (note: starting from 4.x passport-saml is scoped to @node-saml)? I.e. #698 modification is not available at the moment at versions <= 3.x.

---

I would suggest that

1. introduce proper ACS endpoint
2. test whether your implementation works with passport 0.5.x and passport-saml 3.2.1

If it still doesn't work then some SAML tracer plugin logs could help others to see whats going on. If you choose to share those logs make sure that you do not share actual content (substance) of assertions or anything else sensitive information including but not limited to base64 encoded values of those sensitive contents.

[shanlau]

I have changed the passport version from 0.6.0 to 0.5.2 and also the code of my ACS endpoint as below

  app.post('/saml',
    passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
    function(req, res)  {
      console.log("req.user");
      console.log(req.user);
      res.send('Pass ADFS');
    }
  );

And the result is that it will keep sending AuthnRequest and receiving Response repeatedly and nothing shown in the console

Finally I figure out the problem is that I miss app.use(bodyParser.json()); to parse the SAML Response...req.user return value now!

Thank you for all the comments!

(btw, i can't find any logout endpoint in the adfs Readme.md, may I know how to send the LogoutRequest to adfs?)

[srd90]

(btw, i can't find any logout endpoint in the adfs Readme.md, may I know how to send the LogoutRequest to adfs?)

@shanlau about your question about SAML logout (although that would be a matter of another thread / it is already discussed in various passport-saml issues/discussions/various pull request comments).

( see also this: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-out-saml-protocol )

With SAML 2.0 logout you have two scenarios:

1. Your application initiates SLO
2. Your application is one of the SSO session participants and some other application initiates SLO

About scenario 1:

You must first terminate local session and then send LogoutRequest to IdP. I.e. if you provide some /logout link for user implementation might look something like this (I did not test this. Consider it to be pseudo-code ):

app.get('/logout', function(req, res) {
    samlStrategy.logout(req, function(err, logoutRequestUrl) {
        // first terminate local session
        req.logout();
        // then - if you use redirect binding from IdP to send LogoutRequest - trigger
        // actual LogoutRequest (which is encoded as query parameter)
        res.redirect(logoutRequestUrl);
    });
});

NOTE: your req.user must have certain values available see user.* from this:

passport-saml/src/node-saml/saml.ts

Lines 366 to 406 in 6ba76ba

	async _generateLogoutRequest(user: Profile) {
	const id = "_" + this._generateUniqueID();
	const instant = this.generateInstant();
	const request = {
	"samlp:LogoutRequest": {
	"@xmlns:samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
	"@xmlns:saml": "urn:oasis:names:tc:SAML:2.0:assertion",
	"@ID": id,
	"@Version": "2.0",
	"@IssueInstant": instant,
	"@Destination": this.options.logoutUrl,
	"saml:Issuer": {
	"@xmlns:saml": "urn:oasis:names:tc:SAML:2.0:assertion",
	"#text": this.options.issuer,
	},
	"saml:NameID": {
	"@Format": user!.nameIDFormat,
	"#text": user!.nameID,
	},
	},
	} as LogoutRequestXML;
	if (user!.nameQualifier != null) {
	request["samlp:LogoutRequest"]["saml:NameID"]["@NameQualifier"] = user!.nameQualifier;
	}
	if (user!.spNameQualifier != null) {
	request["samlp:LogoutRequest"]["saml:NameID"]["@SPNameQualifier"] = user!.spNameQualifier;
	}
	if (user!.sessionIndex) {
	request["samlp:LogoutRequest"]["saml2p:SessionIndex"] = {
	"@xmlns:saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
	"#text": user!.sessionIndex,
	};
	}
	await this.cacheProvider.saveAsync(id, instant);
	return buildXmlBuilderObject(request, false);
	}

Once your IdP has terminated SSO session and propagated (and got answers to propagated logouts) from other session participants your application shall receive result of SLO in LogoutResponse message which is sent to your application's logout callback handler (NOTE: user's local session was terminated prior to SLO so you must not expect to have authenticated user available during LogoutResponse handling).

Scenario 2:

Your application is one of the session participants in SSO but some other application triggers SLO.

Your application shall receive LogoutRequest message to logout callback handler. Your application must terminate session and send result of session termination in LogoutResponse message back to IdP. You must not report success if you were not absolutely sure that session was actually terminated.

You might ask how to handle received LogoutRequest. Answer would be "well...that depends". Read more about your choices/possibilities/threats etc. e.g. from these links:

• passport-saml's IdP initiated LogoutRequest handling doesn't always close sessions #419
• IdP-initiated SLO #221 (comment)

---

Just a rhetorical question: why don't you just redirect from ACS endpoint to some landing page instead of returning response body to AuthnResponse post request? i.e. something like this:

  app.post('/saml',
    passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
    function(req, res)  {
      res.redirect('.... blabla.../secure');
    }
  );

  app.get('/secure', ..... .... );

[ShanLauCnR]

Yes, sure The ACS should then redirect user to other page instead of returning response body in real case. It is just a testing code for me to learn integrating with ADFS so I use response send instead of redirection

Thank you for yr detailed explanation!