Send the SAMLRequest as a query param.

[github-anis-snoussi]

Hi 👋,
I'm using passport-saml v3.2.1 in a Nestjs v7.6.18 project with the MultiSamlStrategy to login each user using his own IdP.

@Injectable()
export class SamlStrategy extends PassportStrategy(MultiSamlStrategy, 'saml') {
  constructor(private readonly authSamlSettingService: AuthSamlSettingService) {
    super(
      {
        passReqToCallback: true,
        getSamlOptions: async (request: Request, callback: SamlOptionsCallback) => {
          const userId = userId;
          const authSamlSetting = await authSamlSettingService.findOne(userId);
          return callback(null, {
            entryPoint: authSamlSetting.entrypoint,
            issuer: authSamlSetting.issuer,
            cert: authSamlSetting.certificate,
            authnRequestBinding: 'HTTP-POST',
          });
        },
      },
      (request: Request, profile: Profile, done: VerifiedCallback) => {
        done(null, profile);
      },
    );
  }
}

This works fine with IdPs like Okta and OneLogin where my Nestjs app redirects the user to the IdP, but when testing with Azure AD, the authentication fails because azure expects a SAMLRequest as a query param when redirecting from my app.

I was wondering if this is something already taken care of by passport-saml, because the closest thing I can come up with is manually adding the base64 encoded request using additionalAuthorizeParams in the above code.

Thanks !

[cjbarth]

We have code that does that already and the setups I've worked with have no problem doing this out of the box.

[github-anis-snoussi]

Thanks for the answer, but I intercepted the the requests using Burp proxy, and I can clearly see that no SAMLRequest is being added as query param from the Nest app.
Here's the request from the SP to the IdP :

And this is the error shown in Azure AD :

[cjbarth]

Why don't you just look at the inspection tab in your browser and see what request it is making. I can't see the entire flow of requests. However, I assure you, it does work. So there must be a configuration issue at play here.

[github-anis-snoussi]

Looking at the requests being made, I can see that passport-saml is ignoring the authnRequestBinding: 'HTTP-POST' for some reason, and it's directly redirecting to the IdP entrypoint (instead of returning an html form).
And you are correct, this could be a configuration issue, so I will keep investigating and close the discussion when I find the issue in case someone runs into the same issue.

[github-anis-snoussi]

Found the issue 😅, it had nothing to do with passport-saml.
The SP initiated authentication was not working because the frontend was manually doing a HTTP redirect using the IdP entrypoint instead of relying on passport-saml to do it, totally my bad 😅.