SAML/ADFS node.js implementation guide?


Question

I'd like to preface this by saying that until now, I hadn't even HEARD of SAML, much less developed a SSO strategy involving it. That, combined with the fact that I've barely been doing node for a year makes for a glorious newbie sandwich. Currently, I have a client who uses SAML and ADFS as their SSO provider. I am already using passport.js for local logins, so using passport-saml seems to be the way to go to implement the SSO using SAML/ADFS. In doing my research, I've found a couple different implementation guides, but since I literally know NOTHING about this process, I could use a few pointers.

In the passport-saml documentation, I found the following for a strategy proven to work with ADFS (according to the docs):

{
  entryPoint: 'https://ad.example.net/adfs/ls/',
  issuer: 'https://your-app.example.net/login/callback',
  callbackUrl: 'https://your-app.example.net/login/callback',
  cert: 'MIICizCCAfQCCQCY8tKaMc0BMjANBgkqh ... W==',
  identifierFormat: null
}

I suppose my main question is where does this cert come from? Is this a cert I generate on my server via SSL? Does the provider provide it?

In my searching, I have also found this: https://github.com/auth0/passport-wsfed-saml2, which is based on passport-saml. The following configuration is suggested for ADFS:

{
  path: '/login/callback',
  realm: 'urn:node:app',
  homeRealm: '', // optionally specify an identity provider 
  identityProviderUrl: 'https://auth10-dev.accesscontrol.windows.net/v2/wsfederation',
  cert: 'MIIDFjCCAf6gAwIBAgIQDRRprj9lv5 ... ='
}

In this example, the path object is obvious, and my provider has already given me an providerURL. But realm makes no sense to me, and there's that darn cert again.

Could someone provide me with an "explain-like-i'm-five" way of implementing SAML/ADFS SSO in a node.js site? Or help me make heads or tails of the argument objects requested by the two solutions I've outlined? Much appreciated in advance!

Answer

I recently went through the same thought process: having never heard of SAML, I needed to enable a web application to authenticate via SAML with OneLogin as the identity provider (instead of Active Directory).

During implementation, I made heavy use of OneLogin's documentation and the passport-saml library, both of which I recommend, though I'm not affiliated with either.

What I came to realize was that the confusion was three-fold:

(1) how SAML works,

(2) how the passport-saml library works in Node, and

(3) how to configure the identity provider (OneLogin, Active Directory, or otherwise). What follows is my attempt at an "explain-like-I'm-five" explanation.

SAML

Security Assertion Markup Language (SAML) is an XML standard that allows users to log in based on their browser session. There's a lot to it, but basically, it enables a simpler authentication process. A user can click a button rather than submit a form with username and password.

The way SAML works is a little more involved. I found this overview from OneLogin and the accompanying diagram helpful:

The diagram represents the following process:

  1. User clicks a button to authenticate for a given application (sometimes called service provider) using SAML. A request is made (to Node or otherwise) to build a SAML authorization request.
  2. An authorization request is constructed. This authorization request is XML (see more on OneLogin), encoded and/or encrypted, and appended to a URL as a query param. Node redirects the browser to this URL (something like https://domain.onelogin.com/trust/saml2/http-post/sso/123456?SAMLRequest=...encodedXML...).
  3. OneLogin, as identity provider, determines from the browser session whether the user is already logged in. If not, the user is prompted with OneLogin's login form. If so, the browser POSTs a SAML response back to the application (service provider). This SAML response (again XML) includes certain properties about the user, like NameID.
  4. Back in Node, the application verifies the SAML response and completes authentication.

Node and passport-saml

Passport.js is authentication middleware for Node. It requires a strategy, which could be something like passport-local or, in our case, passport-saml.

As the passport-local strategy enables Passport authentication using username/password, the passport-saml strategy enables Passport authentication using the browser session and configurable identity provider values.

While passport-saml served my purposes really well, its docs were difficult to reason through. The configuration example doesn't work since the OpenIdp identity provider is inactive, and there are lots of configurable parameters.

The main ones I cared about were entryPoint and path (or callbackURL). I only needed these two, which do the following:

  • entryPoint is the URL to redirect to with the authorization request (see #2 above).
  • path/callbackURL set the URL/route in Node for the SAML response to be POSTed to (see #3 above).

There's a ton of other parameters that are important and valuable, but it's possible to configure SAML SSO using just these two.

Identity provider configuration

Finally, the identity provider itself needs to be configured so that, given a SAML authorization request, it knows where to send the SAML response. In the case of OneLogin, that means setting an ACS (Consumer) URL and an ACS (Consumer) URL Validator, both of which should match the path/callbackURL configured for passport-saml.

Other things can be configured (to support logout and other features), but this is the bare minimum to authenticate.

Summary

There were two parts to the original question: (1) how to implement SAML/ADFS integration and (2) high-level SAML node.js implementation guide. This answer addresses the second.

As for specifically integrating with Active Directory, I recommend passport-saml's docs on ADFS, keeping in mind that there are two parts: configuring passport-saml to use an ADFS identity provider AND configuring your ADFS server to respond back to Node.
