passport-saml strategy implementation in Node.js


Question

I am using passport-saml for authentication. For this I have installed

npm install passport passport-saml --save

And I have created my IdP using this blog: Auth0.

Initialized passport and defined the saml strategy

const fs = require("fs");
const express = require("express");
const passport = require("passport");
const passportSaml = require("passport-saml");

const app = express();
// The IdP posts the SAML Response back as a URL-encoded form, so the ACS route needs a body parser
app.use(express.urlencoded({ extended: false }));
app.use(passport.initialize());

passport.use(new passportSaml.Strategy(
        {
            path: "/login/callback",   // ACS endpoint the IdP posts the SAML Response back to
            entryPoint: "https://qpp1.auth0.com/samlp/bZVOM5KQmhyir5xEYhLHGRAQglks2AIp", // IdP SSO URL the AuthnRequest is sent to
            issuer: "passport-saml",   // this SP's identifier, sent as <Issuer> in the AuthnRequest
            // Identity Provider's public key
            cert: fs.readFileSync("./src/cert/idp_cert.pem", "utf8"),
        },
        // Verify callback: runs only after the strategy has validated the SAML Response
        (profile, done) => {
            console.log("Profile : ", profile);
            // `Profile` is the application's own user model (not shown in the question)
            let user = new Profile({ id: profile["nameID"], userName: profile["http://schemas.auth0.com/nickname"] });
            return done(null, user);
        }
    ));

Here are the routes

// SP-initiated flow: the strategy redirects the browser to the IdP's entryPoint with an AuthnRequest
app.get("/login",
    passport.authenticate("saml", (err, profile) => {
        // control will not come here ????
        console.log("Profile : ", profile);
    })
);
// ACS endpoint: the IdP posts the SAML Response here (for both SP- and IdP-initiated flows)
app.post("/login/callback",
         (req, res, next) => {
            passport.authenticate("saml", { session: false }, (err, user) => {
                // Do not continue on a failed or missing authentication result
                if (err || !user) return next(err || new Error("SAML authentication failed"));
                req.user = user;
                next();
            })(req, res, next);
         },
         // RouteHandler.sendResponse is the application's own handler (not shown in the question)
         RouteHandler.sendResponse
);

Now this is working fine, but I have some questions

1) What does issuer mean in the saml strategy?

2) Why do I need to use passport.authenticate in two URL mappings? I don't understand why it is required in the /login/callback request. And control never even comes to the /login request's function that I passed to the passport.authenticate method?

What is the logic behind this? Is this useful in any scenario?

Answer

We're just finishing up a multi-tenant passport-saml implementation. Through our research, test, and development cycle we have found the following:

  1. The "issuer" seems to map to the EntityID in the SAML request/response assertions.
  2. authenticate on GET /login gives you SP-initiated flow capability. The AuthnRequest will be sent to the IdP. The user will authenticate (or already be authenticated) and the IdP will call back to the Assertion Consumer Service endpoint, in your case POST /login/callback with authenticate. The POST /login/callback endpoint is the IdP-initiated SAML flow.

To learn how to integrate with our application, we started with just the IdP-initiated flow with the ACS callback. The very first customer we integrated with was successful. However, the very first question they asked was: what URL should we use for the SP-initiated flow? :-) I was able to get the SP-initiated flow working soon after.

I've tested this using both Salesforce developer and SSO Circle as test IdPs.

Hope this helps.
