Thursday, February 18, 2016

Node : Federating with ADFS via WS-Fed

First read Node : Setting up the SSL certificates for Express.

The standard authentication middleware for Node.js is passport.

Searching the passport strategy list for "WS-Fed" shows no hits.

Searching for "SAML" shows three:
The only one that supports WS-Fed is the second one, which is developed by Auth0, who work a lot in this space.

There is also this one: AzureAD/passport-azure-ad.

This supports WS-Fed, SAML and OpenID Connect / OAuth 2.0. It's developed by Microsoft. Unfortunately, it was developed against Express 3, whereas the current download is Express 4. A lot has changed between the two, and this release does not currently work on Express 4.

So we'll go with the second one.

A Gist of the code is here.

On the ADFS side, we need an RP (relying party trust). The application publishes no federation metadata, so configure it manually.


The identifier "urn:node:wsfedapp" matches the realm in the code.

The thumbprint in the code is the thumbprint of the ADFS signing certificate.

Set "identityProviderUrl" to your ADFS URL.


Set the callback URL:

https://localhost:3000/login/callback

Normal claims rules:


Run up the code in the command prompt and then you'll see:

C:\...>node ws-fed-auth0
Server started at port 3000


Browse to:

https://localhost:3000/

and you'll see:

hello world

Browse to:

https://localhost:3000/secure

and you'll be redirected to ADFS; after you authenticate there, you'll see:

you have access to secured resources

If you look in the command prompt, you'll see the Profile displayed:

C:...\Node.js>node ws-fed-auth0
Server started at port 3000
{ sessionIndex: undefined,
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname': 'Joe',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname': 'Bloggs',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'joeb@abc.com',
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Joe Bloggs',
  issuer: 'http://my-adfs/adfs/services/trust',
  email: 'joeb@abc.com' }
In Serializer
In DeSerializer
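As an added example (not code from the post, the Gist, or passport-wsfed-saml2), the following ties the relying-party settings above to the profile shown here: it builds the WS-Fed sign-in redirect from the realm and callback URL, and maps the claim-URI keyed profile into a local user only when the issuer is the expected ADFS. The passive endpoint path and host names are assumptions; signature validation against the signing certificate thumbprint is left to the library.

```javascript
// Added example; not code from the post or from passport-wsfed-saml2.
// Builds the WS-Fed sign-in redirect (realm and reply URL must match the
// RP in ADFS) and maps the claim-URI keyed profile to a local user only if
// the issuer is our ADFS. identityProviderUrl and host names are assumed.
const config = {
  realm: 'urn:node:wsfedapp',                       // RP identifier in ADFS
  identityProviderUrl: 'https://my-adfs/adfs/ls/',  // assumed passive endpoint
  callbackUrl: 'https://localhost:3000/login/callback',
  expectedIssuer: 'http://my-adfs/adfs/services/trust',
};

const CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/';

// WS-Federation passive sign-in request: wa=wsignin1.0, the realm ADFS knows
// us by, where to post the token back, and an opaque wctx to resume state.
function buildSignInUrl(cfg, wctx) {
  const params = new URLSearchParams({
    wa: 'wsignin1.0',
    wtrealm: cfg.realm,
    wreply: cfg.callbackUrl,
    wctx,
  });
  return `${cfg.identityProviderUrl}?${params.toString()}`;
}

// Map the profile passport hands back (claims keyed by full URI) to a small
// user object; refuse any issuer other than our ADFS before trusting claims.
function mapProfile(profile, cfg) {
  if (profile.issuer !== cfg.expectedIssuer) {
    throw new Error(`unexpected issuer: ${profile.issuer}`);
  }
  const claim = (name) => profile[CLAIMS + name];
  const email = claim('emailaddress');
  if (!email) throw new Error('emailaddress claim missing');
  return {
    id: email.toLowerCase(),
    displayName: claim('name') || `${claim('givenname')} ${claim('surname')}`,
    email,
  };
}

// Constructed sample, shaped like the profile printed in the post.
const sampleProfile = {
  [CLAIMS + 'givenname']: 'Joe',
  [CLAIMS + 'surname']: 'Bloggs',
  [CLAIMS + 'emailaddress']: 'joeb@abc.com',
  [CLAIMS + 'name']: 'Joe Bloggs',
  issuer: 'http://my-adfs/adfs/services/trust',
};
```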


Enjoy!
