ADFS SAML Login with Express and passport-saml

Michael Ho
3 min readSep 4, 2021

Recently I have had an internal project in my company that needs to use ADFS for Authz. I never tried to use ADFS SAML Login before. This story is to log my findings plus POC so far…


I mainly use Express and passport-saml to connect to the ADFS server in our company.

I also refer to the passport-saml doc in GitHub too.

Setup Express project

Before start, create the node project first. Create a folder (express-passport-saml-poc in my case) and init with the command: yarn init

Next, Import the required packages.

# install the express framework, passport with passport-saml
yarn add express passport passport-saml

You should get the package.json file. Open it and append the scripts section for the start command. The final result should look like this:

Setup ADFS metadata and cert

Next, create the required certificate and metadata XML for ADFS and our Express app.

Follow the instruction in

Download the scripts for creating the files.

Run the to create the metadata file and cert and key files for ADFS.

# Run the script to create the corresponding xml and key pair, in this POC, I use localhost as the domain and our ADFS server has rule to have SSL setup for service providers.
# ./ <your domain> <your saml login callback url>
./ https://localhost:3000 https://localhost:3000/adfs/saml

If it is successfully run, the output should be following:

Run the to get the ADFS cert.

# bash ./ (your_adfs_server_url) > adfs_cert.crt
bash ./ > adfs_cert.crt

Now you should get four files, put the following into your projects (files/) to continue setup.

  • https_localhost_3000.key
  • https_localhost_3000.cert
  • adfs_cert.crt

Create the index.js

Create the config/passport.js file for the passport-saml setup.

Run yarn start to start the server.

Setup ADFS Relying Party Trust

My company is using Windows Server 2016. Copy the metadata XML to the server. Open AD FS Management tool. Click Add Relying Party Trust.

Import the metadata XML.

Enter the Relying Party Trust name.

Click Next for the remaining tabs.

Next, create the Claim Issuance Policy. Click Add Rule

Choose “Send LDAP Attribute as Claims”.

Add the attributes and select Active Directory as the attribute store and click Finish.

Click Apply.

The ADFS setup should be done.


Navigate to the https://localhost:3000/login

It should redirect you to the ADFS login page.

After successful login, you should be redirected back https://localhost:3000/adfs/saml/postResponse

For debug, you may use saml tracer to trace the call.