ADFS SAML Login with Express and passport-saml
Recently I have had an internal project in my company that needs to use ADFS for Authz. I never tried to use ADFS SAML Login before. This story is to log my findings plus POC so far…
I mainly use Express and passport-saml to connect to the ADFS server in our company.
I also refer to the passport-saml doc in GitHub too.
Setup Express project
Before start, create the node project first. Create a folder (express-passport-saml-poc in my case) and init with the command:
Next, Import the required packages.
# install the express framework, passport with passport-saml
yarn add express passport passport-saml
You should get the
package.json file. Open it and append the scripts section for the start command. The final result should look like this:
Setup ADFS metadata and cert
Next, create the required certificate and metadata XML for ADFS and our Express app.
Follow the instruction in https://github.com/node-saml/passport-saml/tree/master/docs/adfs
Download the scripts for creating the files.
Run the mellon_create_metadata.sh to create the metadata file and cert and key files for ADFS.
# Run the script to create the corresponding xml and key pair, in this POC, I use localhost as the domain and our ADFS server has rule to have SSL setup for service providers.
# ./mellon_create_metadata.sh <your domain> <your saml login callback url>
./mellon_create_metadata.sh https://localhost:3000 https://localhost:3000/adfs/saml
If it is successfully run, the output should be following:
Run the retrieve_adfs_certificate.sh to get the ADFS cert.
# bash ./retrieve_adfs_certificate.sh (your_adfs_server_url) > adfs_cert.crt
bash ./retrieve_adfs_certificate.sh https://sample-adfs.com > adfs_cert.crt
Now you should get four files, put the following into your projects (files/) to continue setup.
Create the index.js
Create the config/passport.js file for the passport-saml setup.
yarn start to start the server.
Setup ADFS Relying Party Trust
My company is using Windows Server 2016. Copy the metadata XML to the server. Open AD FS Management tool. Click Add Relying Party Trust.
Import the metadata XML.
Enter the Relying Party Trust name.
Click Next for the remaining tabs.
Next, create the Claim Issuance Policy. Click Add Rule
Choose “Send LDAP Attribute as Claims”.
Add the attributes and select Active Directory as the attribute store and click Finish.
The ADFS setup should be done.
Navigate to the https://localhost:3000/login
It should redirect you to the ADFS login page.
After successful login, you should be redirected back https://localhost:3000/adfs/saml/postResponse
For debug, you may use saml tracer to trace the call.