I'm new to passportand passport-samland I'm trying to create a Node.js server that uses our Shibboleth University Identity Provider for single sign-on. I'm pretty close to getting this to work, but I get confused during / login / callback, which I think is related to the encryption configuration.
I can redirect the client to the login page and after successful registration IdP returns POST to my route / login / callback . Then I get this error:
Error: Invalid signature at SAML.validatePostResponse (.../node_modules/passport-saml/lib/passport-saml/saml.js:357:21) at Strategy.authenticate (.../node_modules/passport-saml/lib/passport-saml/strategy.js:68:18) at ...etc...
It looks like maybe the certificate that I pass to the configuration certis incorrect? I assume that the configuration parameters decryptionPvkand cert, which are supposed to be the private key that I used to create my server certificate, and the HTTPS certificate of the identity provider, respectively? Or should they be something else?
I use modern versions of node and all the various modules (express, passport, passport-saml, etc.)
And for reference, here is the server script that I use to test all of this:
"use strict;"
var https = require('https');
var fs = require('fs');
var express = require("express");
var morgan = require('morgan');
var bodyParser = require('body-parser');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var passport = require('passport');
var saml = require('passport-saml');
var cert = fs.readFileSync('./certs/my-server-https-cert.crt', 'utf-8');
var pvk = fs.readFileSync('./certs/my-server-private.key', 'utf-8');
var uwIdpCert = fs.readFileSync('./certs/our-idp-server-https-cert.pem', 'utf-8');
passport.serializeUser(function(user, done){
done(null, user);
});
passport.deserializeUser(function(user, done){
done(null, user);
});
var samlStrategy = new saml.Strategy({
callbackUrl: 'https://my-domain-name.whatever.edu/login/callback',
entryPoint: 'https://my-university/idp/entry/point',
issuer: 'my-entity-id (domain name registered with university IdP)',
decryptionPvk: pvk,
cert: uwIdpCert
}, function(profile, done){
console.log('Profile: %j', profile);
return done(null, profile);
});
passport.use(samlStrategy);
var app = express();
app.use(morgan('dev'));
app.use(bodyParser.urlencoded({extended: true}));
app.use(cookieParser());
app.use(session({secret: fs.readFileSync('./certs/session-secret.txt', 'utf-8')}));
app.use(passport.initialize());
app.use(passport.session());
app.get('/',
passport.authenticate('saml', {failureRedirect: '/login/fail'}),
function(req, res) {
res.send('Hello World!');
}
);
app.post('/login/callback',
passport.authenticate('saml', { failureRedirect: '/login/fail', failureFlash: true }),
function(req, res) {
res.redirect('/');
}
);
app.get('/login/fail',
function(req, res) {
res.send(401, 'Login failed');
}
);
app.get('/Shibboleth.sso/Metadata',
function(req, res) {
res.type('application/xml');
res.send(200, samlStrategy.generateServiceProviderMetadata(cert));
}
);
app.use(function(err, req, res, next){
console.log('Express error!');
console.error(err.stack);
next(err);
});
var server = https.createServer({
key: pvk,
cert: cert
}, app);
server.listen(process.argv[2] || 44300, function(){
console.log('Listening on port %d', server.address().port)
});
Any help or advice would be most appreciated!