passport-saml-kuleuven

This Node.js web application demonstrates SAML 2.0 single sign-on against KU Leuven's Shibboleth server (the Identity Provider), using the passport-saml package.

Config

This app requires 3 files in the project's root directory: (1) the certificate of the Identity Provider (IdP), in this case KU Leuven's Shibboleth server, which the app uses to verify the signature on incoming SAML responses; and, because your app acts as a Service Provider (SP), (2) a certificate and (3) a private key that you generate yourself. Only the certificate is shared with the IdP; the private key stays on your server. The files are named as follows:

  1. cert_idp.pem: IdP's certificate (trust anchor for verifying SAML response signatures).
  2. cert.pem: SP's certificate (generated by you; uploaded to the IdP during registration).
  3. key.pem: SP's private key (generated by you; keep it secret and out of version control).

Creating Private Key and Certificates

Generate the SP files with the following command:

  • openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 900

Answer the subject prompts when asked; at minimum set the Common Name (CN) to your SP's hostname (the other fields can be left at their defaults). Because of -nodes, key.pem is written unencrypted, so restrict its file permissions and never commit it. The certificate expires after 900 days (-days), after which you must regenerate both files and re-register the new cert.pem with the IdP.

You can find the IdP certificate here. In the section Identity Provider Definitions - KU Leuven / Associatie KU Leuven, copy the contents of the ds:X509Certificate element into a file named cert_idp.pem. That content is the base64 body of the certificate without BEGIN/END lines; it may be on a single line or wrapped over several lines. Since this certificate is what the app trusts when checking response signatures, take it from the published definitions only, never from a SAML response you received.

Registering the Service Provider

Go to https://shib.kuleuven.be/aairr, and click on Resource Admin and Add a Resource Description.

1. Basic Resource Information

  • Home organization: KULeuven
  • Federations: check Federatie KU Leuven
  • fill in Main Descriptive Name and Main Description
  • EntityID: your SP URL (e.g. https://intense-hollows-60910.herokuapp.com); this must be exactly the issuer your app sends in its SAML requests
  • use the same value as EntityID for Home URL and Helpdesk URL
  • set validity dates

3. List of Contacts

  • fill technical contact type

4. Service Locations

  • Default Assertion Consumer Service Binding: select SAML2 HTTP-POST binding
  • Default Assertion Consumer Service URL: the SP POST endpoint that receives the SAML response (e.g. https://intense-hollows-60910.herokuapp.com/login/callback)
  • SAML2 HTTP-POST binding: same as Default Assertion Consumer Service URL. The IdP only delivers responses to a registered URL, so this must match the callback URL configured in your app exactly (scheme, host, and path).

5. Used Certificates

  • PEM formatted X.509 certificate: paste the contents of cert.pem (the certificate only, never key.pem)

6. Required Attributes

  • request the attributes your app needs (e.g., Given name, Surname, uid); the IdP only releases what is approved here, so the app should not rely on anything else

Confirm the configuration, then wait a few days for approval and for the new SP definition to propagate to the IdP.

Usage

npm install
node app.js

Test

This demo implements only what is described above. Opening the app immediately redirects you to the KU Leuven SSO login page; after a successful login the IdP posts the SAML response back to the callback URL, and the app shows the attributes released for the logged-in user. That's it!