
Google SAML #167

Closed
Crispy1975 opened this issue Sep 5, 2016 · 12 comments

@Crispy1975

Does passport-saml support Google SAML?

@springuper

+1

@abelosorio

Yes. It does.

// The two imports this snippet relies on.
const passport = require('passport');
const SamlStrategy = require('passport-saml').Strategy;

passport.use(new SamlStrategy(
  {
    path: process.env.REACT_APP_SAML_PATH,             // ACS callback path (POST)
    entryPoint: process.env.REACT_APP_SAML_ENTRYPOINT, // Google's SSO URL
    issuer: process.env.REACT_APP_SAML_ISSUER,         // this SP's entity ID
    cert: process.env.REACT_APP_SAML_CERT,             // Google's signing certificate
    identifierFormat: 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    protocol: 'https://'
  },
  // Map the SAML attributes Google sends onto the application's user object.
  function(profile, done) {
    return done(null, {
      id: profile.uid,
      email: profile.email,
      displayName: profile.cn,
      firstName: profile.givenName,
      lastName: profile.sn
    });
  })
);

And (in app.js):

// @see https://github.com/bergie/passport-saml#provide-the-authentication-callback
// Assumes express, express-session, passport.initialize() and passport.session()
// are already mounted on `app` above this point.

// Kicks off the login: redirects the browser to Google's entryPoint.
app.get('/auth/sso-login', passport.authenticate(
  process.env.REACT_APP_PASSPORT_STRATEGY,
  {
    successRedirect: '/',
    failureRedirect: '/auth/login',
    failureFlash: true
  }
));

// ACS endpoint: Google POSTs the SAML response back to REACT_APP_SAML_PATH.
app.post(
  process.env.REACT_APP_SAML_PATH,
  passport.authenticate(
    process.env.REACT_APP_PASSPORT_STRATEGY,
    {
      failureRedirect: '/',
      failureFlash: true
    }
  ),
  (req, res) => {
    res.redirect('/');
  }
);

I've used passport, passport-saml, express-session, cookie-parser and body-parser.

Let me know if you need a hand.

@aby040

aby040 commented Apr 17, 2018

@abelosorio Have you tried fetching user groups as part of the SAML response from Google? I was able to add a custom field to users, which can be added in the 'Attribute Mapping' section, but I could not find a way to fetch the groups the user belongs to (member-of)!

@abelosorio

Hi @aby040!

No, I haven't done that. Sadly I'm no longer part of the project where I used Google SAML.

Sorry man, I cannot help this time :(

@ChakrapaniKulkarni

How do I extract the user profile from the SamlStrategy callback? We want to show the logged-in user's name, email, etc. Any idea?

@FossPrime

Yes. It does.

#501

Does failureRedirect get handled by the IdP? With Google, if the user is only logged in with their personal account, we get a dead-end 403 error page; our redirect is ignored. I know there is a passport-saml fork that handles this well with a googleAuth: true parameter.

@cjbarth
Collaborator

cjbarth commented Oct 8, 2021

Do you know which fork? It would be nice to have that fork contribute back to this project if at all possible.

@FossPrime

FossPrime commented Oct 8, 2021

@cjbarth it's old https://github.com/DmtrPn/passport-saml

DmtrPn@4487ed6

He took a tailor-made brute-force approach to the problem... It would be more helpful to have a more general solution that might be useful even outside of Google, like Microsoft, foreign niche IdPs like GMX, Line etc., or other edge cases, perhaps automated testing or staging and contractor accounts.

@cjbarth
Collaborator

cjbarth commented Oct 8, 2021

I'm not sure what problems Google, Instagram, Twitter or others are facing using passport-saml, so I can't really say what is a good general solution. If you're interested in working on that, I'd be happy to help with guidance and code review.

@markstos
Contributor

If you are using Google for identity, I would suggest using Google's OAuth option if possible. SAML continues to have security issues related to XML parsing. OAuth uses JSON and seems to have fewer security issues. I realize some service providers only support SAML, which is too bad.

@cjbarth
Collaborator

cjbarth commented Oct 11, 2021

For completeness, OAuth has its own set of issues; never treat security as a slam-dunk, bolt-on, or drop-in. When it comes to XML parsing issues, it is very hard to exploit because that would mean that a private key of the IdP was leaked or you aren't using signing. If the key is leaked, then you have bigger problems; if you aren't signing, turn it on.
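As an added example (not passport-saml's code and not anything posted in this thread), a check that puts the "turn it on" advice into practice: it audits a SamlStrategy options object for signature verification, InResponseTo binding, the assertion time window and the Audience check. The option names are passport-saml's own; how strictly each is enforced at validation time varies by release, and the sample values and the 5-minute skew limit are constructed for the example.

```javascript
// Added example, not passport-saml code and not from anyone in this thread:
// audit a SamlStrategy options object for the settings that keep XML-parsing
// and replay tricks against a SAML response from paying off.
const MAX_CLOCK_SKEW_MS = 5 * 60 * 1000; // assumption: 5 minutes is plenty

function auditSamlOptions(options) {
  const findings = [];
  // No IdP certificate means no signature can be verified at all.
  if (!options.cert) {
    findings.push('cert missing: IdP signatures cannot be verified');
  }
  // Ask for (and, in newer node-saml, require) a signed <Assertion>, not only
  // a signed outer <Response>, so a swapped assertion inside the envelope fails.
  if (options.wantAssertionsSigned !== true) {
    findings.push('wantAssertionsSigned is not true: unsigned assertions accepted');
  }
  // Tie each response to an AuthnRequest this SP issued (boolean in older
  // releases, the string 'always' in newer node-saml).
  const vir = options.validateInResponseTo;
  if (vir !== true && vir !== 'always') {
    findings.push('validateInResponseTo is off: unsolicited responses accepted');
  }
  // -1 disables NotBefore/NotOnOrAfter checking entirely.
  const skew = options.acceptedClockSkewMs;
  if (skew === -1) {
    findings.push('acceptedClockSkewMs is -1: validity window not enforced');
  } else if (typeof skew === 'number' && skew > MAX_CLOCK_SKEW_MS) {
    findings.push(`acceptedClockSkewMs ${skew} exceeds policy (${MAX_CLOCK_SKEW_MS} ms)`);
  }
  // Without an expected Audience, an assertion issued for another SP passes.
  if (!options.audience) {
    findings.push('audience not set: Audience restriction is not checked');
  }
  return findings;
}

// Constructed sample configs (placeholder values, not real endpoints or certs).
// weakOptions mirrors the shape of the snippet earlier in the thread with time
// validation switched off; hardenedOptions is the corrected version.
const weakOptions = {
  path: '/auth/saml/callback',
  entryPoint: 'https://idp.example/sso',   // placeholder
  issuer: 'https://sp.example/metadata',
  cert: 'MIIC...placeholder-idp-cert...', // placeholder, not a real certificate
  acceptedClockSkewMs: -1,
};
const hardenedOptions = {
  ...weakOptions,
  wantAssertionsSigned: true,
  validateInResponseTo: true,
  acceptedClockSkewMs: 60 * 1000,
  audience: 'https://sp.example/metadata',
};
```

Running `auditSamlOptions(weakOptions)` returns four findings, while the hardened object returns none; wiring the check into startup lets a misconfigured SP refuse to boot rather than accept unsigned assertions.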

@markstos
Contributor

@cjbarth fair points. My bias against XML colors my perspective.
