A Hapi plugin that wraps passport-saml for SAML SSO (as SP) with support for multiple strategies
Version 2.0.0 is compatible with Hapi 17. For previous version, stay with 1.x.x
2.0.0
npm install hapi-passport-saml
Uses samlidp.io as IdP, read passport-saml for how to use options
const idpCert = '...';
const decryptionCert = '...';
const samlOptions = {
// passport saml settings
saml: {
callbackUrl: 'http://localhost/api/sso/v1/assert',
logoutCallbackUrl: 'http://localhost/api/sso/v1/notifylogout',
logoutUrl: 'https://my-idp.samlidp.io/saml2/idp/SingleLogoutService.php',
host: 'localhost',
protocol: 'http',
entryPoint: 'https://my-idp.samlidp.io/saml2/idp/SSOService.php',
// Service Provider Private Key
decryptionPvk: fs.readFileSync(__dirname + '/private.key').toString(),
// IdP Public Key
cert: idpCert,
issuer: 'my-saml'
},
// hapi-passport-saml settings
config: {
// Service Provider Public Key
decryptionCert,
// Plugin Routes
routes: {
// SAML Metadata
metadata: {
path: '/api/sso/v1/metadata.xml',
},
// SAML Assertion
assert: {
path: '/api/sso/v1/assert',
},
},
assertHooks: {
// Assertion Response Hook
// Use this to add any specific props for your business
// or appending to existing cookie
// or make use of the RelayState
onResponse: (profile, request, h) => {
if(request.payload.RelayState)
return h.redirect(request.payload.RelayState);
else
return h.response();
},
}
}
};
const serverPlugins = [{
register: require('hapi-passport-saml'),
options: samlOptions,
}];
// Internal cookie settings
const schemeOpts = {
password: '14523695874159852035.0',
isSecure: false,
isHttpOnly: false,
ttl: 3600,
}
server.register(serverPlugins, function (err) {
server.auth.strategy('single-sign-on', 'saml', schemeOpts);
server.register(controllers, {
routes: {
prefix: '/api'
}
}, function () {
if (!module.parent) {
server.start(function () {
console.log('Server started at port ' + server.info.port);
});
}
});
});Note: Internal cookie name is
hapi-passport-saml-cookie, if you need to read the SAML credentials for integration with other strategies, use assertion hook.
Use hapi-passport-saml as the last strategy. Tested with try and required modes.
required: If successful, returns credentials, else HTTP 200 with JSONtry: If successful, returns credentials, else empty credentials and isAuthenticated set to false
More info: Integrating hapi cookie with hapi passport saml v1.1.0
MIT
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent