node.jssslsails.jssamlpassport-saml

Which files use for SAML with passport-saml


I'm trying to use SAML with node.js and passport-saml module but I don't understand which certificate/key I should use.

I have these files :

I need to set decryptionPvk, decryptionCert and privateCert

var samlStrategy = new passportSaml.Strategy({
  //--- URL that goes from the Identity Provider -> Service Provider
  callbackUrl    : 'http://mydomain/login/callback',

  //--- URL that goes from the Service Provider -> Identity Provider
  entryPoint     : 'https://auth.samlserver',

  issuer         : sails.config.passport.issuer,

  //--- Identity Provider's Public Key
  cert           : sails.config.passport.cert,

  //--- Service Provider Certificate
  privateCert    : fs.readFileSync('./certificats/mydomain.crt', 'utf-8'), // same error with IntermediateCA.crt

  //--- Service Provider private key
  decryptionPvk  : fs.readFileSync('./certificats/mydomain.key', 'utf-8'),
  logoutUrl      : 'https://auth.samlserver/logout',
  passReqToCallback : true,
},
(req, profile, done) => {
  console.log('profile :', profile);
  return done();
});

And for route /metadata (using decryptionCert) :

samlStrategy.generateServiceProviderMetadata(fs.readFileSync('./certificats/mydomain.crt', 'utf-8'))

But I have the following error message :

crypto.js:279
  var ret = this._handle.sign(toBuf(key), null, passphrase);
                         ^

Error: error:0906D06C:PEM routines:PEM_read_bio:no start line
  at Error (native)
  at Sign.sign (crypto.js:279:26)
  at [object Object].SAML.signRequest (C:\Users\mseron\Documents\dev\node\mysite\node_modules\passport-saml\lib\passport-saml\saml.js:135:34)
  at requestToUrlHelper (C:\Users\mseron\Documents\dev\node\mysite\node_modules\passport-saml\lib\passport-saml\saml.js:308:12)
  at DeflateRaw.onEnd (zlib.js:227:5)
  at emitNone (events.js:85:20)
  at DeflateRaw.emit (events.js:179:7)
  at endReadableNT (_stream_readable.js:913:12)
  at _combinedTickCallback (internal/process/next_tick.js:74:11)
  at process._tickDomainCallback (internal/process/next_tick.js:122:9)

Solution

  • Actually, with mydomain.key, the error message was

    Error: error:0906A068:PEM routines:PEM_do_header:bad password read

    I needed to use mydomain.key with its passphrase

    In node.js

    var samlStrategy = new passportSaml.Strategy({
      ...
    
      //--- Service Provider Certificate
      privateCert    : {
        key : fs.readFileSync('./certificats/mydomain.key', 'utf-8'),
        passphrase : 'strong passphrase'
      }, 
      ...
    },
    (req, profile, done) => {
      ...
    });