
passport-saml issue for decoding and verifying signed SAML response


We need to implement SAML-based secure authentication. Our IdPs will be Okta and OneLogin. For this we use "passport" + "passport-saml" in our node.js express app. We use the following strategy configuration at the SP side for Okta:

// privateKey and oktaPublicKey are PEM strings loaded elsewhere (not shown in the question)
var oktaLoginStrategy = {
    host: 'http://localhost:3000',
    path: '/login/callback',
    realm: 'urn:node:app',
    entryPoint: "https://dev-528399.oktapreview.com/app/builtiodev528399_oktasp1_1/exkbbi8vwj2OsHjbE0h7/sso/saml",
    issuer: "http://www.okta.com/exkbbi8vwj2OsHjbE0h7",
    additionalParams: {
        'RelayState': "test"
    },
    signatureAlgorithm: 'sha256',
    decryptionPvk: privateKey,   // SP private key used to decrypt EncryptedAssertion
    privateCert: privateKey,     // SP private key used to sign outgoing requests
    cert: oktaPublicKey,         // IdP certificate used to verify the response signature
    identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
};

and for OneLogin we use:

// privateKey and oneLoginPublicKey are PEM strings loaded elsewhere (not shown in the question)
var oneLoginStrategy = {
    host: 'http://localhost:3000',
    path: '/login/callback',
    realm: 'urn:node:app',
    entryPoint: "https://flow-dev.onelogin.com/trust/saml2/http-post/sso/686218",
    issuer: "https://app.onelogin.com/saml/metadata/686218",
    additionalParams: {
        'RelayState': "test"
    },
    signatureAlgorithm: 'sha256',
    decryptionPvk: privateKey,   // SP private key used to decrypt EncryptedAssertion
    privateCert: privateKey,     // SP private key used to sign outgoing requests
    cert: oneLoginPublicKey,     // IdP certificate used to verify the response signature
    validateInResponseTo: true,  // reject responses whose InResponseTo matches no request we sent
    identifierFormat: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
};

But for Okta it is giving the error "Cannot read property 'getAttribute' of undefined", and for OneLogin it is giving the error "Invalid signature". Further, we debugged into the module and found that for Okta it breaks while finding the algorithm, and for OneLogin it is able to decrypt 'CipherData' but breaks while validating the signature.

Our private key format is:

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Please help us with this.


Solution

  • Here the issue is with the Okta SAML assertion format. We made changes in the "decryptKeyInfo" function of the xml-encryption module, which is used by passport-saml, to find the "keyEncryptionMethod" in the assertion. For OneLogin it was our setup issue.
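As an added illustration (not code from the question, the answer, passport-saml or xml-encryption), the following Python sketch shows the kind of lookup the answer describes: finding the key-transport EncryptionMethod of a saml:EncryptedAssertion in both places XML Encryption permits, failing closed with a clear error when it is absent, and allow-listing the algorithm before any decryption. The two SAML fragments are constructed samples; that an IdP's layout differs only in where the EncryptedKey sits is an assumption, not something the question states.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = f'xmlns:saml="{SAML}" xmlns:xenc="{XENC}" xmlns:ds="{DS}"'
# Key-transport algorithms the SP is willing to decrypt with; anything else is rejected.
ALLOWED_KEY_TRANSPORT = {
    XENC + "rsa-oaep-mgf1p",
    XENC + "rsa-1_5",  # legacy and weaker; keep only while an IdP still needs it
}

def find_key_encryption_method(encrypted_assertion_xml: str) -> str:
    """Return the EncryptedKey's EncryptionMethod/@Algorithm from a saml:EncryptedAssertion.
    XML Encryption allows the EncryptedKey inside ds:KeyInfo of the EncryptedData or as a
    sibling of EncryptedData, so both places are checked and the result is allow-listed."""
    root = ET.fromstring(encrypted_assertion_xml)
    enc_data = root.find(f"{{{XENC}}}EncryptedData")
    if enc_data is None:
        raise ValueError("EncryptedAssertion has no EncryptedData")
    keys = enc_data.findall(f"{{{DS}}}KeyInfo/{{{XENC}}}EncryptedKey")
    keys += root.findall(f"{{{XENC}}}EncryptedKey")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one EncryptedKey, found {len(keys)}")
    # Reading Algorithm off a missing element is what surfaces as "Cannot read property
    # 'getAttribute' of undefined" in the node module; here it fails closed with a clear error.
    method = keys[0].find(f"{{{XENC}}}EncryptionMethod")
    alg = method.get("Algorithm") if method is not None else None
    if not alg:
        raise ValueError("EncryptedKey has no EncryptionMethod/@Algorithm")
    if alg not in ALLOWED_KEY_TRANSPORT:
        raise ValueError(f"unsupported key-transport algorithm: {alg}")
    return alg

# Constructed sample: EncryptedKey nested inside ds:KeyInfo (the layout the library expected).
NESTED = f"""<saml:EncryptedAssertion {NS}><xenc:EncryptedData>
  <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData></saml:EncryptedAssertion>"""
# Constructed sample: EncryptedKey as a sibling of EncryptedData, referenced from KeyInfo.
SIBLING = f"""<saml:EncryptedAssertion {NS}><xenc:EncryptedData>
  <ds:KeyInfo><ds:RetrievalMethod URI="#ek1" Type="{XENC}EncryptedKey"/></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData><xenc:EncryptedKey Id="ek1">
  <xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedKey></saml:EncryptedAssertion>"""
```

Both constructed layouts resolve to their key-transport algorithm, and a fragment with no EncryptionMethod raises ValueError instead of a TypeError-style crash.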