Tags: node.js, authentication, saml, service-provider, idp

How to create a SAML IDP that authenticates with an API from scratch


Right now I'm involved in a project where we want to create a SAML IdP with Node.

Problem: We have a system that implements a REST API, and this API authenticates users; its response contains the information of the authenticated user... just as an API response (nothing about SAML). The point is to aggregate the responses from the API in a SAML IdP system, where SAML requests (XML) arrive from Service Providers. The SAML IdP system internally queries the API, gets the authentication information, and responds with a SAML Response (XML) to the Service Provider. I was looking at easy solutions for this problem like Okta or OneLogin, but the problem is that those companies authenticate the user, and in my system the one who authenticates is the API. I can't change that because the project was defined that way.

My question is:

I'm not an expert on SAML, so any documents about creating a SAML IdP, or any other help, would be useful.

Thank you for reading and sorry for my English.


Solution

  • Do you know about a system that provides SAML configurations but authenticates with an external API?

    First, you have to remember that SAML is a protocol; it's the language that a service provider may choose to speak to the identity provider. The task of validating user credentials and authenticating a user is entirely separate from the protocol. An SP may choose to send a SAML authentication request to an IdP, and the IdP is free to authenticate the user however it sees fit. The two usually have nothing to do with each other.

    Second, there are plenty of IdPs that allow you to:

    1. Turn on the SAML2 functionality so the IdP can speak the SAML2 protocol.
    2. Validate user credentials using a custom REST API. The IdP would reach out to your API to validate the credentials it receives from the user, and would then finally produce a SAML2 response back to the SP.

    An example of such an IdP would be: https://github.com/apereo/cas. It allows you to have it act as a SAML2 IdP and supports a REST API for user authentication.

    While it may not 100% fit your use case OOTB, it's a good starting point. You should never begin from scratch and re-invent the wheel. To "create a SAML IDP that authenticates with an API from scratch" is generally a good way of asking for a lifetime of punishment.

    PS Your other questions should likely be posted as separate posts/questions.