Below is a general outline of what this example SAML Service provides:

- It's an ExpressJS app which uses Passport.js and a passport-saml strategy for SAML authentication
- It has been tested with an Active Directory Federation Services 2.0 IdP via SAML 2.0, although it should work with most SAML IdPs
- Cloud apps calling `/session/login_host` on this service (and passing a device ID or some other kind of identifier via a `token` param) will receive a URL for them to open on a Client App via an in-app browser (see the example SAML Project)
- After opening the login route on the device, the user gets redirected to their IdP to perform a login
- After successfully authenticating, the IdP will POST a SAML assertion back to `/login/callback`. Here we do a few things:
  - Correlate the received SAML assertion with the user's proxy token/device ID (which we'd persisted as `req.session.token`)
  - Persist data from the SAML assertion
  - Redirect to `/login/ok`, which the Client App will use to determine whether authentication was successful or not (and close the in-app browser)

See the Service web front-end for more details, but you'll need to set an environment variable `SAML_ENTRY_POINT` to point to your IdP. You'll also want to configure trust between your IdP and this service. Use `https://my_mbaas_service/login/callback` as both the identifier and the callback URL for your IdP when configuring this trust.
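The `/session/login_host` and `/login/callback` flow described above, as an added example that is not the project's own code: the two handlers are written as plain Express-style functions so they run without Express or passport-saml installed. It assumes (not stated on the page) an in-memory store keyed by token, a `token` format check, and that passport-saml has already verified the assertion and placed the profile on `req.user`.

```javascript
// Added example, not the project's code. Assumes an in-memory store keyed by
// token and that passport-saml has verified the assertion before the callback.
const SERVICE_URL = 'https://my_mbaas_service';   // from the README
const loginsByToken = new Map();                   // constructed store

// Cloud app calls /session/login_host?token=<device id>. We remember the
// token in the session and hand back the URL the Client App should open.
function loginHost(req, res) {
  const token = req.query.token;
  // Assumed format check: reject anything that is not a short opaque id.
  if (typeof token !== 'string' || !/^[A-Za-z0-9._-]{1,128}$/.test(token)) {
    return res.status(400).json({ error: 'missing or invalid token' });
  }
  req.session.token = token;                       // persisted for the callback
  loginsByToken.set(token, { state: 'pending' });
  return res.json({ url: `${SERVICE_URL}/login` });
}

// IdP has POSTed the assertion to /login/callback; passport-saml verified it
// and set req.user. Correlate the profile with the token saved in the session.
function loginCallback(req, res) {
  const token = req.session.token;
  const profile = req.user;
  if (!token || !loginsByToken.has(token)) {
    // No pending login for this session: nothing to correlate, do not persist.
    return res.status(400).send('no pending login for this session');
  }
  delete req.session.token;                        // token is single-use
  if (!profile || !profile.nameID) {
    loginsByToken.set(token, { state: 'failed' });
    return res.redirect('/login/ok?status=failed');
  }
  loginsByToken.set(token, {
    state: 'ok',
    nameID: profile.nameID,
    attributes: profile.attributes || {},
    loggedInAt: new Date().toISOString(),
  });
  return res.redirect('/login/ok');
}

// What a cloud app later asks with the same token: did the login succeed?
function loginStatus(token) {
  return loginsByToken.get(token) || { state: 'unknown' };
}

module.exports = { loginHost, loginCallback, loginStatus, SERVICE_URL };
```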