sso

config/passport.js

@@ -0,0 +1,41 @@
+let fs = require("fs"),
+  passport = require("passport"),
+  SamlStrategy = require("passport-saml").Strategy;
+passport.serializeUser(function (user, done) {
+  done(null, user);
+});
+passport.deserializeUser(function (user, done) {
+  done(null, user);
+});
+
+passport.use(
+  new SamlStrategy(
+    {
+      entryPoint: "https://sso.satitm.chula.ac.th/adfs/ls/",
+      issuer: "acme_tools_com",
+      callbackUrl: "https://sso.satitm.chula.ac.th/selfservice/activedirectory/postResponse",
+      privateKey: fs.readFileSync("adfs_connect/urn_satitm_sso_selfservice.key", "utf-8"),
+      cert: fs.readFileSync("adfs_connect/urn_satitm_sso_selfservice.cert", "utf-8"),
+      // other authn contexts are available e.g. windows single sign-on
+      // see: https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.authenticationmethods?view=netframework-4.8#fields
+      authnContext: [
+        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password",
+      ],
+      identifierFormat: null,
+      // this is configured under the Advanced tab in AD FS relying party
+      signatureAlgorithm: "sha256",
+      racComparison: "exact", // default to exact RequestedAuthnContext Comparison Type
+      // From the metadata document
+      audience: "https://sso.satitm.chula.ac.th/FederationMetadata/2007-06/FederationMetadata.xml",
+    },
+    function (profile, done) {
+      return done(null, {
+        upn: profile["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"],
+        // e.g. if you added a Group claim
+        group: profile["http://schemas.xmlsoap.org/claims/Group"],
+      });
+    }
+  )
+);
+
+module.exports = passport;