sso

node_modules/passport-saml/docs/adfs/README.md

@@ -0,0 +1,128 @@
+Active Directory Federation Services
+====================================
+
+This document attempts to describe a complete solution for integrating with AD FS.
+
+# Creating a self-signed certificate
+
+Create a folder to contain your keys and certificates.
+
+Download [mellon_create_metadata.sh](https://github.com/UNINETT/mod_auth_mellon/blob/master/mellon_create_metadata.sh)
+
+Create a new key, certificate and relying party XML as follows:
+
+  ./mellon_create_metadata.sh acme_tools_com https://acme_tools.com/adfs/postResponse
+
+## Retrieve AD FS Certificate
+
+Use retrieve_adfs_certificate.sh to get your AD FS server's signing certificate:
+
+  ./retrieve_adfs_certificate.sh https://adfs.acme_tools.com/ > adfs.acme_tools.com.crt
+
+# Create Relying Party
+
+Copy the `acme_tools_com.xml` to your AD FS server. Use the AD FS management relying party wizard to import this XML, creating a relying party. Create claim rules to pass authentication information to your application.
+
+This example assumes you will pass in the UPN.
+
+# Create a Passport framework
+
+Create a separate file for passport configuration (assumed to be config/passport.js).
+
+```javascript
+var
+  fs = require('fs')
+  , passport = require('passport')
+  , SamlStrategy = require('passport-saml').Strategy
+;
+
+passport.serializeUser(function(user, done) {
+  done(null, user);
+});
+passport.deserializeUser(function(user, done) {
+  done(null, user);
+});
+
+passport.use(new SamlStrategy(
+  {
+    entryPoint: 'https://adfs.acme_tools.com/adfs/ls/',
+    issuer: 'acme_tools_com',
+    callbackUrl: 'https://acme_tools.com/adfs/postResponse',
+    privateCert: fs.readFileSync('/path/to/acme_tools_com.key', 'utf-8'),
+    cert: fs.readFileSync('/path/to/adfs.acme_tools.com.crt', 'utf-8'),
+  // other authn contexts are available e.g. windows single sign-on
+    authnContext: 'http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password',
+  // not sure if this is necessary?
+    acceptedClockSkewMs: -1,
+    identifierFormat: null,
+  // this is configured under the Advanced tab in AD FS relying party
+    signatureAlgorithm: 'sha256',
+    racComparison: 'exact', // default to exact RequestedAuthnContext Comparison Type
+  },
+  function(profile, done) {
+    return done(null,
+      {
+        upn: profile['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'],
+        // e.g. if you added a Group claim
+        group: profile['http://schemas.xmlsoap.org/claims/Group']
+    });
+  }
+));
+
+module.exports = passport;
+```
+
+# Express Application
+
+```javascript
+  var passport = require('passport');
+  var express = require('express');
+  ... etc.
+
+  var app = express();
+  require('./config/passport.js');
+
+  ... add the usual express pro-forma
+
+  app.use(passport.initialize());
+  app.use(passport.session());
+
+  app.get('/login',
+    passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
+    function(req, res) {
+      res.redirect('https://acme_tools.com');
+    }
+  );
+  app.post('/adfs/postResponse',
+    passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
+    function(req, res) {
+      res.redirect('https://acme_tools.com');
+    }
+  );
+  app.get('/secure', validUser, routes.secure);
+
+  function validUser(req, res, next) {
+    if (!req.user) {
+      res.redirect('https://acme_tools.com/login');
+    }
+    next();
+  }
+
+  var server = http.createServer(app);
+```
+# Troubleshooting
+
+## ADFS 2016
+
+If you are setting up an ADFS 2016 server, you might run into the following issue with the previous settings:
+
+```
+An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.
+
+Verify your proxy server setting. For more information about how to verify you proxy sever setting, see the AD FS Troubleshooting Guide http://go.microsoft.com/fwlink/?LinkId=182180).
+Error message: EntityDescriptor 'acme_tools_com'. ID0014: The value 'NamelDFormat' must be an absolute URI.
+```
+
+![NamelDFormat Error Popup](./NameIDFormatError.jpg)
+
+If you remove the `identifierFormat`, it works as expected.

node_modules/passport-saml/docs/adfs/retrieve_adfs_certificate.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# Author: Tim Brody <T.D.Brody@soton.ac.uk>
+# Date: 2015-02-11
+#
+# Retrieve the signing certificate from an ADFS instance in PEM format.
+
+ADFS_SERVER=$1
+
+if [ "$#" -ne "1" ]; then
+  echo "Usage: $0 <adfs server URL>"
+  exit 1
+fi
+
+URL=$ADFS_SERVER/FederationMetadata/2007-06/FederationMetadata.xml
+TEMPFILE=$(mktemp)
+
+if [[ $(command -v wget) ]]; then
+    wget --no-check-certificate -q -O $TEMPFILE $URL
+elif [[ $(command -v curl) ]]; then
+        curl -sk $URL -o $TEMPFILE
+    else
+        echo "Neither curl or wget was found"
+        exit 127
+fi
+
+if [ $? -ne 0 ]; then
+  echo "Error requesting $URL"
+  exit 1
+fi
+
+echo "-----BEGIN CERTIFICATE-----"
+(xmllint --shell $TEMPFILE | grep -v '^/ >' | grep -v '^ ----' | fold -w 64) << EndOfScript
+setns a=urn:oasis:names:tc:SAML:2.0:metadata
+setns b=http://www.w3.org/2000/09/xmldsig#
+cat /a:EntityDescriptor/b:Signature/b:KeyInfo/b:X509Data/b:X509Certificate/text()
+EndOfScript
+echo "-----END CERTIFICATE-----"
+
+unlink $TEMPFILE

node_modules/passport-saml/docs/xml-signing-example.js

@@ -0,0 +1,41 @@
+// This will help generate signing info for test cases.
+// Simply fill in the data and run it to get <DigestValue /> and <SignatureValue />.
+
+const crypto = require('crypto')
+
+const private_key = `-----BEGIN PRIVATE KEY-----
+
+-----END PRIVATE KEY-----
+`
+
+const cert = `-----BEGIN CERTIFICATE-----
+
+-----END CERTIFICATE-----
+`
+
+const saml_message = ``
+
+const signed_info = `<SignedInfo...</SignedInfo>`
+
+const signer = crypto.createSign('RSA-SHA1');
+signer.update(signed_info);
+signer.end();
+
+const signature = signer.sign(private_key)
+const signature_b64 = signature.toString('base64')
+
+const verifier = crypto.createVerify('RSA-SHA1')
+verifier.update(signed_info)
+verifier.end()
+
+const verified = verifier.verify(cert, signature)
+
+const hash = crypto.createHash('RSA-SHA1')
+hash.update(saml_message, 'utf8')
+const digest_b64 = hash.digest('base64')
+
+console.log(JSON.stringify({
+	signature: signature_b64,
+	digest: digest_b64,
+	verified: verified,
+}, null, 2))