
I'm implementing a SAML based SSO with nodejs using express and passport-saml for GSuite. I'm able to configure the first part and get passport-saml to redirect me to the google login page. But I'm stuck regarding the ACS url and identity ID that gsuite asks me for to finish the configuration. So when I log myself in on the google login page I end up with a 503 from google. I think I kinda understand how SAML works but I'm working with it for the first time so I may be totally wrong.

After a lot of research I came across this answer but I'm not sure that I understand it well. It says that I can use the same urls that I set up for the path and callback parameters for passport.

Here is what my passport configuration looks like:

const fs = require("fs");
const passport = require("passport");
const SamlStrategy = require("passport-saml").Strategy;

passport.use(
  new SamlStrategy(
    {
      protocol: "https://",
      path: "/auth/saml/callback",
      entryPoint: "https://accounts.google.com/o/saml2/idp?idpid=XXXXXX",
      issuer: "https://accounts.google.com/o/saml2?idpid=XXXXXX",
      // IdP signing certificate with the PEM header/footer stripped
      cert: fs
        .readFileSync("./cert.pem", "utf-8")
        .replace("-----BEGIN CERTIFICATE-----", "")
        .replace("-----END CERTIFICATE-----", "")
        .replace(/\n$/, "")
    },
    function(profile, done) {
      done(null, {
        email: profile.email,
        name: profile.name
      });
    }
  )
);

And here is how my passport related routes are configured:

app.post(
  "/auth/saml/callback",
  passport.authenticate("saml", {
    failureRedirect: "/error",
    failureFlash: true
  }),
  function(req, res) {
    res.redirect("/logged");
  }
);

app.get(
  "/login/saml",
  passport.authenticate("saml", {
    failureRedirect: "/login/saml"
  }),
  function(req, res) {
    res.redirect("/");
  }
);

/login/saml is a route that I use to dispatch which configuration I want to use with passport since I'm using MultiSamlStrategy; I didn't put it in the passport config intentionally.

Can someone explain to me what I need to set for the ACS url and Entity ID in Gsuite? I think I understood that the ACS url must return an XML with my service information, but I can't understand how to generate it.

Thanks

BPC

1 Answer


The entityID identifies the SP (your app) to the IdP (GSuite). Generally the IdP uses the entityID to find the SP's SAML metadata. The Attribute Consumer Service (ACS) URL will be in the SP's metadata. This is how it should work. You generally cannot give an IdP an ACS and get the SAML Response back as it's a security hole. I haven't used the GSuite IdP but I presume you tell the configuration the ACS url?

From the passport docs, entryPoint is the login endpoint at the IdP. The IdP already knows its entityID so you shouldn't need it:

entryPoint: "https://accounts.google.com/o/saml2/idp"

issuer is where your entityID goes:

issuer: "YOUR_ENTITYID"

according to your config, your ACS is:

"/auth/saml/callback"

so you'll need the route:

const bodyParser = require('body-parser');

// GSuite POSTs the SAMLResponse to the ACS as a form, so parse the body first
app.post('/auth/saml/callback',
  bodyParser.urlencoded({ extended: false }),
  passport.authenticate('saml', { failureRedirect: '/', failureFlash: true }),
  function(req, res) {
    res.redirect('/');
  }
);

remembering that issuer is your entityID.

So to summarise:

Can someone explain to me what I need to set for the ACS url and Entity ID in Gsuite? ACS url is the fully qualified url to:

/auth/saml/callback

and entityID (issuer) is whatever you called it in your metadata. It's generally a URI such as:

https://your.app/saml/sp
codebrane