hapi-saml-auth
v1.1.0
SAML2 Auth strategy for Hapi
hapi-saml-auth
This plugin for Hapi implements Single Sign-On for your app using the SAML 2.0 protocol.
Notes
It is based on the @node-saml/node-saml library.
The plugin registers a 'SAML' auth strategy in your Hapi server and also creates two routes:
- [GET] /login : redirects the client to the configured IdP
- [POST] /callback : handles the IdP callback and verifies the SAML response. On success a JWT is issued and set as a cookie in the response
Usage
Install the plugin in your project and register it in your Hapi server.
The plugin options are:
- samlConfig [required]: the configuration object passed to @node-saml/node-saml. See the @node-saml/node-saml documentation for the available fields.
- jwt [required]: an object with a 'secret' property. Its value is the key used to sign the JWT; keep it long, random and out of source control.
- cookie [optional]: an object with a 'name' property. Its value is used as the name of the cookie that carries the JWT back to the client. Default value is 'auth-cookie'.
- utilities [optional]: an object with a 'profileTransformation' property. Its value is a function that takes the SAML profile as its parameter and returns the object used as the JWT payload. Keep that payload minimal: everything it contains ends up in the client-side cookie.
To authenticate the client against the IdP, send it to the /login route, which redirects it to the IdP endpoint. When the IdP posts the client back to the /callback route on your server, the SAML response is verified and the resulting profile is passed through the 'profileTransformation' function. The returned object becomes the payload of a JWT, which is sent back to the client as a cookie, and the client is then redirected to the '/' route of your server.
Use another auth strategy to protect your server's routes; consider @hapi/jwt for that purpose (this plugin already uses it to generate the JWT). That strategy must verify tokens with the same 'secret' and read them from the configured cookie, otherwise the cookie set by /callback will not authenticate anything.