npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

saml2-oidc-bridge

v1.0.4

Published

A bridge from Saml2 systems to log into OIDC systems

Downloads

26

Readme

saml2-oidc-bridge

A server the allows OIDC applications to work with SAML identity providers.

Diagram of the SAML2-OIDC-Bridge serving as an intermediary between an OIDC Client and a SAML Auth server

Setup

See the setup tutorial for a more in-depth description of setting up the server.

Step 1: Download the library

npm install -g saml2-oidc-bridge

Step 2: Proxy Configuration

If you plan to deploy with nginx, follow the configuration listed below. This guide does not detail setting up SSL, but it is suggested to do so as most SAML providers will not work without SSL.

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;

Step 3: Generate Keys

Four keys must be generated for this project. They can all be saved to separate files. This solution uses OpenSSL, so be sure that is installed first.

SAML Client Public and Private Key

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout saml-client-key.pem -out saml-client-cert.pem

This should generate two files. saml-client-key.pem (the private key) and saml-client-cert.pem (the public key).

SAML IDP Public Keys

Each SAML IDP must have a public key. To find the public key for a particular SAML IDP, look for the <ds:X509Certificate> tag. We'll call this file saml-idp-key.crt.

OIDC JWKS

JSON Web Key Sets can be here. Once you generate the key, select the center value labeled "Public and Private Keypair Set". We'll call this file oidc-jwks.json

Step 4: Deploy Redis

Deploy a redis server that is accessible from your machine.

Step 5: Configuration

Create a json file and fill it with a configuration like the one below. We'll call it config.json.

{
  "baseUrl": "https://saml2-oidc-bridge.com",
  "port": "3000",
  "saml": {
    "privateKey": "./saml-client-key.pem",
    "cert": "./saml-client-cert.pem",
    "idps": [
      {
        "name": "example-saml-idp",
        "displayName": "Example SAML IDP",
        "sso_login_url": "https://example-saml-idp.com/login",
        "sso_logout_url": "https://example-saml-idp.com/logout",
        "certificates": "saml-idp-key.crt"
      },
    ]
  },
  "oidc": {
    "clients": [
      {
        "client_id": "some-client-id",
        "client_secret": "client-secret",
        "redirect_uris": [
          "https://oidcdebugger.com/debug"
        ],
        "allowedOrigins": [
          "https://oidcdebugger.com"
        ],
        "token_endpoint_auth_method": "none"
      }
    ],
    "cookieKeys": ["secret", "keys"],
    "jwks": "./oidc-jwks.json"
  },
  "redis": {
    "port": 6379,
    "host": "127.0.0.1",
    "prefix": "oidc:"
  }
}
  • baseUrl: The URL you will deploy the bridge at
  • port: The port the server should listen at
  • saml: SAML configurations. The saml2-oidc-bridge is treated as a SAML client for IDPs
    • saml.privateKey: The private key generated in the previous step
    • saml.cert: The cert (public key) generated in the previous step
    • idps: A list of SAML IDPs this bridge should serve
      • saml.idps[*].name: A url-safe name for the idp. This will eventually be used to tell the saml2-oidc-bridge which idp it should try to login to.
      • saml.idps[*].displayName: A plain english name for the IDP. This will be used in a UI that lets the user select the IDP they want to login to.
      • saml.idps[*].sso_login_url: The login URL for the IDP. This can be found in the IDP metadata in the location field for the SingleSignOnService tag with a binding of urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. (<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example-saml-idp.com/login" />)
      • saml.idps[*].sso_logout_url: The logout URL for the IDP. This can be found in the IDP metadata in the location field for the SingleLogoutService tag with a binding of urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. (<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example-saml-idp.com/logout" />)
      • saml.idps[*].certificates: A list of certificates retrieved for the IDP metadata in the previous step.
  • oidc: OIDC configurations. The saml2-oidc-bridge is treated as an IDP for OIDC clients
    • oidc.clients: A list of all the clients that can authenticate with this IDP. For the most part, this follows client configuration in node-oidc-provider.
      • oidc.clients[*].client_id: The client idp for the client
      • oidc.clients[*].client_secret: The client secret used in the client credentials flow
      • oidc.clients[*].redirect_uris: Valid redirect uris for the client
      • oidc.clients[*].allowedOrigins: Allowed origins for the client when making AJAX requests
      • oidc.clients[*].token_enpoint_auth_method: The autentication method for the token endpoint
    • oidc.cookieKeys: A list of randomized strings to be used for the session cookies
    • jwks: The route to the jwks generated in the previous step
  • redis: Configuration for the redis instance
    • redis.port: Redis port
    • redis.host: Redis host
    • redis.prefix: A prefix that will be used for all keys stored in the redis instance

Step 6: Run the sever

Assuming all files are in the same folder, you can run the server by running

saml2-oidc-bridge start -c config.json

Using the bridge

Once the bridge is deployed and configured, OIDC-compatible applications can send requests to log in with configured SAML services. Note a few caveats:

  • OIDC requests MUST use PKCE.
  • The profile scope can be provided in addition to the openid scope if you want an ID Token with some profile information. Note that all profile information under OIDC cannot be provided as there is an insufficient overlap between OIDC and SAML.
  • A provider query parameter can be added. This will cause the saml2-oidc-bridge to skip the provider selection UI and go directly to the specified provider. The value of the provider param corresponds to the configuration at saml.idps[*].name.

An example request could look like:

https://saml.dcconsortium.org/auth?
  client_id=some-client-id&
  redirect_uri=https%3A%2F%2Foidcdebugger.com%2Fdebug&
  scope=openid%20profile&
  response_type=code&
  response_mode=form_post&
  code_challenge_method=S256&
  code_challenge=_UxY46vb_MnzT4OACEZS18ptTRMknEvGg2OfgT5V-IA&
  state=iben3lqhdg&nonce=uxx9q08zxu&
  provider=example-saml-idp

Liscense

MIT