Configure nodejs as SP with passport-saml and OpenAM as IDP
I deployed OpenAM and created a hosted IDP. Then I want to set up Node.js as a service provider and implement SSO using passport-saml. For this I have to register my node.js app as a remote service provider.
- OpenAM deployment URL - http://ndcdr001s:8081/OpenAM-12.0.0
- Node.js application deployment URL - http://ndcui.local:9000/
I have two questions:
To register a Node.js app as a remote service provider, I have to tell OpenAM the URL where the metadata is located. How can I get metadata using passport-saml?
How do I configure passport-saml to work with OpenAM?
I configured passport-saml like this:
    var SamlStrategy = require('passport-saml').Strategy;

    // Keep a reference: the /logout route below calls samlStrategy.logout()
    var samlStrategy = new SamlStrategy({
        // IdP-initiated SSO endpoint of the hosted OpenAM IdP
        entryPoint: "http://ndcdr001s:8081/OpenAM-12.0.0/saml2/jsp/idpSSOInit.jsp?"
            + "metaAlias=/idp"
            + "&spEntityID=http://ndcui.local:9000/metadata/",
        // Assertion consumer service (where OpenAM POSTs the SAML Response)
        callbackUrl: 'http://ndcui.local:9000/login/callback/',
        // IdP-initiated single logout endpoint
        logoutUrl: "http://ndcdr001s:8081/OpenAM-12.0.0/saml2/jsp/idpSingleLogoutInit.jsp?"
            + "binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            + "&RelayState=http://ndcui.local:9000/saml/logout/callback",
        issuer: 'http://ndcui.local:9000/'
    }, function (profile, done) {
        // Build the user object stored in the session
        return done(null, {
            // displayName:,
            // firstName: profile.givenName,
            // lastName:,
            sessionIndex: profile.sessionIndex,
            saml: {
                nameID: profile.nameID,
                nameIDFormat: profile.nameIDFormat
            }
        });
    });
Then I registered "http://ndcui.local:9000/metadata/" as an SP in OpenAM.
I created the metadata for the SP manually as follows and served it at "http://ndcui.local:9000/metadata/":
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://ndcui.local:9000/metadata/">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://ndcui.local:9000/logout" ResponseLocation="http://ndcui.local:9000/saml/logout/callback"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://ndcui.local:9000/login/callback" index="0"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="http://ndcui.local:9000/login/callback" index="1"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://ndcui.local:9000/login/callback" index="2"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="http://ndcui.local:9000/login/callback" index="3"/>
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser" Location="http://ndcui.local:9000/login/callback" index="4"/>
      </SPSSODescriptor>
      <ContactPerson contactType="technical">
      </ContactPerson>
    </EntityDescriptor>
And my routes:
    app.get('/metadata', function (req, res) {
        // Send custom metadata
        res.sendfile(__dirname + "/metadata.xml");
    });

    // SP-initiated login: redirect the browser to the OpenAM entryPoint
    app.get("/login", passport.authenticate('saml', {
        successRedirect: "/",
        failureRedirect: "/login"
    }));

    // Assertion consumer service: OpenAM POSTs the SAML Response here
    app.post('/login/callback', passport.authenticate('saml', {
        failureRedirect: '/',
        failureFlash: true
    }), function (req, res) {
        res.redirect('/');
    });

    app.get('/logout', auth.requiresLogin, function (req, res) {
        // passport-saml reads nameID/nameIDFormat from req.user to build the LogoutRequest
        req.user.nameID = req.user.saml.nameID;
        req.user.nameIDFormat = req.user.saml.nameIDFormat;
        samlStrategy.logout(req, function (err, request) {
            if (!err) {
                // 'request' is the IdP URL carrying the LogoutRequest
                res.redirect(request);
            }
        });
    });

    app.get('/saml/logout/callback', auth.requiresLogin, function (req, res) {
        // Logout user
        req.logout();
        res.redirect('/');
    });
Link to the full implementation (you may want Google to translate the page)
If your SP does not have metadata, you can generate it with the ssoadm create-metadata-templ command, which should create a nice metadata template for you that you can customize as needed.