Azure Active Directory提供无缝单一登录,介绍如下:
https://learn.microsoft.com/zh-cn/azure/active-directory/hybrid/how-to-connect-sso-quick-start
网站可通过 SAML2 或 OAuth2 协议,让用户使用 Windows 域帐号登录网站应用(下文以 SAML2 为例):
1. 首先由管理员在 identity provider (IdP) 上为本网站注册一个新的 SP (service provider) 条目,
注册完成后得到的信息示例如下:
Entity id : urn:saml2:yourentityname:youtentitytag
ACS (Assertion Consumer Service) / 登录回调 endpoint: https://your.sso.domain.com/logincallback
Metadata URL: https://login.id.server/openam/saml2/jsp/exportmetadata.jsp?entityid=urn:your:company:sso:id:s:latest:2031&realm=/company
IDP Initiated url: https://login.id.server.com/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/company/idpid10x&spEntityID=urn:saml2:yourentityname:youtentitytag
其中 Metadata URL 返回的 IdP metadata 中包含 IdP 的签名证书(KeyDescriptor use="signing" 下的 X509Certificate),SP 用它校验 IdP 返回的 SAML 响应/断言上的签名,因此必须通过 HTTPS 获取并妥善保存。注意:metadata 中的 entityID 应与 Metadata URL 的 entityid 参数一致(下面示例中两者并不一致,填写时请以实际 IdP 为准);示例中 WantAuthnRequestsSigned="false" 表示该 IdP 不要求 SP 对 AuthnRequest 签名。示例如下:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="urn:pwc:cert:preferredmail:s:latest:2031" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:x509qry="urn:oasis:names:tc:SAML:metadata:X509:query" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
################################## YOUR CERTIFICATE TOKEN ##################################
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
node.js 创建 SAML2 登录的代码如下(应为 passport-saml 的 Strategy),将上文中的信息填入:
entryPoint: IdP 的单点登录入口。SP 发起的流程通常应填 IdP metadata 中 SingleSignOnService 的 URL;上文的 IDP Initiated url (idpSSOInit.jsp) 是 OpenAM 的 IdP 发起登录入口,走该入口时 IdP 返回的响应不对应任何 AuthnRequest,无法做 InResponseTo 校验,请按实际流程选择
cert: 填入 Metadata URL 中 use="signing" 的 X509Certificate 内容(替换掉占位符);缺少或填错会导致签名校验失败
path: 填入 callback url 的路径部分(须与上文注册的 ACS 地址一致);建议同时显式配置 callbackUrl,避免回调地址由请求的 Host 头推导
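// Placeholder for the IdP signing certificate. The real value is the body of the
// <ds:X509Certificate> under KeyDescriptor use="signing" in the IdP metadata; it
// is what the strategy uses to verify the signature on incoming SAML responses,
// and it is expected to arrive via CONFIG.IDENTITY (which overrides these defaults).
const CERT_PLACEHOLDER = "**NEED TO OVERRDIE**";

// Strategy options: the literal defaults below are overridden by anything in
// CONFIG.IDENTITY (Object.assign — later sources win).
const samlOptions = Object.assign({
  protocol: "https",
  path: "/logincallback",
  entryPoint: "https://your.saml2.sso.init.url",
  cert: CERT_PLACEHOLDER,
}, CONFIG.IDENTITY);

// Fail fast at startup instead of at the first login: without the real IdP
// certificate no response signature can be verified.
if (!samlOptions.cert || samlOptions.cert === CERT_PLACEHOLDER) {
  throw new Error("SAML config error: CONFIG.IDENTITY.cert must be set to the IdP signing certificate");
}
// NOTE(review): neither the SP entity id (`issuer`) nor `callbackUrl` is set
// here, so they are presumably supplied by CONFIG.IDENTITY — verify. Without an
// explicit `callbackUrl`, passport-saml builds it from protocol + the request
// Host header + path, so a spoofed Host header could alter the ACS URL placed
// in the AuthnRequest — TODO confirm against the passport-saml version in use.

const strategy = new Strategy(samlOptions, (profile: any, done: any) => {
  // Verify callback: the validated assertion profile is passed through as the
  // user object; `profile.nameID` is what serializeUser later stores.
  done(null, profile);
});
passport.use(strategy);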
// Session (de)serialization. Only the SAML NameID is written into the session
// store; on each later request it is rehydrated as `{ id: nameID }` — no
// directory or database lookup happens here.
passport.serializeUser((user: any, done) => {
  done(null, user.nameID);
});
passport.deserializeUser((id: string, done) => {
  done(null, { id });
});
// Passport middleware, in the order passport requires: initialize() attaches
// passport to each request; session() restores req.user from the serialized
// session via deserializeUser.
app.use(passport.initialize(), passport.session());
// SP-initiated login entry point. With passport-saml, authenticate('saml') on a
// GET redirects the browser to the IdP (`entryPoint`), so the trailing handler
// is effectively unreachable on that path — TODO confirm for the version in use.
const loginOptions = {
  failureRedirect: '/',
  failureFlash: true,
};
app.get('/login', passport.authenticate('saml', loginOptions), (req, res) => {
  res.redirect('/dashboard/');
});
// Assertion Consumer Service (the `path` given to the strategy). The IdP POSTs
// the SAML response here; passport.authenticate('saml') is expected to validate
// it (signature against `cert`) and, on success, store the serialized user in
// req.session.passport.user. On failure the browser is sent back to '/'.
const callbackOptions = {
  failureRedirect: "/",
  failureFlash: true,
};
app.post('/logincallback', passport.authenticate('saml', callbackOptions), (req, res) => {
  // Mirror the authenticated NameID into the app's own session slot.
  // NOTE(review): confirm that the passport version in use regenerates the
  // session id on login (passport >= 0.6 does); if it does not, the session
  // must be regenerated here to prevent session fixation.
  const username = req.session.passport.user;
  req.session.user = { username };
  res.redirect("/dashboard/");
});
此时如果 IdP 配置正确,访问 https://your.domain.com/login 即可用域帐号登录系统。上线前建议同时验证:篡改过或未签名的 SAML 响应会被 /logincallback 拒绝并跳回 /,而不是被放行。