The application uses a single sign-on flow with Azure AD through the npm package passport-saml.
The application is built on the Node.js Express framework.
The passport-saml configuration looks like this snippet:
filename - config.js
// Exported so that connect.js can require('./config.js') and read config.passport.saml
module.exports = {
  passport: {
    strategy: 'saml',
    saml: {
      path: process.env.SAML_PATH,
      // IdP single sign-on endpoint the login request is sent to
      entryPoint: process.env.SAML_ENTRY_POINT || 'https://login.microsoftonline.com/tenant/saml2',
      issuer: 'app id',
      // IdP signing certificate used to validate the SAML response
      cert: process.env.SAML_CERT,
      callbackUrl: 'https://application_url/login/callback',
      // IdP single logout endpoint the logout request is sent to
      logoutUrl: 'https://login.microsoftonline.com/tenant/saml2',
    }
  }
};
In the above config, entryPoint and logoutUrl are the same.
Code snippet for the Express app that consumes the passport-saml strategy to connect to Azure AD.
filename - connect.js:
const express = require('express');
const passport = require('passport');
const SamlStrategy = require('passport-saml').Strategy;
const config = require('./config.js');

const app = express();
// The SAML response arrives as a form POST (SAMLResponse field), so a body parser is required
app.use(express.urlencoded({ extended: false }));
app.use(passport.initialize());

passport.serializeUser((user, done) => {
  done(null, user);
});
passport.deserializeUser((user, done) => {
  done(null, user);
});

// passport-saml's verify callback receives the SAML profile, not OAuth tokens;
// it must call done() or the request hangs
passport.use(new SamlStrategy(config.passport.saml,
  function (profile, done) {
    // profile.nameID, profile.nameIDFormat and profile.sessionIndex are needed later for logout
    done(null, profile);
  }
));

/* express app router */
app.get('/login', (req, res, next) => {
  passport.authenticate(config.passport.strategy, { failureRedirect: '/' })(req, res, next);
});

// The strategy must run on the callback too, so that the SAMLResponse is validated before use
app.post('/login/callback',
  passport.authenticate(config.passport.strategy, { failureRedirect: '/' }),
  (req, res, next) => {
    /* processing logic after the successful auth from Azure AD SAML */
  });
Up to this point it is possible to do SAML auth with Azure AD and receive the login callback as well. Note: the login callback is properly configured in the Redirect URIs of the Azure AD application.
Moving on, I have a problem performing logout from an Express app route.
The logout URL is configured in the Azure AD application settings.
Whenever the app hits the movelogout route, it needs to log out the Azure AD session. How is it possible to issue a logout request to Azure AD inside this route using the passport-saml strategy?
Code continues, filename: connect.js
app.get('/movelogout', (req, res, next)=> {
//How to issue logout request ?
})
/*Callback for successful logout in Azure AD*/
app.post('/logout', (req, res, next) => {
//Do post logout operation
})
In a nutshell, I have been trying to accomplish the Azure single sign-out SAML protocol using passport-saml. The linked page covers the SAML logout request, but it has no explanation of how to issue the SAML request in JavaScript.
I am not quite sure about the relation between logoutUrl in the config and the front-end logout URL in the Azure settings.
Any suggestions or solutions to perform Azure AD session logout manually are much appreciated!