Make passport-saml work with wso2 is,

[Indrani123]

I am using passport-saml nodejs module with WSO2is-5.0.0 using SAMLstragegy trying to implementt SSO, I am able to login WSO2is-5.0.0 server, using it, but when I am try to logout , my session still exist, unable to implement logout .

here my SAMLStrategy configuration:

passport.use(new SamlStrategy(
{
    path: '/AssertionConsumer',
    entryPoint: config.idpUrl,
    issuer: config.issuer,
    protocol: config.httpProtocol,
    identifierFormat : config.identifierFormat,
    logoutUrl:'/logout',
    attributeConsumingServiceIndex:1012175983,
   }, function(profile, done){

    console.log('Profile: %j', profile);
    return done(null, profile);
}
  ));

Is there any configuration I miss for wso2is-5.0.0 with passport-saml ?

This is my config data:

config.idpUrl= "https://localhost:9443/samlsso";
config.issuer = "passport-saml";
config.httpProtocol = "http://";
config.identifierFormat =  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

I had checked further, starting wso2 in debug mode

log4j.logger.org.wso2.carbon.identity=DEBUG

then using a logout url in route also configure in strategy

logoutUrl:'/logout'

 router.get('/logout',passport.authenticate('saml', { failureRedirect:  '/error', failureFlash: true, samlFallback:'logout-request' }),function(req, res) {

req.logout();
res.redirect('/');

 });

now when I click further in http://localhost:9001/logout

I got this error : Error when processing the authentication request! msg in browser

so I did check in my logs found passport-saml have missing SessionIndex information in LogoutRequest

    <?xml version="1.0"?><samlp:LogoutRequest xmlns:samlp="u
      rn:oasis:names:tc:SAML:2.0:protocol"  xmlns:saml="urn:oasis:names:tc:SAML:2.0:ass
   ertion" ID="_66a8e1407de73b21ed44" Version="2.0" IssueInstant="2015-03-16T16:06:
   41.743Z" Destination="https://localhost:9443/samlsso"><saml:Issuer  xmlns:saml="u
      rn:oasis:names:tc:SAML:2.0:assertion">passport-saml</saml:Issuer><saml:NameID Fo
      rmat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID
    ></samlp:LogoutRequest>

other wise it should also contain session Index in Logout request

some thing like this for example:

    <saml2p:LogoutRequest Destination="https://identityserver:9443/samlsso"
                  ID="_a81995b837df1caceb991926e2adebe3468559fc"
                  IssueInstant="2015-01-02T22:30:57.569Z"
                   Version="2.0"
                    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">liferayserver</saml2:Issuer>
 <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
               xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">[email protected]
</saml2:NameID><saml2p:SessionIndex>8d89a03c-aebc-452f-  8ac5-035bda817ec5</saml2p:SessionIndex>
 </saml2p:LogoutRequest>

In wso2 SessionIndex is used for maintaining session, how can I get work passport-saml work with wso2?

[ploer]

Sorry, I don't have any knowledge of wso2, and don't actually use the logout functionality myself.

However, I'm pretty sure that the code doesn't currently support SessionIndexes at all. I'd definitely be willing to look at a PR to add such support.

[Indrani123]

Hi Ploer,

I checked again pasport-saml code, There is no SessionIndex, it is quite generic code for any saml requst, which is good enough,

Now for wso2 IS support:
In wso2 Identity Server while requesting using SAML AuthnRequest, you will get SessionIndex attribute in response, if we check SLO(single logout in wso2 console).
which is actually maintain session, for wso2 IS SSO feature,

if passport-saml can provide a feature for wso2 , it would be good,

for Logout Request , first require to get SessionIndex from AuthnRequest 's response, which is encoded response ,need to be decode and extract SessionIndex and then used in LogoutRequest
I try to modify saml.js generateLogoutRequest adding session Index and made work for me,

but It would be good ,if passport-saml as a feature for wso2, probably require to create different LogoutRequest Prototype function , which is not effect generic one.

Thanks,
Indrani

[whirp]

Hi,
I'm working with WSO2 and passport-saml too, but i'm having problem to retrieve assertion attribute value.

Please @Indrani123 would you please post all your code to retrieve attribute of the response?

this is my saml response xml :

<saml2p:Response Destination="https://111.111.11.111:8000/login/callback"
                 ID="lciehkmkdojnplhinnckpaiechljjekppcnegafa"
                 InResponseTo="_114cc6d242a0be28cb11"
                 IssueInstant="2015-04-10T07:56:48.503Z"
                 Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  />
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion ID="gbdonehiobbjehmdgfahfnbfkimbfbbhmmcceabb"
                     IssueInstant="2015-04-10T07:56:48.505Z"
                     Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" />
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">whirp</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_114cc6d242a0be28cb11"
                                               NotOnOrAfter="2015-04-10T08:01:48.503Z"
                                               Recipient="https://111.111.11.111.190:8000/login/callback"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2015-04-10T07:56:48.505Z"
                          NotOnOrAfter="2015-04-10T08:01:48.503Z"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>https://111.111.11.111:8000</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2015-04-10T07:56:48.514Z">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >[email protected]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="lastname"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >user1</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
</saml2p:Response>

[ploer]

Merged SessionIndex support in PR #93 from @vesse, hope that helps!