
NodeJS Single Sign-On (SSO)


NodeJS SSO (Single Sign-On) allows your users to log into your NodeJS application with their Identity Provider credentials. IT admins can manage user access and grant or revoke SSO access to the NodeJS application centrally. The integration is based on JSON Web Tokens (JWT), so it works with a NodeJS application built in any framework.

In case you need our help with the integration or setup process, feel free to reach out to us.

Prerequisites

  • Add an Identity Provider. You can add any external IdP or directory (in case you don't have an IdP, you can use miniOrange as an Identity Provider).
  • Ability to customize the NodeJS (or NodeJS mobile) app so that the sample code for enabling SSO can be integrated.

Connect with External Source of Users


miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito etc.), Identity Providers (like Shibboleth, Ping, Okta, OneLogin, Keycloak), Databases (like MySQL, MariaDB, PostgreSQL) and many more.



Follow the Step-by-Step Guide given below for Node JS Single Sign-On (SSO)

1. Set up your Identity Provider in miniOrange

We are using ADFS to show the setup.

You can directly move to Step 3 if you have already configured an IDP.

  • Login to your miniOrange dashboard. If you don't already have an IdP configured, you can use miniOrange as your IdP.
  • Go to the Identity Provider tab and click on Add Identity Provider button.
  • Select the SAML tab.

  • Add the configuration details of your IdP with the minimum required parameters below:

    IDP Name: enter your IdP name
    IDP Entity ID: http://<YOUR_ADFS_DOMAIN>/adfs/services/trust
    SAML SSO Login URL: http://<YOUR_ADFS_DOMAIN>/adfs/ls/
    X.509 Certificate: provide the ADFS signing certificate

2. Configure miniOrange settings in your Identity Provider

  • Add the configuration details below, which your IdP will require:
  • A. Service Provider Entity ID / Issuer: https://login.xecurify.com/moas

    B. Assertion Consumption Service (ACS) URL: Find SAML ACS URL option in added Identity Source.

    • Choose ACS URL For SP-Initiated SSO.

    C. Download Metadata: Download the metadata if you want to avoid entering the values manually in your IdP.

    • Go to Identity Providers tab and find your configured IdP.
    • Click the Metadata link to view the metadata.

    • A new page will get opened having metadata.


    • Click on the Download Metadata link to download the metadata. mo-sp-metadata.xml file will be downloaded.

    D. Signing Certificate (Optional): This is required if you want to enable signed SAML Auth request so that IdP can verify that the contents have not been altered in transit. Download the signing certificate with the steps below.

    • Go to Identity Providers tab and find your configured IdP.
    • Click the Certificate link to download the certificate.

    E. Configure miniOrange as a relying party in ADFS:

    • Open ADFS Management console.
    • Go to Trust Relationships > Relying Party Trusts.
    • Click on Add Relying Party Trust and click Start. Select Enter data about the relying party manually. Click Next.
    • Enter Display Name. Click Next.
    • Select ADFS Profile. Click Next. Click Next again.
    • Select Enable support for the SAML 2.0 WebSSO protocol.
    • Enter the URL as https://login.xecurify.com/moas/login/broker/login/saml/acs/{YOUR_CUSTOMER_KEY} in the Relying Party URL textbox and click the Next button.
    • Enter the Relying party trust identifier as https://login.xecurify.com/moas/login
    • Click on Add. Click on Next until the last screen.
    • Check the Open the Edit Claim Rules checkbox and click Close.
    • Click on Add Rule and select Send LDAP Attributes as Claims and Click Next.
    • Enter Claim Rule name and select Attribute Store.
    • Select Email Addresses as LDAP Attribute and Name ID as Outgoing Claim Type. Click Finish.

3. Configure Node JS in miniOrange

A. Add Node JS app in miniOrange:

In miniOrange dashboard, you can add JWT application with steps below:

  • Login into miniOrange Admin Console.
  • Go to Apps >> Manage Apps.

  • Click on the Add Application button.

  • In Choose Application Type click on Create App button in JWT application type.

  • In the next step, search for your application in the list. If your application is not found, search for External / JWT App and set up your application with it.

  • Configure the name for Node JS and configure Redirect-URL which tells where to send JWT response. Redirect-URL should be an endpoint on Node JS where you want to achieve SSO.
  • In case you are setting up SSO with a Mobile Application, where you can't create an endpoint for the Redirect or Callback URL, use the URL below: https://login.xecurify.com/moas/jwt/mobile
  • Copy the Client ID of the generated application and keep it for the next steps.

B. Add SSO link in Node JS:

  • https://login.xecurify.com/moas/broker/login/jwt/<customer-id>?client_id=<client-id>&redirect_uri=<redirect-url>
  • You need to replace below values in URL:

    customer-id: Customer ID of your miniOrange account, which can be found under the Settings menu (see the steps below).
    client-id: Client ID of the JWT application created above (Step 3.A).
    redirect-url Configured Redirect URL against JWT application.
  • Get CustomerID.
  • Go to the Settings section, present on the top right corner.
  • Copy the value mentioned against Customer Key

  • Copy following Sample Code for setting up the NodeJS application.
                            
    const express = require("express");
    const fs = require("fs");
    const MoJWT = require("mo-jwt-connector");

    const app = express();

    // This URL can be copied from the JWT app in the miniOrange dashboard
    const miniOrangeSSOURL =
      "https://jsdemo.xecurify.com/moas/broker/login/jwt/258267?client_id=lXN6XGc1yoh8M6Gd&redirect_uri=http://localhost:3000/auth/callback";

    // Start the authentication request by redirecting the browser to miniOrange
    app.get("/auth", (req, res) => {
      res.redirect(miniOrangeSSOURL);
    });

    // Authentication callback: miniOrange redirects here with ?id_token=<JWT>
    app.get("/auth/callback", (req, res) => {
      const id_token = req.query.id_token;
      // A JWT has exactly three dot-separated parts (header.payload.signature)
      if (typeof id_token !== "string" || id_token.split(".").length !== 3) {
        return res.status(400).send("Missing or malformed id_token");
      }
      const jwtBuilder = new MoJWT.JWTBuilder();
      jwtBuilder.parseJwt(id_token); // initialize the token using parseJwt
      // Set the certificate downloaded from the miniOrange dashboard (Apps > Manage Apps > Certificate)
      jwtBuilder.setSecret(fs.readFileSync("./path/to/RSA256Cert.crt", "utf8"));
      const verified = jwtBuilder.verifyJwt(); // Verify the signed token
      if (!verified) {
        // Return here: otherwise the unverified payload below would still be served
        return res.status(401).send("Error occurred while verifying JWT token");
      }
      const payload = jwtBuilder.getPayload(); // Token is valid: read the user attributes
      const firstname = payload.first_name;
      const lastname = payload.last_name;
      const email = payload.email;
      res.send(
        "Email : " + email + "\n" +
        "Firstname : " + firstname + "\n" +
        "Lastname : " + lastname
      );
    });

    app.listen(3000); // must match the port used in redirect_uri

C. Verify JWT token and parse user details for SSO:

  • On your Callback endpoint, you can read and parse the JWT token.
  • Structure of JSON Web Token (JWT): JSON Web Tokens consist of three parts separated by dots (.), which are:
    • Header: Contains the signature algorithm name used to sign the payload.
    • Payload: Contains user attributes.
    • Signature: Signature over the header and payload, e.g. xxxx.yyyyyyyyyyyy.zzzzzz
  • You will need to download a certificate from App > Manage Apps and click Certificate link against your configured application. This certificate will be used for signature validation of the JWT response.

  • Verify JSON web token: Click here to verify your JSON token.

D. Perform SSO:

  • Once you have added the link above on Node JS, you can verify the NodeJS SSO setup by clicking on that link.
  • On successful authentication, you will be redirected to configured Redirect or Callback URL with JWT token.

4. Single Logout (SLO)

This is an optional step. If you want to ensure that all sessions (SP and IDP) for a user are properly closed, you can configure Single Logout with the steps below.

A. Configure miniOrange with IdP SLO endpoint:

  • Go to the Identity Provider tab and edit the configured Identity Provider.
  • Find the option Single Logout URL and configure the SLO URL provided by your IdP.

B. Configure IdP with miniOrange SLO endpoint:

  • Configure your Identity Provider with below Single logout endpoint.
    https://login.xecurify.in/moas/broker/login/saml_logout/<your-customer-id>
  • You can find the SSO Binding option to configure the logout binding type to either REDIRECT or POST.

C. Configure your JWT application with SLO endpoint:

  • Configure your JWT application with below Single logout endpoint.
    https://login.xecurify.in/moas/broker/login/jwt/logout/<your-customer-id>?redirect_uri=<redirect-url>
