Setup Node Application

Alvarez, Dyana I d.alvarez2 at miami.edu
Mon Jul 10 10:00:12 EDT 2017


Hi Greg,

I would like to set up a meeting with you and Julie, Liz and myself to go over certain items we need to clarify regarding the email attribute.
Please send me your availability and I will send the invite.

Thank you,

Dyana Alvarez, M.Sc.
Sr. Programmer
E-mail: d.alvarez2 at miami.edu
Phone: (305) 284-3521

From: users [mailto:users-bounces at shibboleth.net] On Behalf Of rhys.bower at alumni.ubc.ca
Sent: Friday, July 07, 2017 12:44 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Setup Node Application

Hi Greg,

Thanks for all of the info and sorry for the slow reply. I think I’ll take a closer look at saml2-js.

Thanks,
Rhys

On Jul 4, 2017, at 7:53 PM, Greg Haverkamp <gahaverkamp at lbl.gov> wrote:
On Tue, Jul 4, 2017 at 10:49 AM rhys.bower at alumni.ubc.ca <rhys.bower at alumni.ubc.ca> wrote:
I’m working on setting up a Node and Express application. There are a few different options I am investigating.

We do all of our (identity and access management) custom development in Node, so we've done it a few times.
First, placing Apache in front of Node/Express and handling the authentication there.

Typically, we use Apache and Shibboleth. For sessions, we've used Passport with a simple strategy to create a session by checking headers, after which Passport sessions are used. It's fine, but it's proving more difficult as we start pushing our Node apps to central Docker container hosts. We multiplex everything through our BigIP load balancers, which dispatch the traffic to the appropriate location, one of which is an Apache reverse proxy.
Second, using a Node SAML plugin such as express-saml2 or saml2-js.

Does anyone have experience setting up this stack and have thoughts on which one (or another option) would be the best in terms of ease of setup and maintainability?

We tried Passport-SAML.  I wasn't impressed with it.   In particular, we needed to federate with Cirrus for social integration, and without moving to their IdP proxy, it wouldn't have worked without creating a separate handler and strategy for each SP.

In my most recent application, I decided to give saml2-js a try. We're just in testing, but so far, so good.  It's pretty simple to drop in place, has worked with everything I've dropped in place, and since this particular application needs a lot of flexibility in authentication-time options -- it's providing integration with our new OpenID Connect provider and needs to be able to trigger different actions based on the OIDC prompts -- and so far, so good.

I haven't spent as much time as I perhaps should trying to figure out how rigorously they've implemented everything, so I'll leave that as a caveat.  The other thing is that unless you use one of the other modules that encapsulates it, saml2-js will require you to manage your own sessions.  (I use the Mozilla client-sessions for that.)

Greg
Thanks,
Rhys
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
