Metadata-based configuration of SAML login code is better than configuring URLs and certificates because it ensures certificates between a ID Provider and application stay in sync. This project provides Metadata-based configuration of the passport-wsfed-saml2 strategy, though it could also be adopted to work with other platforms.
var passport = require('passport'); //auth library for expressvar WsFedSaml2Strategy= require('./node_modules/passport-wsfed-saml2/lib/passport-wsfed-saml2/index').Strategy; //WS-Federation/SAML plugin for passportvar Saml2MetadataConfiguration= require('saml2-metadata-config') //Metadata Config librarySaml2MetadataConfiguration.configure( { metadataUrl:'https://adfs.company.com/federationMetadata/2007-06/FederationMetadata.xml', realm: 'urn:your-relying-party-id, //In ADFS this is the Relying Party Identifier - a URL or URN identifying your app wreply: 'https://thisapp.company.com/login/callback' //In ADFS, the root of this path (https://thisapp.company.com) must be one of the WS-Federation endpoints}).then(function(options){ //Configure passport to use WSFED against ADFS passport.use('wsfed-saml2', new WsFedSaml2Strategy(options, function (profile, done) { //Called when the user authenticates. We could lookup a user in DB, etc. For now, just pass the profile as the user. console.log("Auth with", profile); if (!profile.email) { return done(new Error("No email found"), null); } done(null, profile); //Profile doesn't have to = user, but for simplicity we do this here. done(null,userFromDb) would also be possible })); }, function(e){ console.log(e); // throw "unable to configure using metadata"; //e; });