node-saml / passport-saml

SAML 2.0 authentication with Passport


ERR_OSSL_PEM_BAD_BASE64_DECODE / Okta

MarkusRissmann opened this issue · comments

I have created a new account in Okta saml 2.0/ shaw1.

Downloaded the cert, removed the line endings (validated that it is still valid) and added it to my environment variables.

I am getting the following error:

context: {
exception: Error: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode
at Sign.sign (internal/crypto/sig.js:103:29)
at SAML.signRequest (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:230:36)
at SAML._requestToUrlAsync (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:477:12)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at SAML.getAuthorizeUrlAsync (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:530:12)
at login-request (/www/myapp/AuthApi/node_modules/passport-saml/src/passport-saml/strategy.ts:139:29) {
library: 'PEM routines',
function: 'PEM_read_bio_ex',
reason: 'bad base64 decode',
code: 'ERR_OSSL_PEM_BAD_BASE64_DECODE'
}

export class SamlStrategy extends PassportStrategy(Strategy) {
constructor(
) {
super({
entryPoint: 'http://xxx.okta.com/app',
issuer: 'http://www.okta.com/xxx',
cert: 'cert is here',
callbackUrl: 'https://authentication-xxx.xxx.com/api/auth/saml/callback',
digestAlgorithm: 'shaw1',
signatureAlgorithm: 'shaw1',
});
}
}

  • Node.js version: 12.22.8
  • passport-saml version: 3.2.1

I am using nestjs/typescript.

Please close or delete. Not sure what changed but now appears to be working.

Problem still exists. It occurs when I try to SSO from my application. It works if I am in Okta and click on the app button to my application.

If I manually follow the configured entry point it works as expected. So the cert is correct, the entry point is correct. So it is at the very beginning of the passport-saml implementation that it is failing.

commented

@MarkusRissmann you provided the following stack trace / context:

context: {
exception: Error: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode
at Sign.sign (internal/crypto/sig.js:103:29)
at SAML.signRequest (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:230:36)
at SAML._requestToUrlAsync (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:477:12)
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at SAML.getAuthorizeUrlAsync (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:530:12)
at login-request (/www/myapp/AuthApi/node_modules/passport-saml/src/passport-saml/strategy.ts:139:29) {
library: 'PEM routines',
function: 'PEM_read_bio_ex',
reason: 'bad base64 decode',
code: 'ERR_OSSL_PEM_BAD_BASE64_DECODE'
}

PEM implicates certificate or key
bad base64 decode implicates bad value
This

at Sign.sign (internal/crypto/sig.js:103:29)
at SAML.signRequest (/www/myapp/AuthApi/node_modules/passport-saml/src/node-saml/saml.ts:230:36)

i.e. this line:

samlMessage.Signature = signer.sign(this._keyToPEM(this.options.privateKey), "base64");

implicates that you have provided a value to privateKey.

My guess is that your first problem is that whatever value you have provided to privateKey is somehow broken (i.e. not base64 encoded etc.). Put a breakpoint on line 230 and see what privateKey contains.


You wrote that you have configured passport-saml with:

digestAlgorithm: 'shaw1',
signatureAlgorithm: 'shaw1',

Your second problem shall be that once you have configured a proper privateKey you shall encounter some issues which are related to the usage of the shaw1 algorithm for digest and signature.

You probably meant sha1 (you should use a stronger algorithm like sha256).


Related to your environment:

  • Node.js version: 12.22.8

The third problem is that you are still using an EOLed Node.js version (Node.js 12 reached end of life on 30 April 2022).

Thanks much, I will review everything. Some of the items here were hand typed and not copied from code (shaw1, too many late nights). I am betting that it is the private key. I will get back to you. We are using sha256.