This is an example of a simple SAML Service Provider (SP) that uses Auth0 as the IDP. After the user has logged into the Service Provider via SAML, the app uses OIDC silent authentication against the same Auth0 tenant to obtain an access_token, which can then be used to fetch the user profile and to call your own API (the one registered in the setup below).
## Auth0 IDP Setup

1. Go to the Clients tab in the Auth0 Dashboard and create a new client.
2. Make a note of the `client_id` of the client; it goes into the `.env` file later.
3. Click on Addons and enable SAML2 Web App.
4. Set the Application Callback URL to `http://sp.myapp.local:5000/assert`. This is the SP endpoint (Assertion Consumer Service) that the SAML response is POSTed to, so it must be the only URL the IDP is allowed to deliver assertions to.
5. Under Settings add the following and save the settings:

   ```json
   {
     "audience": "http://sp.myapp.local/metadata.xml",
     "recipient": "http://sp.myapp.local/assert",
     "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
     "nameIdentifierProbes": [
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
     ],
     "signatureAlgorithm": "rsa-sha256"
   }
   ```

   The `audience` and `recipient` values end up in the assertion's `<AudienceRestriction>` and `SubjectConfirmationData Recipient`, and the SP rejects assertions that do not match them, so they must agree exactly with what the SP expects. `nameIdentifierProbes` is the ordered list of user attributes Auth0 tries when filling the `NameID`.
6. Under Connections enable `Username-Password-Authentication` as a connection for the client.
7. Under the SAML2 Web App addon go to Usage and download the IDP certificate for your account. The SP uses this certificate to verify the signature on every assertion it receives, so it is the trust anchor of the whole setup; treat it like any other trusted certificate and do not replace it with one from an untrusted source.
8. Go back to the Client's Settings tab and add the following to the Allowed Callback URLs: `http://sp.myapp.local:5000/silentauth-callback`
9. Then add the following to the Allowed Logout URLs: `http://sp.myapp.local:5000/`
10. Create a new API with the following settings:
    - Identifier: `urn:gateway:api`
    - Allow Skipping User Consent: true
    - Signing Algorithm: RS256

    Silent authentication cannot show a consent dialog, so without "Allow Skipping User Consent" the `prompt=none` request fails with `consent_required`. Only enable this for a first-party application you control.
11. Add the following scope to the API:
    - Name: `read:foo`
    - Description: Read your foo

All of the URLs above are plain `http://` because the sample runs on a local hostname; for anything beyond local development every callback, recipient and logout URL must be `https://`, since assertions and tokens travel over them.
To run the Service Provider locally:

1. Clone this repo.
2. Copy the IDP certificate file you downloaded under Auth0 IDP Setup Step 7 to the root folder of the app and rename it to `idp.pem`.
3. Add a hosts file entry on your computer (`/etc/hosts` on macOS and Linux, `C:\Windows\System32\drivers\etc\hosts` on Windows):

   ```
   127.0.0.1 sp.myapp.local
   ```

   A real hostname is used instead of `localhost` because Auth0 does not skip the consent prompt for `localhost` redirect URIs, and silent authentication needs consent to be skippable.
4. Run the following command to install all the dependencies:

   ```
   npm install
   ```
5. Create a local `.env` file with the following values (keep it out of version control):

   ```
   SP_DOMAIN=sp.myapp.local
   AUTH0_DOMAIN=your-account.auth0.com
   AUTH0_CLIENT_ID=client_id-from-step-2
   API_AUDIENCE=urn:gateway:api
   ```
6. Run the node application:

   ```
   npm start
   ```
7. Open your browser and go to: http://sp.myapp.local:5000/
8. It redirects to Auth0 for login; enter a username/password from the connection you enabled for this client (Auth0 IDP Setup Step 6).
9. On sign-in the SAML assertion is POSTed to http://sp.myapp.local:5000/assert, where the SP verifies it against `idp.pem` before establishing a session.
10. On this page you can click on the button to get a token for your API. The app runs OIDC silent authentication against Auth0 and the access_token is returned to http://sp.myapp.local:5000/silentauth-callback.