4

I would like to secure a loopback-based app using SAML 2.0 and OneLogin. I believe I should use the loopback-component-passport and passport-saml modules in order to achieve my goal. However, I'm really struggling to find any good documentation that could help me to implement my use case. Seems like the provided sample is outdated and not so accurate. Would you have any useful pointers or advice that'd help me to get started?

Thanks

Johan Mereaux

2 Answers

2

SAML authentication in Loopback is poorly documented, but supported. Reading the source code of passport-configurator tells us that the following configuration of providers.json will work:

"saml": {
    "name": "saml",
    "authScheme" : "saml",
    "module": "passport-saml",
    "callbackURL": "",
    "entryPoint": "",
    "issuer": "",
    "audience": "",
    "certPath": "",
    "privateCertPath": "",
    "decryptionPvkPath": "",
    ...
}

Here the ellipsis indicates any additional options from the passport-saml provider. Note that no special processing is performed on these options; so, for instance, you will need to pass certPath, privateCertPath, etc. as strings rather than paths to files.

See how passport is configured using these properties here.

mlunoe
Derek Brown
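Added example, not part of the answer above and not code from loopback-component-passport or passport-saml: because the answer notes that these options are passed through without processing, this helper checks the `saml` entry of providers.json and replaces file paths in `certPath`, `privateCertPath` and `decryptionPvkPath` with the file text before the entry is handed on. The function names, the list of required keys and the https check on `entryPoint` are assumptions.

```javascript
// Added example; helper names are hypothetical, key names are the answer's.
// certPath is required here: without the IdP certificate the signature
// on the SAML response cannot be verified.
const REQUIRED = ['callbackURL', 'entryPoint', 'issuer', 'certPath'];
const KEY_MATERIAL = ['certPath', 'privateCertPath', 'decryptionPvkPath'];

// Inline key material: a PEM block, or a long bare base64 body.
function isInlineKeyMaterial(value) {
  return /-----BEGIN [A-Z0-9 ]+-----/.test(value) ||
    /^[A-Za-z0-9+\/=\s]{100,}$/.test(value);
}

// Returns a copy of the "saml" entry with file paths replaced by file text.
// readFile is injectable for testing; the default uses Node's fs module.
function prepareSamlProvider(entry,
    readFile = (p) => require('fs').readFileSync(p, 'utf8')) {
  const out = { ...entry };
  const problems = [];

  for (const key of REQUIRED) {
    if (typeof out[key] !== 'string' || out[key].trim() === '') {
      problems.push(`${key} is empty`);
    }
  }
  // The authentication request is sent to entryPoint; require TLS for it.
  if (out.entryPoint && !/^https:\/\//i.test(out.entryPoint)) {
    problems.push('entryPoint is not an https URL');
  }
  for (const key of KEY_MATERIAL) {
    const value = out[key];
    if (!value || isInlineKeyMaterial(value)) continue;
    try {
      out[key] = readFile(value); // value was a path: inline its contents
    } catch (err) {
      problems.push(`${key}: cannot read ${value}`);
      continue;
    }
    if (!isInlineKeyMaterial(out[key])) {
      problems.push(`${key}: ${value} holds no key or certificate text`);
    }
  }
  if (problems.length > 0) {
    throw new Error('saml provider: ' + problems.join('; '));
  }
  return out;
}
```

Call it on the parsed `saml` object at startup so a misconfigured entry stops the boot instead of surfacing at the first login.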
0

So, I don't think there is a clear explanation in Loopback's docs about this, so what I would do is try to figure out how to configure the SAML provider in the providers.json correctly in order to generate the right passport auth strategy (in your case, you should follow the passport-saml docs to figure out the exact parameters you need to pass).

Loopback is using the loopback-component-passport module to read the provider and create the Passport strategies. You can dig into this file to figure out how exactly they are doing it.

yotamsha