passport-saml requires session support (session auth) — Is it possible to do with JWT auth instead?

[dangtony98]

Thanks for this awesome module!

I've been implementing passport-saml for our codebase and stumbled upon an error after successfully integrating with Okta SAML 2.0:

backend | Error: Login sessions require session support. Did you forget to use `express-session` middleware?
backend |     at SessionManager.logIn (/app/node_modules/passport/lib/sessionmanager.js:21:33)
backend |     at IncomingMessage.req.login.req.logIn (/app/node_modules/passport/lib/http/request.js:39:26)
backend |     at MultiSamlStrategy.strategy.success (/app/node_modules/passport/lib/middleware/authenticate.js:256:13)
backend |     at verified (/app/node_modules/@node-saml/passport-saml/src/strategy.ts:149:16)
backend |     at MultiSamlStrategy._signonVerify (/app/src/utils/auth.ts:187:9)
backend |     at validateCallback (/app/node_modules/@node-saml/passport-saml/src/strategy.ts:153:17)
backend |     at processTicksAndRejections (node:internal/process/task_queues:96:5)

It seems that passport-saml requires session support which my project doesn't currently have (we use JWT authentication instead). There seems to be two options:

1. Get passport-saml to work with JWT authentication.
2. Convert existing code we have to support sessions.

Personally, I'm hoping that it would be possible to pursue the first option above that is after successful authentication, we can issue a JWT token back to the user.

It'd be amazing if you could help recommend a solution here!

To Reproduce

1. Set up passport-saml with Okta SAML 2.0 and create the MultiSamlStrategy as below.

passport.use('saml', new MultiSamlStrategy(
    {
      passReqToCallback: true,
      getSamlOptions: async function(req, done) {
          const { organizationId } = req.params;
          const samlConfig = ({
            path,
            entryPoint,
            issuer,
            cert,
            audience
          });

          done(null, samlConfig);
      },
    },
    function(req, profile, done) {
      // Find or create user in your database based on the profile data returned from Okta
      console.log(profile)
      done(null, profile);
    }
  ));

2. After pressing on the login tile in Okta, console.log(profile) does indeed print but then this error is received:

backend | Error: Login sessions require session support. Did you forget to use `express-session` middleware?
backend |     at SessionManager.logIn (/app/node_modules/passport/lib/sessionmanager.js:21:33)
backend |     at IncomingMessage.req.login.req.logIn (/app/node_modules/passport/lib/http/request.js:39:26)
backend |     at MultiSamlStrategy.strategy.success (/app/node_modules/passport/lib/middleware/authenticate.js:256:13)
backend |     at verified (/app/node_modules/@node-saml/passport-saml/src/strategy.ts:149:16)
backend |     at MultiSamlStrategy._signonVerify (/app/src/utils/auth.ts:187:9)
backend |     at validateCallback (/app/node_modules/@node-saml/passport-saml/src/strategy.ts:153:17)
backend |     at processTicksAndRejections (node:internal/process/task_queues:96:5)

Expected behavior
Be able to continue with JWT authentication approach.

• Node.js version: v18.12.1
• passport-saml version: 4.0.4

[cjbarth]

passport-saml doesn't require sessions. You just have to make sure that you have things set up correctly to restore the user upon successful login from whatever is contained in your JWT.

[cjbarth]

I don't feel like I have enough of your code to make a recommendation, however, you can look at the source code of passport-saml to follow what it is doing. You'll see that the error is thrown by the Express framework, so you might need to discuss it there. I know you can use a JWT without express-session as I've done it before. You just have to make sure that you are serializeUser and deserializeUser correctly from your JWT. In that way, Express won't have to do it for you using a Session store.

[dangtony98]

Never mind I got it to work with serialize and deserialize.

Thank you!

[cjbarth]

Glad to hear it. Please mark this discussion as answered.

[dangtony98]

Actually false alert... It didn't work — Will keep this discussion going.

@cjbarth Would you happen to have any public examples of it working without express-session?

[cjbarth]

The examples I have are all private code, so no, I don't. What problems are you experiencing. Can you share your flow or anything? What made you think that serialize and deserialize were working and then not?

[srd90]

@dangtony98 if I understood correctly you

1. want to keep using JWT but
2. use SAML to authenticate user against some IdP before issuing JWT (and keep using JWT after that) and
3. you hoped that you could utilize passport along with passort-saml's (Multi)SamlStrategy to perform SAML specific signalling?

passport-saml does not require session. Such requirement might come from e.g. passport. passport makes following statements about sessions:

1. https://github.com/jaredhanson/passport/tree/v0.6.0#sessions
2. https://github.com/jaredhanson/passport/tree/v0.6.0#middleware

   ... If your application uses persistent login sessions (recommended, but not required), passport.session() middleware must also be used. ...

3. https://www.passportjs.org/concepts/authentication/sessions/
4. https://www.passportjs.org/concepts/authentication/login/

   ...
   Note: passport.authenticate() middleware invokes req.login() automatically. This function is primarily used when users sign up, during which req.login() can be invoked to automatically log in the newly registered user.

So based on aforementioned links there is a chance that passport might be configured not use sessions.

Furthermore if we link your stacktrace to codebases we can see that passport-saml is not involved in decision whether express-session or similar is required (but at the same time we find out that passport's codebase seems to contain support for not using sessions...see comments after linked stacktrace):

backend | Error: Login sessions require session support. Did you forget to use express-session middleware?
backend | at SessionManager.logIn (/app/node_modules/passport/lib/sessionmanager.js:21:33)
backend | at IncomingMessage.req.login.req.logIn (/app/node_modules/passport/lib/http/request.js:39:26)
backend | at MultiSamlStrategy.strategy.success (/app/node_modules/passport/lib/middleware/authenticate.js:256:13)
backend | at verified (/app/node_modules/@node-saml/passport-saml/src/strategy.ts:149:16)
backend | at MultiSamlStrategy._signonVerify (/app/src/utils/auth.ts:187:9)
backend | at validateCallback (/app/node_modules/@node-saml/passport-saml/src/strategy.ts:153:17)
backend | at processTicksAndRejections (node:internal/process/task_queues:96:5)

Most interesting part is this (few lines before passport/lib/http/request.js:39): https://github.com/jaredhanson/passport/blob/v0.6.0/lib/http/request.js#L32-L39
i.e. it seems that passport is checking value of options.session whether it should delegate to session manager (which requires express-session or similar. And optionsis same what was passed to authenticate method as value of option.

Internet search with passport without session (and similar) keywords provided among other hits these:

1. https://stackoverflow.com/a/49486083
2. passport.js throws login session error after upgrading from 0.4.1 to 0.6.0 jaredhanson/passport#939 (comment)

so without any further ado: have you tried to use session: false as one of the values passed to strategy's authenticate method?

If that does not work and since you have not used passport previously you have always possiblity to implement SAML stuff e.g. by using @node-saml/node-saml or with samlify

BTW. pay attention to single logout. If your Idp/deployment/application require single logout functionality (SLO) you are in a bit of a trouble even if you use @node-saml/passport-saml (because it doesn't have full ssupport for it) (see #419)

[srd90]

@dangtony98 I accidentally submitted/posted aforementioned answer candidate before it was finished. So notification that you might have received to your email box contained only few lines from the beginning of it. I have now posted finished version of answer candidate.