
Update JHU SSO configuration to migrate from IdP4 to IdP5 #102

@madooei

Description

There have been some changes to JHU SSO. We need to make the following updates to the code.

  1. Change the following JHU_SSO_URL value:

    const JHU_SSO_URL = 'https://idp.jh.edu/idp/profile/SAML2/Redirect/SSO';

    The updated value should be:

    const JHU_SSO_URL = 'https://login.jh.edu/idp/profile/SAML2/Redirect/SSO';

    Notice they have changed https://idp.jh.edu to https://login.jh.edu.

    It is better yet to store this (along with SP_NAME and BASE_URL) as environment variables so that such changes would not require changing the code in the future.

  2. Add a new variable Cert where PbK and PvK variables are defined:

    const secret = process.env.SESSION_SECRET;
    const PbK = process.env.PUBLIC_KEY;
    const PvK = process.env.PRIVATE_KEY;
    const DEBUG = process.env.DEBUG === 'True';

    The Cert variable should read its value from a CERT environment variable:

    const Cert = process.env.CERT; // The IDP's public signing certificate.

  3. Add a CERT environment variable with the following value:

    -----BEGIN CERTIFICATE-----
    MIIEGzCCAoOgAwIBAgIUJTtiXBcXQ01+vJXrxmI9WCM6Bz8wDQYJKoZIhvcNAQEL
    BQAwFzEVMBMGA1UEAwwMbG9naW4uamguZWR1MB4XDTI0MDExMDE3MzYzMloXDTQ0
    MDExMDE3MzYzMlowFzEVMBMGA1UEAwwMbG9naW4uamguZWR1MIIBojANBgkqhkiG
    9w0BAQEFAAOCAY8AMIIBigKCAYEAwm+SLvs4AyRroVi06uX2ZIhJcIuWdnw5a1vJ
    8uW50HOrqvhbBGB6qbcat3JM9WnwNPuK7gspSmB/GCV2s4vzGgdSwziZj53J+Mnv
    8JQfmlHsW05u6atJI6q+ssy/P/KXuiL1gK6Ca6nO3msa/zVT7t//n6czvHJkUfeR
    8BlFvwug3fEFXWxpORAfX99mJ/je+JiSM+M+9IVYDboISraoWKY0bgTKrvmXvqla
    Fp27r+ed7UnDWGKg4TmyNgHn6fd2j1+L5A9AvOCWIjFPhsC5KFSjNMTXEmOMr2v0
    YF4Cc61v0lNBweDI7cx9IRCLtlJnuHG5BvLHU+K6MjT6Q8o7+93dLBUnqY0fy9od
    UsV5WZbyAANar+wDpTUSRNdrXtZbJOY0BBhGFUtyxHOkydFiq7F648blpkiDDl86
    DUy+EpucTPaky9q3orVHjiDmehJwGix7vxMyWdf12qMT1e/34dBBAnbZcly9NTBE
    gprygch3/JSyQgVfjCpJhD5LMhkdAgMBAAGjXzBdMB0GA1UdDgQWBBSdTEIrUneu
    f2iXzxjv+XvcCuJO4jA8BgNVHREENTAzggxsb2dpbi5qaC5lZHWGI2h0dHBzOi8v
    bG9naW4uamguZWR1L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQBc
    ELRXh8jmiN/1A1Hajm51wjeepejICXRHvM3ATxwtE/Ef3jYqSOhjrRJz9V4dkn+a
    5dJ/xfXp0jWFIXmtjy43Z6SNC5RK36/62N8nFOhtyy5v11ta8XFfERaAwihnmYIy
    PmyKc8nR7vllegJ+pB3FiparOezCkWRK1kLR3i+o28GirIgE6ZnlCSiYgWTcl+S1
    NOknYRFC5DoZwzIS4ndfCGNoeAYgS+dtyCNwD3Few5UTBqyPYKhgWMNU1mu+tTd1
    bMaz4PfdWPKmHP3/1zPPHg/6LZeHx3A5cCMuhBjskGYx9f/nlAhpyiFUuWbdF1Xv
    dJB+euWpl1fgSxREp3R2apfWCH4fXFLiZMOUNnh8AtBsj+4mgFtGtuybo7vQdS2X
    oBZuIb1hmbRZO/g/dBl/bZmK/wqRgETw5xuicbXYAriDvazshaG+JMyfOmqVUFCl
    81VZ1CNIM8/SPJI2v7MRpBH+qvvukkb5I71FKc7HndVBRzcVghME7TLJn5hykoM=
    -----END CERTIFICATE-----

    Please note the line breaks must remain in the variable. I don't know how onrender.com allows you to enter environment variables. On Heroku, you can enter the value as formatted above. In other settings, like in a .env file where you cannot have new lines, you must turn this into a string where newlines are encoded as \n:

    CERT="-----BEGIN CERTIFICATE-----\nMIIEGzCCAoOgAwIBAgIUJTtiXBcXQ01+vJXrxmI9WCM6Bz8wDQYJKoZIhvcNAQEL\nBQAwFzEVMBMGA1UEAwwMbG9naW4uamguZWR1MB4XDTI0MDExMDE3MzYzMloXDTQ0\nMDExMDE3MzYzMlowFzEVMBMGA1UEAwwMbG9naW4uamguZWR1MIIBojANBgkqhkiG\n9w0BAQEFAAOCAY8AMIIBigKCAYEAwm+SLvs4AyRroVi06uX2ZIhJcIuWdnw5a1vJ\n8uW50HOrqvhbBGB6qbcat3JM9WnwNPuK7gspSmB/GCV2s4vzGgdSwziZj53J+Mnv\n8JQfmlHsW05u6atJI6q+ssy/P/KXuiL1gK6Ca6nO3msa/zVT7t//n6czvHJkUfeR\n8BlFvwug3fEFXWxpORAfX99mJ/je+JiSM+M+9IVYDboISraoWKY0bgTKrvmXvqla\nFp27r+ed7UnDWGKg4TmyNgHn6fd2j1+L5A9AvOCWIjFPhsC5KFSjNMTXEmOMr2v0\nYF4Cc61v0lNBweDI7cx9IRCLtlJnuHG5BvLHU+K6MjT6Q8o7+93dLBUnqY0fy9od\nUsV5WZbyAANar+wDpTUSRNdrXtZbJOY0BBhGFUtyxHOkydFiq7F648blpkiDDl86\nDUy+EpucTPaky9q3orVHjiDmehJwGix7vxMyWdf12qMT1e/34dBBAnbZcly9NTBE\ngprygch3/JSyQgVfjCpJhD5LMhkdAgMBAAGjXzBdMB0GA1UdDgQWBBSdTEIrUneu\nf2iXzxjv+XvcCuJO4jA8BgNVHREENTAzggxsb2dpbi5qaC5lZHWGI2h0dHBzOi8v\nbG9naW4uamguZWR1L2lkcC9zaGliYm9sZXRoMA0GCSqGSIb3DQEBCwUAA4IBgQBc\nELRXh8jmiN/1A1Hajm51wjeepejICXRHvM3ATxwtE/Ef3jYqSOhjrRJz9V4dkn+a\n5dJ/xfXp0jWFIXmtjy43Z6SNC5RK36/62N8nFOhtyy5v11ta8XFfERaAwihnmYIy\nPmyKc8nR7vllegJ+pB3FiparOezCkWRK1kLR3i+o28GirIgE6ZnlCSiYgWTcl+S1\nNOknYRFC5DoZwzIS4ndfCGNoeAYgS+dtyCNwD3Few5UTBqyPYKhgWMNU1mu+tTd1\nbMaz4PfdWPKmHP3/1zPPHg/6LZeHx3A5cCMuhBjskGYx9f/nlAhpyiFUuWbdF1Xv\ndJB+euWpl1fgSxREp3R2apfWCH4fXFLiZMOUNnh8AtBsj+4mgFtGtuybo7vQdS2X\noBZuIb1hmbRZO/g/dBl/bZmK/wqRgETw5xuicbXYAriDvazshaG+JMyfOmqVUFCl\n81VZ1CNIM8/SPJI2v7MRpBH+qvvukkb5I71FKc7HndVBRzcVghME7TLJn5hykoM="

  4. Update the configuration of the SAML strategy:

    // Setup SAML strategy
    const samlStrategy = new saml.Strategy(
      {
        // config options here
        entryPoint: JHU_SSO_URL,
        issuer: SP_NAME,
        callbackUrl: `${BASE_URL}/api/login/callback`,
        decryptionPvk: PvK,
        privateKey: PvK,
        // sameSite: "none",
      },
      (profile, done) => {
        return done(null, profile);
      },
    );

    Include the certificate:

        // Setup SAML strategy
       const samlStrategy = new saml.Strategy(
         {
           // config options here
           entryPoint: JHU_SSO_URL,
           issuer: SP_NAME,
           callbackUrl: `${BASE_URL}/api/login/callback`,
           decryptionPvk: PvK,
           privateKey: PvK,
           // sameSite: "none",
    +      cert: Cert, // To validate the signatures of the incoming SAML Responses.
         },
         (profile, done) => {
           return done(null, profile);
         },
       );
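Review bot: `cert: Cert` silently becomes `cert: undefined` when the CERT variable is unset or was pasted without its line breaks, and nothing in this snippet notices; add a guard where Cert is read, e.g. `if (!Cert) throw new Error('CERT is not set');`, so the backend refuses to start instead of leaving signature validation of incoming SAML Responses to whatever the library does with a missing certificate.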
  5. Deploy the backend!

Thanks!
