Token based + sessionless saml2 auth implementation using Passport, NodeJs

Problem at hand

What I wanted to make was a Node API with which I could authenticate through SAML 2.0 Identity Provider initially and using a token in subsequent requests. I found a bunch of clear information about each individual part but not how to integrate everything, hence this post.
A working example containing all the code can be downloaded from below link :
Zipped Example Code

saml 2.0 auth

Passport made this incredible easy with their saml strategy. As I mentioned above I am using as an IDP. There are many options available to test your solutions. You can refer my another article “How to setup app on and get issuer & entrypoint”.



This file contains implementation of both strategies. SAML strategies is really straight forward, nothing special we did. Simply standard implementation.
Other strategy, Bearer using redis to verify the token. I have created a simple library to use redis methods.


So that’s all the magic things. Now move to actual routes.


As you have noticed already, I am using two different strategies here. First to authenticate the user, SAML comes in between on following 2 routes.
1. /login
2. /login/callback
Once user gets authenticated, I am creating a token, saving it as a key in redis cache to verify it on subsequent requests. Rest other routes are using Bearer strategy. In bearer strategy we have already seen above, I am verifying the token coming in header.

How to test

Now the question comes, how to test this whole scenario.
It is fairly simple, Requestly(Chrome Extenstion) will help us here, to inject header in subsequent requests.


This is a chrome extension. Install it & enable the extension. You will see icon at top-right corner of your browser. Open it & create a rule as showing below.

To get the token, check console after login.
That’s all. Now you are ready to test the solution.
1. Open http://locahot:3000/. You will see “Unauthorized” as expected.

2. Now try http://localhost:3000/login. You are successfully logged-in, but still “Unauthorized”. Don’t worry, it is just because of wrong token in Requestly. Get the latest token from console & configure it.

3. Now refresh the page. You are logged-in, able to access secure routes using token.

That’s it.
Share your comments.

Recommended Post

Check out my another post on :
how to setup saml strategy dynamically to serve multiple client through same route

Reference: Narendra Singh (

passport-saml2 callback with request/query parameters, Nodejs

Problem at hand

Recently I got requirement to create a generic route that will use separate Identity Provider for each client.
You can check out my another article, if you want to learn saml2 auth implementation end-to-end.
Token based + sessionless saml2 auth implementation using Passport, NodeJs


Here I am going to share the solution that I figured out.
To read the configuration for each client, we decided to take client name as a request parameter. So If you have read my another article, you will notice this time I am implementing strategy dynamically using client configuration coming in request parameter.

Before moving forward, let’s have a look of configuration file :


Nothing special, It is as simple as it shows, configurations for each client. As they could have different Identity Provider, we have separated configurations for each one.

After going through the configurations, It is a time to check the strategy JS file now :


I have wrapped the strategy implementation in a function, it is taking client name as a parameter. I know you got the point already, I am reading configuration using client name & setting up the implementation.
Here I am sure you have a question in mind, when this function will be called ?
Actual magic comes up here now, See below routes.js file.


I am calling the function in the route(/saml2/:client’) just before asking passport to authenticate the request. Now “passport saml strategy” has been set up for the client coming in & It will authenticate the request using its specific Identity Provider.
Going forward, I have pass the client name in callback URL as well. So that if we need to read some configuration again for the client,we will get client name again in the route when Identity Provider calls back the route.

Feel free to share your comments if you have any better approach for the same task. I would love to read your idea.

Reference: Narendra Singh (

Download PDF file with NodeJs

Here is the sample Code :

  • Download PDF from Local Directory

  • Download PDF File from FTP Location

Reference: Narendra Singh (

How to compare NULL or Empty Clob, Oracle

Here is the Sample Code to compare Null OR Empty Clob value :


Reference: Narendra Singh (