SAML authentication?


The Alchemist

Dec 29, 2017, 6:57:25 PM
to Firebase Google Group
I was wondering if anyone had any sample code to use SAML to authenticate with Firebase.


The Firebase custom auth quickstart demonstrates how to authenticate to Firebase with a user who has been authenticated from your own pre-existing authentication system. This is done by generating a token in a specific format, which is signed using the private key from a service account downloaded from the Google Developer Console. This token can then be passed to your client application which uses it to authenticate to Firebase. We provide an example token generator for demonstration purposes. Note: Generating tokens in production should be done server side.

It seems Firebase is OAuth/JWT-based, so if I wanted to support SAML, I would have to convert SAML assertions to JWT fields, and sign the JWT token and pass it back to the front-end, which will then pass it to Firebase Auth.  Am I thinking of the flow correctly?

The example token generator is an HTML file, and it mentions that in the real world, this should be a backend component, not a front-end component.  So what's the recommended "collection" of modules to use?  (I'm using Node for my backend).

Does this look right?  I'm more than willing to send a PR / put a sample project on Github.

Bassam

Jan 3, 2018, 3:52:10 PM
to Firebase Google Group
Hey Alchemist,
To support SAML authentication with Firebase Auth, you need to use custom authentication.
When the SAML response is posted to your server, you convert the SAML assertion to a custom token (minted via Firebase Admin SDK) and then pass that token to the client where you signInWithCustomToken. You can add any additional SAML claims to the custom token claims and they will propagate to the Firebase ID token JWT.

Best regards,
Bassam
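
The server-side step described in the reply above, as an added example (not code from the thread or from Firebase): mapping a profile taken from an already signature-verified SAML assertion to the uid and claims handed to the Admin SDK's createCustomToken. The issuer URL, attribute names, allowlist and profile shape are assumptions for illustration.

```javascript
// Added example. The issuer URL, attribute names, allowlist and profile shape
// are assumptions for illustration, not values from the thread.
const TRUSTED_ISSUERS = new Set(['https://idp.example.com/metadata']);

// Allowlist: SAML attribute name -> custom-token claim name. Attributes not
// listed here are dropped, so the IdP cannot introduce arbitrary claims.
const CLAIM_MAP = { mail: 'email', department: 'dept', groups: 'groups' };

// Constructed sample of what a SAML library might return after it has
// verified the assertion's signature, audience and validity window.
const SAMPLE_PROFILE = {
  issuer: 'https://idp.example.com/metadata',
  nameID: 'alice@example.com',
  mail: 'alice@example.com',
  groups: ['eng'],
  admin: 'true', // not in CLAIM_MAP, so it must not reach the token
};

// Map a verified profile to the uid and developer claims for a custom token.
function samlProfileToFirebaseIdentity(profile) {
  if (!profile || !TRUSTED_ISSUERS.has(profile.issuer)) {
    throw new Error('untrusted or missing SAML issuer');
  }
  if (typeof profile.nameID !== 'string' || profile.nameID.trim() === '') {
    throw new Error('missing NameID');
  }
  // Namespace the uid by issuer so two IdPs cannot collide on one NameID.
  const uid = `saml:${encodeURIComponent(profile.issuer)}:${encodeURIComponent(profile.nameID)}`;
  if (uid.length > 128) throw new Error('uid exceeds the 128-character limit');

  const claims = {};
  for (const [attr, claim] of Object.entries(CLAIM_MAP)) {
    const value = profile[attr];
    if (typeof value === 'string') claims[claim] = value;
    else if (Array.isArray(value) && value.every((v) => typeof v === 'string')) {
      claims[claim] = [...value];
    }
  }
  return { uid, claims };
}

// `auth` is admin.auth() from firebase-admin, injected so the mapping can be
// exercised without service-account credentials. Returns Promise<string>.
function mintCustomToken(auth, profile) {
  const { uid, claims } = samlProfileToFirebaseIdentity(profile);
  return auth.createCustomToken(uid, claims);
}
```

The resolved token string is what the server returns to the client for signInWithCustomToken.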

mark.t...@smpl.company

Jul 2, 2018, 8:35:11 PM
to Firebase Google Group
Right now I'm working on a project to support SAML as well. We are currently using miniOrange as part of our auth workflow. But we want to cut that out when we can. Through my research we have similar planned workflows as you mentioned.

We plan to use passport-saml, and firebase-admin (through firebase cloud functions) to verify/grab the SAML assertions -> custom token that gets passed to the client (firebase cloud function get request). We don't have plans to get this going for another few months, but I will keep our progress on this group if it's appropriate. Likewise, if you guys make any progress, please keep us posted :)



mark.t...@smpl.company

May 1, 2019, 10:19:51 AM
to Firebase Google Group
Just to keep linked resources up to date. Here's a link to stackoverflow: https://stackoverflow.com/a/55322424

Looks like Google/Firebase is in beta for better support for SAML. :)

