DEV Community: Mudaser Ali The latest articles on DEV Community by Mudaser Ali (@smali_kazmi). https://dev.to/smali_kazmi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3423536%2Fd51948c3-c9dc-4bbf-aa08-97235f6868d2.jpg DEV Community: Mudaser Ali https://dev.to/smali_kazmi en SAML SSO Identity Provider in Node.js: The Complete Guide (Part 1) Mudaser Ali Sat, 09 Aug 2025 12:25:30 +0000 https://dev.to/smali_kazmi/saml-sso-identity-provider-in-nodejs-the-complete-guide-part-1-47k8 https://dev.to/smali_kazmi/saml-sso-identity-provider-in-nodejs-the-complete-guide-part-1-47k8 <h1> SAML SSO Identity Provider in Node.js: The Complete Guide (Part 1) </h1> <p><em>Building Enterprise Authentication in 5 Minutes</em></p> <p><strong>By Syed Mudaser Ali Kazmi (SMAK)</strong></p> <p>When enterprise clients ask for SAML SSO integration, most developers' hearts skip a beat. The complexity of XML parsing, certificate management, and SAML protocol intricacies can turn a simple authentication request into weeks of development hell.</p> <p>But what if I told you that you could build a production-ready SAML Identity Provider (IdP) in Node.js in just 5 minutes?</p> <h2> What is a SAML Identity Provider? </h2> <p>A SAML Identity Provider is the authentication server that:</p> <ul> <li>🔐 Authenticates users (validates credentials)</li> <li>🎫 Issues SAML assertions (digital tokens)</li> <li>🔒 Signs and encrypts authentication responses</li> <li>📋 Provides metadata for Service Providers to trust</li> </ul> <p>Think of it as the "bouncer" of the digital world - it verifies who you are and gives you a VIP pass (SAML assertion) to access other applications.</p> <h2> Why Build Your Own IdP? </h2> <h3> Enterprise Scenarios: </h3> <ul> <li> <strong>Custom Authentication Logic</strong>: Integrate with proprietary user stores</li> <li> <strong>Multi-Factor Authentication</strong>: Add custom MFA flows</li> <li> <strong>Compliance Requirements</strong>: Meet specific security standards</li> <li> <strong>Cost Optimization</strong>: Avoid expensive third-party IdP licensing</li> <li> <strong>Full Control</strong>: Complete customization of user experience</li> </ul> <h3> Modern Use Cases: </h3> <ul> <li> <strong>B2B SaaS</strong>: Provide SSO for enterprise customers</li> <li> <strong>Internal Tools</strong>: Centralize authentication for multiple apps</li> <li> <strong>Partner Integration</strong>: Enable federated access for partners</li> <li> <strong>Microservices</strong>: Create authentication service for service mesh</li> </ul> <h2> The Traditional SAML Pain Points </h2> <p>Before we solve them, let's acknowledge what makes SAML development challenging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Traditional SAML implementation nightmare</span> <span class="kd">const</span> <span class="nx">xml2js</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">xml2js</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">zlib</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">zlib</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 200+ lines of XML template generation</span> <span class="kd">const</span> <span class="nx">generateSAMLResponse</span> <span class="o">=</span> <span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">requestId</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Complex XML parsing and generation</span> <span class="c1">// Certificate loading and validation</span> <span class="c1">// Signature generation</span> <span class="c1">// Encryption handling</span> <span class="c1">// Base64 encoding/decoding</span> <span class="c1">// Deflate compression</span> <span class="c1">// ... weeks of debugging</span> <span class="p">};</span> </code></pre> </div> <p><strong>Problems with this approach:</strong></p> <ul> <li>❌ Hundreds of lines of boilerplate code</li> <li>❌ Easy to introduce security vulnerabilities</li> <li>❌ Difficult to test and debug</li> <li>❌ Poor maintainability</li> <li>❌ XML template hell</li> </ul> <h2> Enter saml-sso-helper: The Game Changer </h2> <p>I built <code>saml-sso-helper</code> to eliminate all this complexity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Modern SAML implementation</span> <span class="kd">const</span> <span class="nx">SAMLHelper</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">saml-sso-helper</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">samlHelper</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SAMLHelper</span><span class="p">({</span> <span class="na">encryption</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">entityID</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-company.com/idp</span><span class="dl">'</span><span class="p">,</span> <span class="na">baseURL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">certificates</span><span class="p">:</span> <span class="p">{</span> <span class="cm">/* your certs */</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">samlHelper</span><span class="p">.</span><span class="nf">createIdentityProvider</span><span class="p">();</span> <span class="c1">// Done! 🎉</span> </code></pre> </div> <h2> 5-Minute IdP Implementation </h2> <p>Let's build a complete SAML Identity Provider from scratch:</p> <h3> Step 1: Project Setup (30 seconds) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>my-saml-idp <span class="o">&amp;&amp;</span> <span class="nb">cd </span>my-saml-idp npm init <span class="nt">-y</span> npm <span class="nb">install </span>saml-sso-helper express express-session bcryptjs </code></pre> </div> <h3> Step 2: Generate Certificates (1 minute) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>certificates <span class="o">&amp;&amp;</span> <span class="nb">cd </span>certificates <span class="c"># Generate signing certificate</span> openssl req <span class="nt">-x509</span> <span class="nt">-newkey</span> rsa:2048 <span class="nt">-keyout</span> idp-signing.key <span class="se">\</span> <span class="nt">-out</span> idp-signing.cert <span class="nt">-days</span> 365 <span class="nt">-nodes</span> <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/CN=your-company.com/O=Your Company/C=US"</span> <span class="c"># Generate encryption certificate </span> openssl req <span class="nt">-x509</span> <span class="nt">-newkey</span> rsa:2048 <span class="nt">-keyout</span> idp-encrypt.key <span class="se">\</span> <span class="nt">-out</span> idp-encrypt.cert <span class="nt">-days</span> 365 <span class="nt">-nodes</span> <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"/CN=your-company.com/O=Your Company/C=US"</span> <span class="nb">cd</span> .. </code></pre> </div> <h3> Step 3: Create the Identity Provider (3.5 minutes) </h3> <p>Create <code>idp.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-session</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">bcrypt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">bcryptjs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">SAMLHelper</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">saml-sso-helper</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// Middleware setup</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">urlencoded</span><span class="p">({</span> <span class="na">extended</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">());</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">session</span><span class="p">({</span> <span class="na">secret</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-session-secret-change-in-production</span><span class="dl">'</span><span class="p">,</span> <span class="na">resave</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">saveUninitialized</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">cookie</span><span class="p">:</span> <span class="p">{</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1">// Set to true in production with HTTPS</span> <span class="p">}));</span> <span class="c1">// Mock user database (replace with your actual user store)</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">john.doe@company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hashSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">password123</span><span class="dl">'</span><span class="p">,</span> <span class="mi">10</span><span class="p">),</span> <span class="na">profile</span><span class="p">:</span> <span class="p">{</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">John Doe</span><span class="dl">'</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">John</span><span class="dl">'</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Doe</span><span class="dl">'</span><span class="p">,</span> <span class="na">department</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Engineering</span><span class="dl">'</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Senior Developer</span><span class="dl">'</span><span class="p">,</span> <span class="na">employeeId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">EMP001</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">jane.smith@company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hashSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">secure456</span><span class="dl">'</span><span class="p">,</span> <span class="mi">10</span><span class="p">),</span> <span class="na">profile</span><span class="p">:</span> <span class="p">{</span> <span class="na">displayName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Jane Smith</span><span class="dl">'</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Jane</span><span class="dl">'</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Smith</span><span class="dl">'</span><span class="p">,</span> <span class="na">department</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Product</span><span class="dl">'</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Product Manager</span><span class="dl">'</span><span class="p">,</span> <span class="na">employeeId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">EMP002</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">];</span> <span class="c1">// Initialize SAML Helper</span> <span class="kd">const</span> <span class="nx">samlHelper</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SAMLHelper</span><span class="p">({</span> <span class="na">encryption</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">entityID</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-company.com/idp/metadata</span><span class="dl">'</span><span class="p">,</span> <span class="na">baseURL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://your-company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">partnerMetadataURL</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://partner-app.com/sp/metadata</span><span class="dl">'</span><span class="p">,</span> <span class="na">certificates</span><span class="p">:</span> <span class="p">{</span> <span class="na">signing</span><span class="p">:</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">certificates/idp-signing.key</span><span class="dl">'</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">certificates/idp-signing.cert</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="na">encryption</span><span class="p">:</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">certificates/idp-encrypt.key</span><span class="dl">'</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">certificates/idp-encrypt.cert</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">},</span> <span class="na">attributes</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">displayName</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">firstName</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">lastName</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">department</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">role</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">employeeId</span><span class="dl">'</span> <span class="p">]</span> <span class="p">});</span> <span class="c1">// Create IdP instance</span> <span class="nx">samlHelper</span><span class="p">.</span><span class="nf">createIdentityProvider</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">middleware</span> <span class="o">=</span> <span class="nx">samlHelper</span><span class="p">.</span><span class="nf">getExpressMiddleware</span><span class="p">();</span> <span class="c1">// Helper functions</span> <span class="kd">const</span> <span class="nx">findUserByEmail</span> <span class="o">=</span> <span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">users</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">email</span> <span class="o">===</span> <span class="nx">email</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authenticateUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nf">findUserByEmail</span><span class="p">(</span><span class="nx">email</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">return</span> <span class="nx">isValid</span> <span class="p">?</span> <span class="nx">user</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="p">};</span> <span class="c1">// Routes</span> <span class="c1">// IdP Metadata endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/metadata</span><span class="dl">'</span><span class="p">,</span> <span class="nx">middleware</span><span class="p">.</span><span class="nx">idp</span><span class="p">.</span><span class="nx">metadata</span><span class="p">);</span> <span class="c1">// Login page</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">SAMLRequest</span><span class="p">,</span> <span class="nx">RelayState</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">` &lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;Company Login - SAML IdP&lt;/title&gt; &lt;style&gt; body { font-family: Arial, sans-serif; max-width: 400px; margin: 100px auto; padding: 20px; } .login-form { background: #f5f5f5; padding: 30px; border-radius: 8px; } input { width: 100%; padding: 10px; margin: 10px 0; border: 1px solid #ddd; border-radius: 4px; } button { background: #007bff; color: white; padding: 12px 20px; border: none; border-radius: 4px; cursor: pointer; width: 100%; } button:hover { background: #0056b3; } .error { color: red; margin: 10px 0; } &lt;/style&gt; &lt;/head&gt; &lt;body&gt; &lt;div class="login-form"&gt; &lt;h2&gt;🔐 Company Portal Login&lt;/h2&gt; &lt;form method="POST" action="/login"&gt; &lt;input type="hidden" name="SAMLRequest" value="</span><span class="p">${</span><span class="nx">SAMLRequest</span> <span class="o">||</span> <span class="dl">''</span><span class="p">}</span><span class="s2">" /&gt; &lt;input type="hidden" name="RelayState" value="</span><span class="p">${</span><span class="nx">RelayState</span> <span class="o">||</span> <span class="dl">''</span><span class="p">}</span><span class="s2">" /&gt; &lt;input type="email" name="email" placeholder="Email Address" required /&gt; &lt;input type="password" name="password" placeholder="Password" required /&gt; &lt;button type="submit"&gt;Sign In&lt;/button&gt; &lt;/form&gt; &lt;div style="margin-top: 20px; font-size: 12px; color: #666;"&gt; &lt;strong&gt;Demo Accounts:&lt;/strong&gt;&lt;br&gt; john.doe@company.com / password123&lt;br&gt; jane.smith@company.com / secure456 &lt;/div&gt; &lt;/div&gt; &lt;/body&gt; &lt;/html&gt; `</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Login processing</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">SAMLRequest</span><span class="p">,</span> <span class="nx">RelayState</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Authenticate user</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">authenticateUser</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="s2">` &lt;h2&gt;Login Failed&lt;/h2&gt; &lt;p&gt;Invalid email or password.&lt;/p&gt; &lt;a href="/login?SAMLRequest=</span><span class="p">${</span><span class="nx">SAMLRequest</span><span class="p">}</span><span class="s2">&amp;RelayState=</span><span class="p">${</span><span class="nx">RelayState</span><span class="p">}</span><span class="s2">"&gt;Try Again&lt;/a&gt; `</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Store user session</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="c1">// If this is a SAML request, continue to SSO</span> <span class="k">if </span><span class="p">(</span><span class="nx">SAMLRequest</span><span class="p">)</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">SAMLRequest</span> <span class="o">=</span> <span class="nx">SAMLRequest</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">RelayState</span> <span class="o">=</span> <span class="nx">RelayState</span><span class="p">;</span> <span class="k">return</span> <span class="nx">app</span><span class="p">.</span><span class="nx">_router</span><span class="p">.</span><span class="nf">handle</span><span class="p">({...</span><span class="nx">req</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/sso</span><span class="dl">'</span><span class="p">},</span> <span class="nx">res</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Regular login success</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">` &lt;h2&gt;✅ Login Successful&lt;/h2&gt; &lt;p&gt;Welcome, </span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">displayName</span><span class="p">}</span><span class="s2">!&lt;/p&gt; &lt;a href="/profile"&gt;View Profile&lt;/a&gt; `</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Login error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Login failed</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// SSO endpoint</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/sso</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Check if user is authenticated</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">SAMLRequest</span><span class="p">,</span> <span class="nx">RelayState</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="s2">`/login?SAMLRequest=</span><span class="p">${</span><span class="nx">SAMLRequest</span><span class="p">}</span><span class="s2">&amp;RelayState=</span><span class="p">${</span><span class="nx">RelayState</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Prepare user data for SAML assertion</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">userData</span> <span class="o">=</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">displayName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">displayName</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">firstName</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">lastName</span><span class="p">,</span> <span class="na">department</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">department</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="na">employeeId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">employeeId</span> <span class="p">};</span> <span class="c1">// Process SAML SSO</span> <span class="nx">middleware</span><span class="p">.</span><span class="nx">idp</span><span class="p">.</span><span class="nf">sso</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// User profile page</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">` &lt;h2&gt;👤 User Profile&lt;/h2&gt; &lt;p&gt;&lt;strong&gt;Name:&lt;/strong&gt; </span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">displayName</span><span class="p">}</span><span class="s2">&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Email:&lt;/strong&gt; </span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2">&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Department:&lt;/strong&gt; </span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">department</span><span class="p">}</span><span class="s2">&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Role:&lt;/strong&gt; </span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">role</span><span class="p">}</span><span class="s2">&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Employee ID:&lt;/strong&gt; </span><span class="p">${</span><span class="nx">user</span><span class="p">.</span><span class="nx">profile</span><span class="p">.</span><span class="nx">employeeId</span><span class="p">}</span><span class="s2">&lt;/p&gt; &lt;a href="/logout"&gt;Logout&lt;/a&gt; `</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Logout</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/logout</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">&lt;h2&gt;Logged out successfully&lt;/h2&gt;&lt;a href="/login"&gt;Login Again&lt;/a&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Health check</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">healthy</span><span class="dl">'</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SAML Identity Provider</span><span class="dl">'</span><span class="p">,</span> <span class="na">encryption</span><span class="p">:</span> <span class="nx">samlHelper</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">encryption</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Error handling</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">error</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">IdP Error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Identity Provider error</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Start server</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">||</span> <span class="mi">3000</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`🔐 SAML Identity Provider running on http://localhost:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`📋 Metadata: http://localhost:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">/metadata`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`🚀 Login: http://localhost:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">/login`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`👤 Profile: http://localhost:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">/profile`</span><span class="p">);</span> <span class="p">});</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <h2> Advanced IdP Features </h2> <h3> Database Integration </h3> <p>Replace the mock users with real database integration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// With MongoDB/Mongoose</span> <span class="kd">const</span> <span class="nx">User</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./models/User</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authenticateUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="nx">email</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">return</span> <span class="nx">isValid</span> <span class="p">?</span> <span class="nx">user</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="p">};</span> <span class="c1">// With PostgreSQL/Sequelize</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./models</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authenticateUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">return</span> <span class="nx">isValid</span> <span class="p">?</span> <span class="nx">user</span> <span class="p">:</span> <span class="kc">null</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <h3> Multi-Factor Authentication </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">speakeasy</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">speakeasy</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/verify-mfa</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">user</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">verified</span> <span class="o">=</span> <span class="nx">speakeasy</span><span class="p">.</span><span class="nx">totp</span><span class="p">.</span><span class="nf">verify</span><span class="p">({</span> <span class="na">secret</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">mfaSecret</span><span class="p">,</span> <span class="na">encoding</span><span class="p">:</span> <span class="dl">'</span><span class="s1">base32</span><span class="dl">'</span><span class="p">,</span> <span class="na">token</span><span class="p">:</span> <span class="nx">token</span><span class="p">,</span> <span class="na">window</span><span class="p">:</span> <span class="mi">2</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">verified</span><span class="p">)</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">mfaVerified</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="dl">'</span><span class="s1">/sso</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid MFA token</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> LDAP/Active Directory Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">ldap</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">ldapjs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authenticateWithLDAP</span> <span class="o">=</span> <span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">password</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">reject</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">ldap</span><span class="p">.</span><span class="nf">createClient</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ldap://your-domain-controller.com</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">dn</span> <span class="o">=</span> <span class="s2">`cn=</span><span class="p">${</span><span class="nx">username</span><span class="p">}</span><span class="s2">,ou=users,dc=company,dc=com`</span><span class="p">;</span> <span class="nx">client</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="nx">dn</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">reject</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Fetch user attributes</span> <span class="nx">client</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="nx">dn</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Process LDAP response</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">userInfo</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <h3> Custom Attribute Mapping </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">mapUserAttributes</span> <span class="o">=</span> <span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">targetApp</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">attributeMappings</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">salesforce</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="dl">'</span><span class="s1">https://schemas.salesforce.com/FirstName</span><span class="dl">'</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">firstName</span><span class="p">,</span> <span class="dl">'</span><span class="s1">https://schemas.salesforce.com/LastName</span><span class="dl">'</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lastName</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">office365</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</span><span class="dl">'</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</span><span class="dl">'</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">firstName</span><span class="p">,</span> <span class="dl">'</span><span class="s1">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</span><span class="dl">'</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lastName</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">default</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">displayName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">displayName</span><span class="p">,</span> <span class="na">firstName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">firstName</span><span class="p">,</span> <span class="na">lastName</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">lastName</span> <span class="p">}</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">attributeMappings</span><span class="p">[</span><span class="nx">targetApp</span><span class="p">]</span> <span class="o">||</span> <span class="nx">attributeMappings</span><span class="p">.</span><span class="k">default</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <h2> Production Deployment </h2> <h3> Environment Configuration </h3> <p>Create <code>.env</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">NODE_ENV</span><span class="o">=</span>production <span class="nv">PORT</span><span class="o">=</span>3000 <span class="nv">SESSION_SECRET</span><span class="o">=</span>your-super-secret-key-change-this <span class="nv">DATABASE_URL</span><span class="o">=</span>postgresql://user:pass@host:5432/dbname <span class="nv">LDAP_URL</span><span class="o">=</span>ldap://domain-controller.company.com <span class="nv">ENTITY_ID</span><span class="o">=</span>https://idp.company.com/metadata <span class="nv">BASE_URL</span><span class="o">=</span>https://idp.company.com <span class="nv">SIGNING_CERT_PATH</span><span class="o">=</span>/app/certs/signing.cert <span class="nv">SIGNING_KEY_PATH</span><span class="o">=</span>/app/certs/signing.key <span class="nv">ENCRYPT_CERT_PATH</span><span class="o">=</span>/app/certs/encrypt.cert <span class="nv">ENCRYPT_KEY_PATH</span><span class="o">=</span>/app/certs/encrypt.key </code></pre> </div> <h3> Docker Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="k">COPY</span><span class="s"> . .</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "idp.js"]</span> </code></pre> </div> <h3> Kubernetes Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">saml-idp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">saml-idp</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">saml-idp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">saml-idp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">your-registry/saml-idp:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NODE_ENV</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">certificates</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/app/certificates</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">certificates</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">saml-certificates</span> </code></pre> </div> <h2> Security Best Practices </h2> <h3> Certificate Management </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Rotate certificates regularly</span> <span class="kd">const</span> <span class="nx">loadCertificates</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">certPath</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">/secure/certificates</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">./certificates</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">signing</span><span class="p">:</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">certPath</span><span class="p">}</span><span class="s2">/signing.key`</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">certPath</span><span class="p">}</span><span class="s2">/signing.cert`</span><span class="p">)</span> <span class="p">},</span> <span class="na">encryption</span><span class="p">:</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">certPath</span><span class="p">}</span><span class="s2">/encrypt.key`</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">certPath</span><span class="p">}</span><span class="s2">/encrypt.cert`</span><span class="p">)</span> <span class="p">}</span> <span class="p">};</span> <span class="p">};</span> <span class="c1">// Validate certificate expiration</span> <span class="kd">const</span> <span class="nx">validateCertificates</span> <span class="o">=</span> <span class="p">(</span><span class="nx">certificates</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cert</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">crypto</span><span class="p">.</span><span class="nc">X509Certificate</span><span class="p">(</span><span class="nx">certificates</span><span class="p">.</span><span class="nx">signing</span><span class="p">.</span><span class="nx">cert</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">expiryDate</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">validTo</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">daysUntilExpiry</span> <span class="o">=</span> <span class="p">(</span><span class="nx">expiryDate</span> <span class="o">-</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">())</span> <span class="o">/</span> <span class="p">(</span><span class="mi">1000</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">daysUntilExpiry</span> <span class="o">&lt;</span> <span class="mi">30</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Certificate expires in </span><span class="p">${</span><span class="nx">daysUntilExpiry</span><span class="p">}</span><span class="s2"> days!`</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Rate Limiting </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">rateLimit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">loginLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="c1">// 5 attempts per window</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many login attempts, please try again later</span><span class="dl">'</span><span class="p">,</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="nx">loginLimiter</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Login logic</span> <span class="p">});</span> </code></pre> </div> <h3> Audit Logging </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">winston</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">winston</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nx">winston</span><span class="p">.</span><span class="nf">createLogger</span><span class="p">({</span> <span class="na">level</span><span class="p">:</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">format</span><span class="p">.</span><span class="nf">json</span><span class="p">(),</span> <span class="na">transports</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">transports</span><span class="p">.</span><span class="nc">File</span><span class="p">({</span> <span class="na">filename</span><span class="p">:</span> <span class="dl">'</span><span class="s1">audit.log</span><span class="dl">'</span> <span class="p">})</span> <span class="p">]</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">auditLog</span> <span class="o">=</span> <span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">details</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="nx">event</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">?.</span><span class="nx">email</span><span class="p">,</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">User-Agent</span><span class="dl">'</span><span class="p">),</span> <span class="nx">details</span> <span class="p">});</span> <span class="p">};</span> <span class="c1">// Usage</span> <span class="nf">auditLog</span><span class="p">(</span><span class="dl">'</span><span class="s1">LOGIN_SUCCESS</span><span class="dl">'</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">auditLog</span><span class="p">(</span><span class="dl">'</span><span class="s1">SSO_REQUEST</span><span class="dl">'</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="p">{</span> <span class="na">sp</span><span class="p">:</span> <span class="nx">targetApp</span> <span class="p">});</span> </code></pre> </div> <h2> Testing Your IdP </h2> <h3> Unit Tests </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">supertest</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">./idp</span><span class="dl">'</span><span class="p">);</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">SAML IdP</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">should serve metadata</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/metadata</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">text</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">EntityDescriptor</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">text</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">IDPSSODescriptor</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">should authenticate valid user</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">john.doe@company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password123</span><span class="dl">'</span> <span class="p">})</span> <span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">text</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">Login Successful</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">should reject invalid credentials</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">john.doe@company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">wrongpassword</span><span class="dl">'</span> <span class="p">})</span> <span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="mi">401</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h3> Integration Testing </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Test with a real Service Provider</span> <span class="kd">const</span> <span class="nx">testSAMLFlow</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// 1. Initiate SSO from SP</span> <span class="kd">const</span> <span class="nx">spResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">spApp</span><span class="p">)</span> <span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="mi">302</span><span class="p">);</span> <span class="c1">// 2. Extract SAML request</span> <span class="kd">const</span> <span class="nx">redirectUrl</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">spResponse</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">location</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">samlRequest</span> <span class="o">=</span> <span class="nx">redirectUrl</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">SAMLRequest</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 3. Submit to IdP</span> <span class="kd">const</span> <span class="nx">idpResponse</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">request</span><span class="p">(</span><span class="nx">idpApp</span><span class="p">)</span> <span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/sso</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">query</span><span class="p">({</span> <span class="na">SAMLRequest</span><span class="p">:</span> <span class="nx">samlRequest</span> <span class="p">})</span> <span class="p">.</span><span class="nf">expect</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="c1">// 4. Verify SAML response</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">idpResponse</span><span class="p">.</span><span class="nx">text</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">SAMLResponse</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h2> What's Next? </h2> <p>Congratulations! You now have a fully functional SAML Identity Provider. In <strong>Part 2</strong> of this series, we'll cover:</p> <ul> <li>🏢 <strong>Service Provider Implementation</strong>: How to consume SAML assertions</li> <li>🔄 <strong>Complete SSO Flow</strong>: End-to-end integration testing</li> <li>🚀 <strong>Advanced SP Features</strong>: Session management, logout, and more</li> <li>🔧 <strong>Production Deployment</strong>: Scaling and monitoring strategies</li> </ul> <h2> Resources </h2> <ul> <li>📦 <strong>npm Package</strong>: <code>npm install saml-sso-helper</code> </li> <li>🐙 <strong>GitHub</strong>: <a href="https://github.com/smali-kazmi/saml-sso-helper" rel="noopener noreferrer">saml-sso-helper</a> </li> <li>📖 <strong>Documentation</strong>: Complete API reference</li> <li>💬 <strong>Part 2</strong>: SAML Service Provider Guide </li> </ul> <p><em>Ready to implement the Service Provider side? Check out Part 2 of this series where we build the receiving end of our SAML SSO flow!</em></p> <p><strong>About the Author</strong>: Syed Mudaser Ali Kazmi (SMAK) is a seasoned technology leader specializing in solving complex enterprise challenges with elegant, efficient solutions. As Co-founder and Tech Lead at Hucu.ai, he helps organizations achieve maximum operational efficiency using minimal team resources and optimized budgets. </p> <p>Frustrated by the complexity of enterprise authentication systems, SMAK created the <code>saml-sso-helper</code> package to transform weeks of complex SAML integration work into simple, maintainable systems. His passion lies in democratizing enterprise-grade technology, making sophisticated solutions accessible to teams of all sizes through innovative tooling and clear documentation.</p> javascript sso saml2 node