@radzor/saml-auth

SAML 2.0 SSO authentication for Service Provider-initiated flows. Generates login URLs, validates SAML responses, and extracts user attributes. Uses node:crypto for XML signing.

Authenticationv0.1.0typescriptServersamlssoauthenticationidentityenterprisexmlby Radzor

Install

View source on GitHub →

$npx radzor@latest add saml-auth

⚠ Constraints: Server-only (uses node:crypto). Does not support IdP-initiated login. XML parsing is done with string manipulation and node:crypto — no external XML library needed. The IdP certificate must be provided in PEM format.

Inputs

Name	Type	Default	Description
entityId*	string	—	Service Provider entity ID (your application identifier).SAML_ENTITY_ID
acsUrl*	string	—	Assertion Consumer Service URL where the IdP sends SAML responses.SAML_ACS_URL
idpLoginUrl*	string	—	Identity Provider SSO login endpoint URL.SAML_IDP_LOGIN_URL
idpCert*	string	—	Identity Provider's X.509 certificate for signature validation (PEM format).SAML_IDP_CERT

{ "llm": { "constraints": "Server-only (uses node:crypto). Does not support IdP-initiated login. XML parsing is done with string manipulation and node:crypto — no external XML library needed. The IdP certificate must be provided in PEM format.", "usageExamples": "llm/examples.md", "integrationPrompt": "llm/integration.md" }, "name": "@radzor/saml-auth", "tags": [ "saml", "sso", "authentication", "identity", "enterprise", "xml" ], "events": [ { "name": "onLoginSuccess", "payload": { "issuer": "string", "nameId": "string", "sessionIndex": "string" }, "description": "Fired after a SAML response is successfully validated." }, { "name": "onLoginFailed", "payload": { "error": "string", "issuer": "string" }, "description": "Fired when SAML response validation fails." } ], "inputs": [ { "name": "entityId", "type": "string", "envVar": "SAML_ENTITY_ID", "required": true, "description": "Service Provider entity ID (your application identifier)." }, { "name": "acsUrl", "type": "string", "envVar": "SAML_ACS_URL", "required": true, "description": "Assertion Consumer Service URL where the IdP sends SAML responses." }, { "name": "idpLoginUrl", "type": "string", "envVar": "SAML_IDP_LOGIN_URL", "required": true, "description": "Identity Provider SSO login endpoint URL." }, { "name": "idpCert", "type": "string", "envVar": "SAML_IDP_CERT", "required": true, "description": "Identity Provider's X.509 certificate for signature validation (PEM format)." }, { "name": "privateKey", "type": "string", "envVar": "SAML_SP_PRIVATE_KEY", "required": false, "description": "SP private key for signing requests (PEM format). Optional if IdP does not require signed requests." } ], "radzor": "1.0.0", "actions": [ { "name": "generateLoginUrl", "params": [ { "name": "relayState", "type": "string", "required": false, "description": "URL to redirect to after successful login." } ], "returns": "string", "description": "Generate a SAML AuthnRequest URL for SP-initiated login." }, { "name": "validateResponse", "params": [ { "name": "samlResponse", "type": "string", "description": "Base64-encoded SAML response from the IdP." } ], "returns": "Promise<SamlUser>", "description": "Validate a SAML response and extract the authenticated user." }, { "name": "getMetadata", "params": [], "returns": "string", "description": "Generate SP metadata XML for IdP configuration." }, { "name": "logout", "params": [ { "name": "nameId", "type": "string", "description": "NameID of the user to log out." }, { "name": "sessionIndex", "type": "string", "description": "Session index from the login assertion." } ], "returns": "string", "description": "Generate a SAML LogoutRequest URL for single logout." } ], "outputs": [ { "name": "samlUser", "type": "SamlUser", "fields": [ { "name": "nameId", "type": "string", "description": "SAML NameID (unique user identifier from IdP)." }, { "name": "attributes", "type": "Record<string, string | string[]>", "description": "User attributes returned by the IdP." }, { "name": "sessionIndex", "type": "string | null", "description": "IdP session index for single logout." }, { "name": "issuer", "type": "string", "description": "IdP entity ID that issued the assertion." } ], "description": "Authenticated user extracted from a valid SAML response." } ], "runtime": "server", "version": "0.1.0", "category": "auth", "languages": [ "typescript" ], "description": "SAML 2.0 SSO authentication for Service Provider-initiated flows. Generates login URLs, validates SAML responses, and extracts user attributes. Uses node:crypto for XML signing.", "dependencies": { "radzor": [], "packages": {} }, "composability": { "connectsTo": [ { "output": "samlUser", "mapField": "nameId", "compatibleWith": [ "@radzor/session-manager.action.create.data", "@radzor/rbac.action.assignRole.userId" ] }, { "event": "onLoginSuccess", "description": "Create session after SAML login", "compatibleWith": [ "@radzor/session-manager.action.create.data", "@radzor/event-tracker.action.track.eventName" ] }, { "event": "onLoginFailed", "description": "Track SAML login failures", "compatibleWith": [ "@radzor/error-tracker.action.captureMessage.message", "@radzor/log-aggregator.action.warn.message" ] } ] } }

@radzor/saml-auth

Install

Inputs

Outputs

Actions

Events

Composability

radzor.manifest.json