Merge pull request #1050 from supertokens/feat/saml

Feat/saml

Author: bcbogdan

…cation/enterprise/saml/boxy-hq-guide.mdx …uthentication/enterprise/legacy-saml.mdxdocs/authentication/enterprise/saml/boxy-hq-guide.mdx renamed to docs/authentication/enterprise/legacy-saml.mdx docs/authentication/enterprise/saml/boxy-hq-guide.mdx renamed to docs/authentication/enterprise/legacy-saml.mdx

@@ -1,18 +1,55 @@
 ---
-title: Integration Guide
+title: Legacy SAML
 hide_title: true
-sidebar_position: 3
-toc_max_heading_level: 4
-description: Integrate SAML authentication with SuperTokens using SAML Jackson.
+sidebar_position: 11
+description: >-
+  Learn how SAML facilitates secure information exchange between authentication
+  servers and client applications.
 page_type: guide
 recipe: thirdparty
 category: enterprise-login
 ---
 
+# Legacy SAML
 
 
-# Integration guide 
+## Overview
 
+The following guide shows you how to configure SAML using the legacy setup with SuperTokens.
+
+:::warning no-title
+Since version `11.3` of the core service you can use SuperTokens as a SAML client.
+We recommend that you use the latest version with [the simplified setup](/docs/authentication/enterprise/saml).
+:::
+
+### BoxyHQ
+
+[BoxyHQ](https://boxyhq.com/) is a commercial open-source company that has a product called "SAML Jackson" which helps integrate `SAML` providers into your application.
+
+`SAML` Jackson is a perfect fit with SuperTokens because:
+- It's an OAuth provider and a `SAML` client.
+This fits with the architecture.
+- For self hosted, it supports PostgreSQL and MySQL amongst [other databases](https://boxyhq.com/docs/jackson/deploy/service#database).
+Self hosted SuperTokens only supports PostgreSQL as a data source.
+
+`SAML` Jackson provides an HTTP service that you can host yourself or let BoxyHQ manage.
+The HTTP service uses NodeJS, and is embeddable within your NodeJS backend.
+However, because SuperTokens supports multiple backends, the focus is on deploying `SAML` Jackson as a microservice.
+
+<img alt="Flowchart of integrating a `SAML` provider with SuperTokens using `SAML` Jackson ( BoxyHQ )" src="/img/saml/supertokens-boxyhq.png" />
+
+1. The user clicks on the login button and redirects to `SAML` Jackson's microservice at `http://localhost:5225/api/oauth/authorize`
+2. `SAML` Jackson redirects the user to the `SAML` provider's login page where the user needs to enter their credentials
+3. After successfully authenticating the user, the `SAML` provider redirects the user to `SAML` Jackson. Step (2) and (3) follow the `SAML` protocol.
+4. `SAML` Jackson redirects the user to the frontend app on the configured callback URL. The callback URL contains the one-time use auth code.
+5. SuperTokens' frontend `SDK` passes the one-time use auth code to your app's backend.
+6. SuperTokens' backend `SDK` verifies the auth code by querying `SAML` Jackson. On success, `SAML` Jackson returns the end user's information and access token.
+7. SuperTokens' backend `SDK` creates a new user in the core associated with the end user's email. New session tokens are also created
+8. A SuperTokens' session establishes between your app's backend and frontend - logging in the user.
+
+:::info Example App
+An [example app on GitHub](https://github.com/supertokens/jackson-supertokens-express) with SuperTokens + `SAML` Jackson, for React and NodeJS express apps, is available. This uses [mocksaml.com](https://mocksaml.com/) as a `SAML` provider
+:::
 
 ## Before you start
 

docs/authentication/enterprise/saml.mdx

@@ -0,0 +1,190 @@
+---
+title: SAML
+hide_title: true
+sidebar_position: 10
+toc_max_heading_level: 4
+description: Add SAML authentication to your application
+page_type: tutorial
+recipe: thirdparty
+category: enterprise-login
+---
+
+# SAML Setup 
+
+## Overview
+
+The following guide shows you how to configure SAML with your SuperTokens integration.
+`SAML`, or Security Assertion Markup Language, is an open protocol that exchanges information between the authentication server and the client application.
+
+### How it works?
+
+Your `SAML` identity provider has a metadata file (`.xml`) that you or your end users need to upload to the `SAML` client.
+
+The `.xml` metadata file contains (amongst other things):
+- A unique entity ID that you must keep private. The `SAML` provider uses this to identify your application.
+- A public certificate that verifies the signature attached to the incoming `SAML` response.
+This ensures the response is coming from the expected Identity Provider.
+- Information about where to redirect the end user to when they click on the login button in your application. 
+This URL is to a website controlled by the `SAML` provider and asks the end user for their credentials.
+
+
+## Before you start
+
+<PaidFeatureCallout />
+
+These instructions assume that you already have gone through the main [quickstart guide](/docs/quickstart/introduction).
+If you have skipped that page please follow the tutorial and return here once you're done.
+
+
+:::warning no-title
+You need to use a SuperTokens core that is at least on version `11.3`.
+The feature is only available with the `Node.js` SDK.
+Support for `Python` and `Golang` is in active development.
+:::
+
+
+## Steps
+
+### 1. Get the SAML metadata from your Identity Provider
+
+Before configuring SuperTokens, you need to obtain the SAML metadata XML from your Identity Provider (IDP).
+This is typically available in your IDP's admin console as a downloadable XML file or a metadata URL.
+
+Common locations for metadata:
+- **Azure AD**: Enterprise Applications > Your App > Single sign-on > Federation Metadata XML
+- **Okta**: Applications > Your App > Sign On > SAML Metadata
+- **Google Workspace**: Apps > Web and mobile apps > Your App > Download metadata
+
+### 2. Initialize the SAML recipe in the backend SDK
+
+```typescript
+import { SuperTokens } from "supertokens-node";
+import Saml from "supertokens-node/recipe/saml";
+
+SuperTokens.init({
+    supertokens: {
+        connectionURI: "<SUPERTOKENS_CONNECTION_URI>",
+        apiKey: "<SUPERTOKENS_API_KEY>",
+    },
+    appInfo: {
+        appName: "App name",
+        apiDomain: "<API_DOMAIN>",
+        websiteDomain: "<WEBSITE_DOMAIN>",
+    },
+    recipeList: [
+        // other recipes
+        Saml.init(),
+    ]
+});
+
+```
+
+### 3. Create a new SAML client
+
+Use the metadata XML obtained in step 1 to create a SAML client.
+The `redirectURIs` should point to your application's callback URL where users will be redirected after authentication.
+
+:::info no-title
+This step assumes that you previously have created a SuperTokens tenant.
+If you have not, please follow the [initial setup guide](/docs/authentication/enterprise/initial-setup).
+:::
+
+```typescript
+import Saml from "supertokens-node/recipe/saml";
+
+async function createSamlClient() {
+  const result = await Saml.createOrUpdateClient({
+    tenantId: "<TENANT_ID>",
+    clientId: "<CLIENT_ID>",
+    clientSecret: "<CLIENT_SECRET>",
+    redirectURIs: ["https://your-app.com/auth/callback"],
+    defaultRedirectURI: "https://your-app.com/auth/callback",
+    metadataXML: "<METADATA_XML_FROM_IDP>",
+    allowIDPInitiatedLogin: true,
+    enableRequestSigning: true,
+  });
+
+  // Save the clientId for use in the ThirdParty provider configuration
+  console.log("Client ID:", result.clientId);
+}
+
+```
+
+
+| Name                   | Type                | Description                                                                                                            | Required |
+| ------------------------ | --------------------- | ---------------------------------------------------------------------------------------------------------------------- | -------- |
+| `tenantId`               | `string`              | The unique identifier of the tenant for which the SAML client is being created or updated.                             | Yes      |
+| `clientId`               | `string`              | The unique identifier for the SAML client. If provided, updates the existing client; if omitted, creates a new client. | No       |
+| `clientSecret`           | `string`              | The secret key associated with the SAML client for authentication purposes.                                            | No       |
+| `redirectURIs`           | `string[]`            | An array of URIs where the user agent should be redirected after successful authentication.                            | Yes      |
+| `defaultRedirectURI`     | `string`              | The default URI to redirect to if no specific redirect URI is specified.                                               | Yes      |
+| `metadataXML`            | `string`              | The SAML metadata XML string containing configuration details for the Identity Provider.                               | Yes      |
+| `allowIDPInitiatedLogin` | `boolean`             | A flag indicating whether login requests initiated by the Identity Provider are allowed.                               | No       |
+| `enableRequestSigning`   | `boolean`             | A flag indicating whether SAML requests should be digitally signed for security.                                       | No       |
+| `userContext`            | `Record<string, any>` | An optional object containing additional context or metadata for the operation.                                        | No       |
+
+
+### 4. Configure your Identity Provider
+
+After creating the SAML client, you need to configure your Identity Provider with your application's Service Provider (SP) details.
+
+On the IDP side, configure the following properties:
+- **Entity ID**: Should match the `saml_sp_entity_id` value used in your [tenant configuration](/docs/authentication/enterprise/manage-tenants#update-a-tenant). The default value is `https://saml.supertokens.com`. 
+- **ACS URL** (Assertion Consumer Service URL): `<API_DOMAIN>/auth/<TENANT_ID>saml/callback`
+
+### 5. Add the ThirdParty provider
+
+Update your SuperTokens initialization to include the ThirdParty recipe with your SAML provider.
+The `thirdPartyId` must start with `saml-` followed by your custom identifier.
+
+```typescript
+import { SuperTokens } from "supertokens-node";
+import Saml from "supertokens-node/recipe/saml";
+import ThirdParty from "supertokens-node/recipe/thirdparty";
+
+SuperTokens.init({
+    supertokens: {
+        connectionURI: "<SUPERTOKENS_CONNECTION_URI>",
+        apiKey: "<SUPERTOKENS_API_KEY>",
+    },
+    appInfo: {
+        appName: "App name",
+        apiDomain: "<API_DOMAIN>",
+        websiteDomain: "<WEBSITE_DOMAIN>",
+    },
+    recipeList: [
+        Saml.init(),
+        ThirdParty.init({
+            signInAndUpFeature: {
+                providers: [
+                    {
+                        config: {
+                            // Name that will be shown on the login page
+                            name: "Azure SAML",
+                            // Must start with "saml-"
+                            thirdPartyId: "saml-azure",
+                            clients: [
+                                {
+                                    // The clientId from step 3
+                                    clientId: "<CLIENT_ID>",
+                                },
+                            ],
+                        },
+                    }
+                ],
+            },
+        }),
+    ]
+});
+
+```
+
+
+## See also
+
+<ReferenceCard.Grid>
+  <ReferenceCard href="/docs/authentication/enterprise/common-domain-login" label="Implement common domain login" />
+  <ReferenceCard href="/docs/authentication/enterprise/subdomain-login" label="Implement subdomain login" />
+  <ReferenceCard href="/docs/authentication/enterprise/manage-tenants" label="Manage tenants" />
+  <ReferenceCard href="/docs/authentication/enterprise/manage-apps" label="Manage apps" />
+</ReferenceCard.Grid>

docs/authentication/enterprise/saml/_category_.json

@@ -175,9 +175,9 @@ Check the following code snippet to see how you can do that:
 curl -X POST ^{appInfo.apiDomain}^{appInfo.apiBasePath}/oauth/token \
 -H "Content-Type: application/json" \
 -d '{
-  "clientId": "<CLIENT_ID>",
-  "clientSecret": "<CLIENT_SECRET>",
-  "grantType": "client_credentials",
+  "client_id": "<CLIENT_ID>",
+  "client_secret": "<CLIENT_SECRET>",
+  "grant_type": "client_credentials",
   "scope": ["<RESOURCE_SCOPE>"],
   "audience": "<AUDIENCE>"
 }'
@@ -191,9 +191,9 @@ If the **Task Service** wants to create an event on the **Calendar Service**, a
 
 ```json
   {
-    "clientId": "<TASK_SERVICE_CLIENT_ID>",
-    "clientSecret": "<TASK_SERVICE_CLIENT_SECRET>",
-    "grantType": "client_credentials",
+    "client_id": "<TASK_SERVICE_CLIENT_ID>",
+    "client_secret": "<TASK_SERVICE_CLIENT_SECRET>",
+    "grant_type": "client_credentials",
     "scope": ["event.create"],
     "audience": "event"
   }
@@ -205,13 +205,13 @@ The **Authorization Server** returns a response that looks like this:
 
 ```json
 {
-    "accessToken": "<TOKEN_VALUE>",
-    "expiresIn": 3600
+    "access_token": "<TOKEN_VALUE>",
+    "expires_in": 3600
 }
 ```
 
-Save the `accessToken` in memory for use in the next step.
-The `expiresIn` field indicates how long the token is valid for.
+Save the `access_token` in memory for use in the next step.
+The `expires_in` field indicates how long the token is valid for.
 
 Each service that you communicate with needs its own token.
 

docs/authentication/enterprise/saml/overview.mdx

@@ -8,6 +8,7 @@ const NewPages = [
   "/docs/authentication/enterprise/tenant-discovery",
   "/docs/authentication/enterprise/tenant-management-plugin",
   "/docs/deployment/telemetry",
+  "/docs/authentication/enterprise/saml",
   "/docs/post-authentication/user-management/progressive-profiling",
   "/docs/post-authentication/user-management/profiling",
 ];