Implementing SAML SSO for Enterprise B2B Applications
<h2>What is SAML SSO?</h2>
<p>SAML (Security Assertion Markup Language) is the standard for enterprise Single Sign-On. It allows employees to use their company credentials to access third-party applications.</p>
<h2>Why SAML for B2B?</h2>
<p>Enterprise customers expect SAML SSO:</p>
<ul>
<li>Centralized user management (IT controls access)</li>
<li>Compliance requirements (SOC 2, ISO 27001)</li>
<li>Better security (no password sharing)</li>
<li>Improved UX (one login for all apps)</li>
</ul>
<h2>SAML Flow</h2>
<p>SAML uses XML-based assertions to exchange authentication data:</p>
<ol>
<li>User tries to access your app</li>
<li>App redirects to customer's Identity Provider (IdP)</li>
<li>User logs in at IdP</li>
<li>IdP returns a signed SAML assertion to your app (posted through the user's browser to your callback URL)</li>
<li>App validates the assertion (signature, issuer, audience, validity window) and creates a session</li>
</ol>
<h2>Implementing SAML in Next.js</h2>
<pre><code>// Install SAML library
npm install passport-saml

// Configure SAML strategy
import { Strategy as SamlStrategy } from 'passport-saml';

const samlStrategy = new SamlStrategy(
  {
    entryPoint: 'https://customer-idp.com/sso',
    issuer: 'your-app-entity-id',
    callbackUrl: 'https://yourapp.com/auth/saml/callback',
    cert: customerCertificate, // From IdP metadata; used to verify the assertion signature
  },
  async (profile, done) => {
    try {
      // Find or create user
      const user = await User.findOneAndUpdate(
        { email: profile.email },
        {
          email: profile.email,
          name: profile.displayName,
          samlNameId: profile.nameID,
        },
        { upsert: true, new: true }
      );
      done(null, user);
    } catch (err) {
      done(err);
    }
  }
);
</code></pre>
<h2>Multi-Tenant SAML</h2>
<p>Each enterprise customer has their own IdP configuration. Look the configuration up by tenant before building the strategy, and verify assertions only against that tenant's certificate so one customer's IdP cannot sign in users of another:</p>
<pre><code>// Store SAML configs per tenant
const samlConfig = await SAMLConfig.findOne({ tenantId });
if (!samlConfig) {
  throw new Error('No SAML configuration for tenant');
}

const strategy = new SamlStrategy({
  entryPoint: samlConfig.entryPoint,
  issuer: samlConfig.issuer,
  cert: samlConfig.certificate, // this tenant's IdP certificate only
  // ... other config
});
</code></pre>
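<p>The validation step of the flow above and the per-tenant lookup here are worth seeing together. The following is an added example, not code from the article or from passport-saml: it performs the checks an SP still has to make after the library has verified the XML signature against the tenant's certificate. The tenant config, pending-request table and assertion object are constructed samples, and their field names are assumptions rather than a library API.</p>

```javascript
// Added example, not code from the article: checks an SP applies to a SAML assertion
// after passport-saml has verified its XML signature against the tenant's IdP cert.
// The config, pending-request table and assertion below are constructed samples;
// their field names are assumptions, not a library API.
const CLOCK_SKEW_MS = 5 * 60 * 1000; // tolerate 5 minutes of IdP/SP clock drift

// What this app would store for one tenant (constructed sample).
const tenantConfig = {
  tenantId: 'acme',
  idpEntityId: 'https://idp.acme.example/metadata', // expected Issuer value
  spEntityId: 'your-app-entity-id',                  // expected Audience value
  acsUrl: 'https://yourapp.com/auth/saml/callback',  // expected Recipient value
};
// AuthnRequest IDs this SP issued and has not yet seen answered (constructed).
const pendingRequests = new Map([['_req-1', { tenantId: 'acme' }]]);
// Parsed, signature-verified assertion fields (constructed sample).
const sampleAssertion = {
  issuer: 'https://idp.acme.example/metadata',
  audiences: ['your-app-entity-id'],
  recipient: 'https://yourapp.com/auth/saml/callback',
  notBefore: '2024-01-01T12:00:00Z',
  notOnOrAfter: '2024-01-01T12:05:00Z',
  inResponseTo: '_req-1',
  nameId: 'alice@acme.example',
};

function validateAssertion(assertion, config, pending, now = Date.now()) {
  const errors = [];
  // Bind the assertion to this tenant's IdP, to this SP and to this ACS endpoint.
  if (assertion.issuer !== config.idpEntityId) errors.push("issuer is not this tenant's IdP");
  if (!assertion.audiences.includes(config.spEntityId)) errors.push('audience does not include this SP');
  if (assertion.recipient !== config.acsUrl) errors.push('recipient is not our ACS URL');
  // Enforce the validity window, allowing bounded clock skew in both directions.
  const nb = Date.parse(assertion.notBefore), na = Date.parse(assertion.notOnOrAfter);
  if (Number.isNaN(nb) || Number.isNaN(na)) errors.push('missing validity window');
  else {
    if (now + CLOCK_SKEW_MS < nb) errors.push('assertion not yet valid');
    if (now - CLOCK_SKEW_MS >= na) errors.push('assertion expired');
  }
  // Tie the response to a request this SP issued for this tenant, then consume
  // that request so the same response cannot be presented a second time.
  const req = pending.get(assertion.inResponseTo);
  if (!req || req.tenantId !== config.tenantId) errors.push('InResponseTo matches no outstanding request');
  else pending.delete(assertion.inResponseTo);
  return { ok: errors.length === 0, errors, nameId: errors.length ? null : assertion.nameId };
}

console.log(validateAssertion(sampleAssertion, tenantConfig, pendingRequests, Date.parse('2024-01-01T12:01:00Z')));
```

<p>Only when <code>ok</code> is true should the returned <code>nameId</code> be used to find or create the user, and that lookup should itself be scoped to the tenant whose IdP signed the assertion.</p>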
<h2>Metadata Exchange</h2>
<p>SAML requires metadata exchange between your app (SP) and the customer's IdP:</p>
<pre><code>// Generate SP metadata
export function generateSPMetadata() {
  return `&lt;?xml version="1.0"?&gt;
&lt;EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="your-app-entity-id"&gt;
  &lt;SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"&gt;
    &lt;AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://yourapp.com/auth/saml/callback"
                              index="0"/&gt;
  &lt;/SPSSODescriptor&gt;
&lt;/EntityDescriptor&gt;`;
}
</code></pre>
<h2>Testing SAML</h2>
<p>Use SAML test IdPs for development:</p>
<ul>
<li>OneLogin SAML Test Connector</li>
<li>Okta Developer Edition</li>
<li>Auth0 SAML IdP</li>
</ul>
<h2>Conclusion</h2>
<p>SAML SSO is essential for B2B SaaS. While complex to implement, it's required for enterprise customers. Use a library like passport-saml, support multi-tenant configuration, and provide clear setup documentation for customers' IT teams.</p>
About the Author
Alex Thompson
Senior Frontend Engineer
10+ years in frontend development, contributed to Auth.js and NextAuth. Senior Frontend Engineer with 10+ years of experience building production applications. Specializes in React, Next.js, and authentication systems for EU-compliant applications.