Creating an app

For use with a Node.js app with the Single Sign On service.

You must have the developer role to perform all application tasks.

Create these apps in ExchangeAware Identity Panel.

After creating an app, bind it to the service.

Binding an app to the service

To make single sign-on authentication available to your applications, bind them to the single sign-on service.

To bind an app to the service:

  1. Log in to ExchangeAware.
  2. Select the application that you want to bind. From the ExchangeAware dashboard, click BIND A SERVICE.
  3. Select the single sign-on service from the list and click ADD.
  4. Select the service.
  5. Click INTEGRATE.
  6. Review the URL for your application that consumes the authentication tokens and retrieves the user profile.
  7. Enter a display name for the application.
  8. Select the identity sources that you want to be available in your application. The identity sources are the types of logins that your users can choose from to log in to your application.
  9. Click Save.
  10. If you are binding a Node.js app, click the link to download the module. Then, extract the module file into a new directory that you create as follows:
    1. Locate the node_modules directory of your application.
    2. Create a subdirectory named passport-idaas-openidconnect in the node_modules directory.
    3. Extract the Node.js module in the passport-idaas-openidconnect directory.
  11. Continue with the steps for configuring the application.

Note: If you receive an error message when you bind an application, try the bind operation again. For example, you might see an error such as Service broker error: “This application type is not supported.” The error might result because the bind operation was attempted soon after the application was created. Try the bind operation again later.

Configuring a Node.js app

To use your Node.js app with the Single Sign On service, you must make some modifications to its code.

Before you begin, ensure that you:

  1. Downloaded the Node.js module from the Configure Application panel as described in Binding an app to the service.
  2. Created a directory named passport-idaas-openidconnect in the node_modules directory.
  3. Extracted the Node.js module file in the passport-idaas-openidconnect directory.

To configure a Node.js app:

  1. Run the following command in the directory for your application:

npm install passport

  1. Copy the following code and paste it below any other require statements in your application.

var passport = require(‘passport’);

var OpenIDConnectStrategy = require(‘passport-idaas-openidconnect’).IDaaSOIDCStrategy;

  1. Copy the following code.


app.use(express.session({ secret: ‘keyboard cat’ }));




passport.serializeUser(function(user, done) {

done(null, user);



passport.deserializeUser(function(obj, done) {

done(null, obj);



// VCAP_SERVICES contains all the credentials of services bound to

// this application. For details of its content, please refer to

// the document or sample of each service.

var services = JSON.parse(process.env.VCAP_SERVICES || “{}”);

var ssoConfig = services.SingleSignOn[0];

var client_id = ssoConfig.credentials.clientId;

var client_secret = ssoConfig.credentials.secret;

var authorization_url = ssoConfig.credentials.authorizationEndpointUrl;

var token_url = ssoConfig.credentials.tokenEndpointUrl;

var issuer_id = ssoConfig.credentials.issuerIdentifier;

var callback_url = PUT_CALLBACK_URL_HERE;


var OpenIDConnectStrategy = require(‘passport-idaas-openidconnect’).IDaaSOIDCStrategy;

var Strategy = new OpenIDConnectStrategy({

authorizationURL : authorization_url,

tokenURL : token_url,

clientID : client_id,

scope: ‘openid’,

response_type: ‘code’,

clientSecret : client_secret,

callbackURL : callback_url,

skipUserProfile: true,

issuer: issuer_id},

function(accessToken, refreshToken, profile, done) {

process.nextTick(function() {

profile.accessToken = accessToken;

profile.refreshToken = refreshToken;

done(null, profile);





app.get(‘/login’, passport.authenticate(‘openidconnect’, {}));


function ensureAuthenticated(req, res, next) {

if(!req.isAuthenticated()) {

req.session.originalUrl = req.originalUrl;


} else {

return next();



  1. Paste the code in your app.js file after the require statement and between the lines ‘var app = express()’ and ‘app.use(app.router)’.
  2. In the code you pasted, locate the text that says PUT_CALLBACK_URL_HERE.
  3. Replace that text with the callback URL.
  4. Write code for your callback URL to specify what the app does after a user logs in.

Use this example callback code as a guide:

app.get(‘/auth/sso/callback’,function(req,res,next) {


successRedirect: ‘/hello’,

failureRedirect: ‘/failure’,



In the example, after users successfully log in, they are directed to the /hello page. See the example /hello page that is provided. The ensureAuthenticated callback in the example requires unauthenticated users to log in using single sign-on, but displays the requested page to authenticated users.

If users are unauthenticated when they access the page, they are directed to the login page. If they are authenticated, then the page is displayed.

‘Hello, USER_NAME!’

USER_NAME is replaced with the user’s name.

app.get(‘/hello’, ensureAuthenticated, function(req, res) {

res.send(‘Hello, ‘+ req.user[‘id’] + ‘!’);


If the login fails, users are directed to the /failure page.

app.get(‘/failure’, function(req, res) {

res.send(‘login failed’); });

The path to the resource that was originally requested is stored in the req.session.originalUrl property. The example shows a callback function that redirects users to the page they originally requested before they logged in.

app.get(‘/auth/sso/callback’,function(req,res,next) {

var redirect_url = req.session.originalUrl;

passport.authenticate(‘openidconnect’, {

successRedirect: redirect_url,

failureRedirect: ‘/failure’,



  1. For each page that requires authentication, add the ensureAuthenticated callback in the app.get functions.
  2. Save the files.

Deploying the app

After you bind and configure your app to use the Single Sign On service, you must redeploy it.

The steps that follow show one way to deploy. For more information, see the App Deployment guide in the Support Center

  1. Log in to ExchangeAware.
  2. Run the following command from the command line interface:

$ cf push appname

Replace appname with the name of your application.

The application is now bound to the service and is ready to use.