Protect Node-RED

Node-RED is flexible in how it accommodates authentication and authorization with OAuth, SAML, and OIDC.

The Node-RED editor and admin API can be protected with a login. This login can be enabled during installation, or afterwards by editing the settings.js file that ships with Node-RED. The conventional way is to add a username and a password hash to that file, with the hash generated by the Node-RED admin command-line tool.

Alternatively, SAML (Security Assertion Markup Language), OAuth, or OIDC can be used in conjunction with Node-RED to provide the login.

Node-RED can use strategies provided by passport (http://passportjs.org/). Node-RED also has authentication modules available for both Twitter and GitHub. These can be used as a template for similar OAuth-based authentication strategies. For more information, see https://nodered.org/docs/user-guide/runtime/securing-node-red.
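The following is an added example, not code from Node-RED, passport, or this page, of the OAuth-strategy form of adminAuth that the Twitter and GitHub modules above serve as templates for. It assumes the passport-github2 package (its verify callback receives accessToken, refreshToken, profile, done) and a client ID and secret issued by the OAuth provider; the allow-list of account names is constructed. The security point it shows is that an OAuth login only proves that the user controls an account at the provider; which accounts may enter the editor, and with what permissions, is decided here, so anyone not on the list is refused.

```javascript
// Added example (not Node-RED's or passport's own code): an adminAuth
// "strategy" configuration whose verify callback admits only an explicit
// allow-list of OAuth accounts and maps each to Node-RED permissions.
// Assumptions: the passport-github2 Strategy class is passed in by the
// caller; the account names below are constructed.

// Constructed allow-list: OAuth account name -> Node-RED permissions.
const ALLOWED_ACCOUNTS = {
  "nr-operator": "*",     // full editor access
  "nr-auditor": "read",   // may view flows, cannot deploy
};

// passport verify callback. Refusing (done(null, false)) rather than
// returning an error keeps unknown accounts from learning anything beyond
// "login refused". hasOwnProperty guards against prototype keys such as
// "constructor" matching the lookup.
function verifyProfile(accessToken, refreshToken, profile, done) {
  const name = profile && profile.username;
  if (!name || !Object.prototype.hasOwnProperty.call(ALLOWED_ACCOUNTS, name)) {
    return done(null, false);
  }
  return done(null, { username: name, permissions: ALLOWED_ACCOUNTS[name] });
}

// Build the adminAuth object for settings.js. StrategyClass is, for this
// example, require("passport-github2").Strategy; baseUrl is the public URL
// of the Node-RED instance, and Node-RED serves the callback at
// /auth/strategy/callback.
function buildAdminAuth(StrategyClass, clientID, clientSecret, baseUrl) {
  return {
    type: "strategy",
    strategy: {
      name: "github",
      label: "Sign in with GitHub",
      icon: "fa-github",
      strategy: StrategyClass,
      options: {
        clientID: clientID,
        clientSecret: clientSecret,
        callbackURL: baseUrl + "/auth/strategy/callback",
        verify: verifyProfile,
      },
    },
    // The users list is the second gate: Node-RED grants at most the
    // permissions listed here for the username the callback returns.
    users: Object.keys(ALLOWED_ACCOUNTS).map(function (u) {
      return { username: u, permissions: ALLOWED_ACCOUNTS[u] };
    }),
  };
}
```

In settings.js the object is wired up as adminAuth: buildAdminAuth(require("passport-github2").Strategy, process.env.GITHUB_CLIENT_ID, process.env.GITHUB_CLIENT_SECRET, "https://nodered.example.org"), reading the client secret from the environment rather than committing it to the file.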

What is SAML?

Security Assertion Markup Language (SAML) is an XML-based open standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP) (Auth0 by Okta. SAML Authentication, Explained). The identity provider performs authentication and passes on the user's identity, whilst the service provider trusts the identity provider, usually by validating its signing certificate, and authorizes the given user to access the requested resource.

SAML vs OAuth vs OIDC

It is easy to confuse SAML with OAuth, as both can be used for Single Sign-On (SSO). SAML is an authentication process, while OAuth is an authorization process. SAML is user-specific, whilst OAuth tends to be application-specific.

  • SAML allows for users to be managed from a central location. One password unlocks all the services a user requires.

  • With OAuth, a user typically needs to sign in to each application with the same OAuth identity provider.

  • OIDC (OpenID Connect) is a strategy similar to SAML but, unlike SAML, it allows data to be sent to a server via an HTTP redirect as well as posted directly.

Which method to choose?

Each method has pros and cons, and the best method for you depends on your installation, environment, and resources. SAML is more established but OIDC is more modern.

For more information, see the following topics: