im trying to use saml for our sites login(react front-end and .net api backend) using ITFoxtec package. After logging in on SSO site, the assertion url is getting success message but throwing exception because the XML is empty.
I'm not sure what the problem is in your situation. The SAML 2.0 login and logout has to be handled by the backend .NET server and your React and API security is therefor handled by .NET.
Some info on the topic:
Nuget ITfoxtec SAML & Angular
How to redirect on backend for Angular application using Itfoxtec to access app through Azure Active Directory
Getting error Cannot POST in angular when redirected to call back url with SAML response
Nuget ITfoxtec SAML & Angular
AssertionUrl for AngularJS Application
I have a web app developed using Create-react-app
I host it on IIS, the IIS only response to load the app, there is no server side logic on it (no Express or any other web server)
The app is using a RESTful API on the same IIS, it is out of my control (I cannot make change).
Now one of my client request to add SAML SSO to our app.
I would like to know:
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
For my case, I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Could any one give me some React implement SAML SSO tutorial or article for reference?
Thanks for any help, any information or suggestion are welcome!
in normal situation, which one is the Service Provider? My IIS Web server? or the API service?
I assume the client wants to authenticate the users using their internal IdP. So your application is the SP. But you will have to define different token service (details below).
With SPA (a single-page-applications) I see the problem, in SAML the user is redirected or posted away from the SAML request and SAML response.
I have a login page to enter id/pw, post them to API server Login endpoint to authenticate and get back a JWT token. After that we use that token in API calls for authentication
The API services are using a JWT token issued based on the provided username/password. I'd recommend to extend the token service (or use a different service) to issue a JWT token based on the provided SAML response - a token swap service. In many OAuth implementations it's called SAML grant type.
I cannot implement SAML to API service, my web service only used to load my app without server side logic, how can I implement SAML?
Usually after the authentication the user is redirected or posted to the SAML ACS endpoint URL, where the server can create sort of session (cookie, parameters, token, ..) and the user is redirected to a URL returned the web page with the session information.
If you are using an SPA, you could use a popup window or SAML with redirect (not with post), where the page could read the SAML response parameters (assertion, signature, ..) and use them in the token swap service mentioned above.
When processing the SAML response, try to use some mature, known, out-of-box libraries, it's a security service and not doing it properly may cause security weaknesses. But you need to do that on the server side, as at the end you need the JWT token consumed by the APIs.
I need to integrate angular front end with spring boot backend (REST API's) with SAML 2.0 and my identity provider is keycloak.
I have used SAML2-js library to integrate with the front end, now how do I secure my backend spring rest apis with the saml assertion that I have received after successful login in the frontend. What I can get in front is nameID and session index. If anyone has integrated to secure the spring backend rest API using SAML please let me know any documentation or any write up on these.
Thanks!
What I have done for the above problem is I've used OIDC integration for login flow with 2 clients one for frontend with authorization code flow and another client with bearer only for my backend to secure the REST APIs.
For providing SSO with SAML 2.0 I have used identity brokering from Keycloak which provides seamless SSO.
We have a web application where the appThe lication is downloaded to the client using appcache and runnig int the client. It gets data into to via ajax calls. What it differes from the rest it we do not have a web server but the whole application is downloaded to the client is via an unauthenticated API call (via middleware server). Once the pages are downloaded to th client the login page is loaded and upon successful authentication the client will get a token for the session.
Now we want to secure this with SAML. But since we do not have a web server per say there is no way we can specify a URL (ACS) to redirect in SAML.
How do people implement SAML in this type of scenarios?
SAML only works through browser redirects.
You also have to have an IDP that supports SAML 2.0 e.g. ADFS.
The interaction is between the SAML application and the IDP. There is no 3rd party.
SAML is not ideal for mobile. OpenID Connect is a better choice. Either way, you have to add a client-side stack that supports the protocol to your application.
Also, SAML does not have a web API flow. OIDC does.
I'm trying to implement WebSocket support with Angular+SockJs on front-end, and Spring on backend. We are using Spring Security with OAuth 2.0 token based authorization.
Spec tell us that i should pass token via STOMP client at connect time and use Interceptor on backend to provide Principal. But i don't like this approach because i need to copy logic from Security configuration to get Principal from Token.
Is it possible to catch SockJs request in Angular Interceptor and add Authentication header?