 

desktop client application for SSO using SAML

I need to write a desktop-based client application which does some web service method calls to a SharePoint server, after doing a SAML-based SSO authentication.

I found that SAML SSO is mostly used from the browser, which takes care of all the details. According to this question, it seems there is a technology in SAML 2.0 called ECP just for enabling non-browser-based clients.

Yet some applications like SharePoint 2010/2013 only support SAML 1.1; what can be used in this case?

asked by aroy, Jan 13 '15 08:01



1 Answer

You haven't mentioned the technology, so I can only share my experience. We were required to have SSO in a desktop application (WPF) that is using WCF services. I started with the information from this link. The solution is to use WIF for retrieving the SAML token from the identity provider and using it to establish the connection to our backend server.

  1. To obtain the token

    using System.IdentityModel.Protocols.WSTrust;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    // TrustChannelBindingConfiguration and StServiceUri are the names of the
    // binding configuration and the STS endpoint address taken from app.config.
    WSTrustChannelFactory GetTrustFactory()
    {
        var binding = new WS2007HttpBinding(TrustChannelBindingConfiguration);
        return new WSTrustChannelFactory(binding, StServiceUri);
    }

    SecurityToken GetTokenFromSts()
    {
        using (var trustFactory = GetTrustFactory())
        {
            // here is the code to set trustFactory.Credentials
            // (Windows or UserName credentials, depending on the STS endpoint)
            trustFactory.TrustVersion = TrustVersion.WSTrust13;

            // Ask the STS for a bearer token scoped (AppliesTo) to the backend service.
            var rst = new RequestSecurityToken
                      {
                          RequestType = RequestTypes.Issue,
                          AppliesTo = new EndpointReference(YourServiceUri),
                          KeyType = KeyTypes.Bearer
                      };

            var channel = (WSTrustChannel) trustFactory.CreateChannel();
            try
            {
                return channel.Issue(rst);
            }
            catch (MessageSecurityException msex)
            {
                // A faulted channel must be aborted, never closed.
                channel.Abort();
                // EMException is the application's own exception type;
                // InnerException may be null, so fall back to the outer message.
                var cause = msex.InnerException ?? msex;
                throw new EMException(cause.Message, msex);
            }
        }
    }
    
  2. Then the obtained token is used in service calls:

    using System.ServiceModel;

    // FederationBinding is the name of the ws2007FederationHttpBinding
    // configuration in app.config (secure sessions are turned off there).
    // YourReturnType stands for whatever YourMethod() returns.
    YourReturnType CallYourMethod()
    {
        // 1. Obtain the token from the STS
        var securityToken = GetTokenFromSts();

        // 2. Create a channel with issued token to YourServiceInterface
        var binding = new WS2007FederationHttpBinding(FederationBinding);

        var factory = new ChannelFactory<YourServiceInterface>(binding,
                          new EndpointAddress(YourServiceUri));

        // never let WCF pop up a credential dialog from a service call
        factory.Credentials.SupportInteractive = false;

        var channel = factory.CreateChannelWithIssuedToken(securityToken);
        try
        {
            // 3. Call YourMethod() on secured channel
            return channel.YourMethod();
        }
        catch
        {
            // abort the faulted proxy and let the caller handle the failure
            ((IClientChannel) channel).Abort();
            throw;
        }
    }
    

The main approach from the link hasn't really been changed; we just added token caching and incorporated this code into our channel-handling framework. The code is used to authenticate the desktop client against an ADFS server and to use the claims in our backend server for authorization.

answered by Roman Ananyev, Nov 06 '22 02:11

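The two steps of the answer above combined into one runnable client, as an added example that is not the answer's or the linked article's own code. It goes beyond the answer in two ways: the bindings are built in code rather than taken from app.config, and the RequestSecurityToken carries an explicit TokenType, which is how a WS-Trust client asks the STS for a SAML 1.1 assertion (the format SharePoint 2010/2013 consume) instead of SAML 2.0. It also shows the token caching the answer mentions, keyed on the token's ValidTo with a skew margin. The STS and service URIs, the ADFS "usernamemixed" endpoint path, the IBackendService contract and the WhoAmI operation are assumptions; the two token-type URIs are the WS-Security SAML Token Profile identifiers, and whether the STS honours the requested type depends on how the relying-party trust is configured.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical backend contract standing in for the answer's YourServiceInterface.
[ServiceContract]
public interface IBackendService
{
    [OperationContract]
    string WhoAmI();
}

public sealed class IssuedTokenClient
{
    // Assumed endpoints: ADFS WS-Trust 1.3 username endpoint and the backend WCF service.
    static readonly Uri StsUri =
        new Uri("https://adfs.example.com/adfs/services/trust/13/usernamemixed");
    static readonly Uri ServiceUri = new Uri("https://backend.example.com/Service.svc");

    // WS-Security SAML Token Profile identifiers. SharePoint 2010/2013 consume SAML 1.1
    // assertions, so request Saml11TokenType when the relying party is SharePoint.
    public const string Saml11TokenType = "urn:oasis:names:tc:SAML:1.0:assertion";
    public const string Saml2TokenType = "urn:oasis:names:tc:SAML:2.0:assertion";

    readonly string _tokenType;
    readonly object _gate = new object();
    SecurityToken _cached;

    public IssuedTokenClient(string tokenType) { _tokenType = tokenType; }

    // Step 1: WS-Trust Issue. The cached token is reused until it is within 60 seconds
    // of expiry (clock-skew margin), so not every service call hits the STS.
    SecurityToken GetToken(string user, string password)
    {
        lock (_gate)
        {
            if (_cached != null && _cached.ValidTo > DateTime.UtcNow.AddSeconds(60))
                return _cached;

            // Credentials travel in the SOAP message, so TLS on the transport is mandatory.
            var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Message.EstablishSecurityContext = false;

            using (var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsUri)))
            {
                factory.TrustVersion = TrustVersion.WSTrust13;
                factory.Credentials.UserName.UserName = user;
                factory.Credentials.UserName.Password = password;

                var rst = new RequestSecurityToken
                {
                    RequestType = RequestTypes.Issue,
                    AppliesTo = new EndpointReference(ServiceUri.AbsoluteUri),
                    KeyType = KeyTypes.Bearer,
                    TokenType = _tokenType   // SAML 1.1 or SAML 2.0, see the constants above
                };

                var channel = (WSTrustChannel)factory.CreateChannel();
                try
                {
                    _cached = channel.Issue(rst);
                    channel.Close();
                    return _cached;
                }
                catch
                {
                    channel.Abort();   // a faulted channel must be aborted, not closed
                    throw;
                }
            }
        }
    }

    // Step 2: present the issued token to the backend on a federation binding.
    public string CallWhoAmI(string user, string password)
    {
        SecurityToken token = GetToken(user, password);

        // A bearer token carries no proof key, so the message must ride on TLS;
        // with no secure session each call is just the token plus the SOAP body.
        var binding = new WS2007FederationHttpBinding(
            WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        binding.Security.Message.IssuedTokenType = _tokenType;

        var factory = new ChannelFactory<IBackendService>(binding, new EndpointAddress(ServiceUri));
        factory.Credentials.SupportInteractive = false;   // never pop a credential dialog

        IBackendService channel = factory.CreateChannelWithIssuedToken(token);
        try
        {
            string result = channel.WhoAmI();
            ((IClientChannel)channel).Close();
            return result;
        }
        catch
        {
            ((IClientChannel)channel).Abort();
            throw;
        }
        finally
        {
            if (factory.State == CommunicationState.Faulted) factory.Abort();
            else factory.Close();
        }
    }
}
```

Usage: `new IssuedTokenClient(IssuedTokenClient.Saml11TokenType).CallWhoAmI(user, password)`. Two things to check before relying on it: the STS must actually issue the requested token type for the AppliesTo audience (ADFS rejects mismatched relying-party configuration with a MessageSecurityException, the same exception the answer catches), and the cache should be invalidated when the user or the target audience changes, since a token issued for one AppliesTo is not valid for another.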