I'm building a web site which is secured using a SAML token for single sign-on. One of the forms has a lot of input fields, which should trigger updates and validation on the same, or other, input fields and table content.
The validation and updates are handled server side. An update of a value on the form triggers JavaScript that notifies the server, using a WCF JSON web service. The service then returns new values and validation messages.
The problem is, the web service should be secured and access should be granted using the SAML token issued to the user by logging on to the website.
[Edit: more research done] After authenticating, the SAML token is always passed to the server in the form of a FedAuth cookie. Adding the token to the JSON (or AJAX) GET header isn't needed. The problem is, I can't seem to let WIF handle the verification of the cookie. So I removed the federated authentication from the JSON service and will try to read the cookie from HttpContext. Which works, but I can't get it decrypted.
Is there anyone with experience in this?
Security Assertion Markup Language (SAML) tokens are XML representations of claims. By default, the SAML tokens that Windows Communication Foundation (WCF) uses in federated security scenarios are issued tokens. SAML tokens carry statements that are sets of claims made by one entity about another entity.
JSON Web Token (JWT) is a specification for a token that can be used in many applications or protocols; it happens that the OpenID Connect (OIDC) protocol uses the JWT. SAML also defines its own token, the SAML Assertion, as does OAuth 2 with its Access Token.
Ian, so just to confirm, the SAML token is NEVER stored in any form inside any (session or persistent) cookies; the only way it is stored is in the URL cache.
A Security Assertion Markup Language (SAML) authorization assertion contains proof that a certain user has been authorized to access a specified resource. Typically, such assertions are issued by a SAML Policy Decision Point (PDP) when a client requests access to a specified resource.
The token is not passed as a FedAuth cookie. That is generated by the website itself (by WIF, really). The token is usually passed as a POST upon successful authentication in the IdP.
If the web services are co-hosted in the same website, then it all "just works", thanks to WIF magic. The calls to the services will include the cookie and WIF will happily parse/verify it, and give you an IPrincipal (an IClaimsPrincipal).
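The arrangement described in the answer, as an added example that is not the poster's or the answerer's code: a JSON WCF service co-hosted in the same ASP.NET application as the WS-Federation-protected pages. It opts into ASP.NET compatibility so the WIF HTTP modules decrypt and validate the FedAuth cookie before the operation runs, then fails closed when no authenticated claims principal is present. The `FieldUpdate`/`ValidationResult` contracts, the `FormEditor` role name, the `X-Requested-With` requirement and the `PrincipalFromSessionCookie` fallback are assumptions for illustration; the namespaces are the WIF 3.5 (`Microsoft.IdentityModel`) ones the thread's `IClaimsPrincipal` implies.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;
using Microsoft.IdentityModel.Claims;   // WIF 3.5: IClaimsPrincipal, IClaimsIdentity, ClaimTypes
using Microsoft.IdentityModel.Tokens;   // SessionSecurityToken
using Microsoft.IdentityModel.Web;      // FederatedAuthentication

// Hypothetical request/response contracts for the form's field validation.
[DataContract]
public class FieldUpdate
{
    [DataMember] public string FieldName { get; set; }
    [DataMember] public string Value { get; set; }
}

[DataContract]
public class ValidationResult
{
    [DataMember] public bool Ok { get; set; }
    [DataMember] public string Message { get; set; }
    [DataMember] public string ValidatedBy { get; set; }
}

// Co-hosted with the federated pages. AspNetCompatibilityRequirementsMode.Required (plus
// aspNetCompatibilityEnabled="true" in web.config) makes the ASP.NET module pipeline run for
// service calls, so WSFederationAuthenticationModule and SessionAuthenticationModule have
// already decrypted the FedAuth cookie and set HttpContext.Current.User. The service never
// has to read or decrypt the raw cookie itself.
[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class FieldValidationService
{
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "validate",
               RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    public ValidationResult Validate(FieldUpdate update)
    {
        var response = WebOperationContext.Current.OutgoingResponse;

        // 1. Authentication. WIF leaves the request anonymous when the cookie is missing,
        //    expired, or fails decryption/signature checks, so anything that is not an
        //    authenticated claims principal is rejected.
        var principal = HttpContext.Current.User as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            response.StatusCode = HttpStatusCode.Unauthorized;
            return new ValidationResult { Ok = false, Message = "not authenticated" };
        }

        // 2. CSRF caveat for cookie-authenticated JSON endpoints: the browser attaches the
        //    FedAuth cookie to any request to this origin, including one triggered from a
        //    third-party page. A custom header that a cross-origin form cannot set (with
        //    CORS not enabled on this service) distinguishes the page's own AJAX calls.
        var incoming = WebOperationContext.Current.IncomingRequest;
        if (incoming.Headers["X-Requested-With"] != "XMLHttpRequest")
        {
            response.StatusCode = HttpStatusCode.Forbidden;
            return new ValidationResult { Ok = false, Message = "missing X-Requested-With header" };
        }

        // 3. Authorization on the claims WIF recovered from the session token.
        //    "FormEditor" is a hypothetical role name.
        var identity = (IClaimsIdentity)principal.Identity;
        bool mayEdit = identity.Claims.Any(c => c.ClaimType == ClaimTypes.Role && c.Value == "FormEditor");
        if (!mayEdit)
        {
            response.StatusCode = HttpStatusCode.Forbidden;
            return new ValidationResult { Ok = false, Message = "role FormEditor required" };
        }

        // 4. The field validation the page talks about; a required-field rule stands in
        //    for the form's real rules.
        bool ok = !string.IsNullOrEmpty(update.Value);
        return new ValidationResult
        {
            Ok = ok,
            Message = ok ? null : update.FieldName + " is required",
            ValidatedBy = identity.Name
        };
    }

    // Fallback (assumed usage): if HttpContext.Current.User is not populated for this
    // endpoint, the registered SessionAuthenticationModule can still decrypt the cookie on
    // demand, because it owns the cookie transforms (DPAPI/RSA) that protect the FedAuth
    // cookie. It must be configured in web.config for this to work.
    private static IClaimsPrincipal PrincipalFromSessionCookie()
    {
        var sam = FederatedAuthentication.SessionAuthenticationModule;
        SessionSecurityToken token;
        if (sam != null && sam.TryReadSessionTokenFromCookie(out token) && token.ValidTo > DateTime.UtcNow)
        {
            return token.ClaimsPrincipal;
        }
        return null;
    }
}
```

Wiring this up needs `<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />` under `system.serviceModel`, and the WIF modules (`WSFederationAuthenticationModule`, `SessionAuthenticationModule`) registered in `httpModules`/`modules` for the whole application, not only for the `.aspx` paths. Same-origin calls made with jQuery's `$.ajax` already send `X-Requested-With: XMLHttpRequest`, so the check costs nothing on the page's side. On .NET 4.5 the same code applies with `System.IdentityModel.Services` and `ClaimsPrincipal` in place of the WIF 3.5 types.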