
re-using a SAML token, client side for a JSON webservice - after logging in the website

I'm building a web site which is secured using a SAML token for single sign on. One of the forms has a lot of input fields, which should trigger updates and validation on the same, or other, input fields and table content.

The validation and updates are handled server side. An update of a value on the form triggers javascript that notifies the server, using a WCF JSON web service. The service then returns new values and validation messages.

The problem is, the web service should be secured and access should be granted, using the SAML token issued to the user by logging on to the website.

[Edit: more research done] After authenticating, the SAML token is always passed to the server in the form of a FedAuth cookie. Adding the token to the JSON (or ajax) GET header isn't needed. The problem is, I can't seem to let WIF handle the verification of the cookie. So I removed the federated authentication from the JSON service and will try to read the cookie from HttpContext. Which works, but I can't get it decrypted.

Is there anyone with experience with this?

Simon Smeets asked Feb 04 '12 10:02



1 Answer

The token is not passed as a FedAuth cookie. That is generated by the website itself (by WIF really). The token is usually passed as a POST upon successful authentication in the IdP.

If the web services are co-hosted in the same website, then it all "just works", thanks to WIF magic. The calls to the services will include the cookie and WIF will happily parse/verify it, and give you an IPrincipal (an IClaimsPrincipal).

Eugenio Pace answered Nov 14 '22 23:11
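The following is an added example (not code from the question or the answer above) of what the co-hosted case looks like on the service side: a WCF JSON service that never touches the FedAuth cookie itself, but reads the IClaimsPrincipal that WIF's SessionAuthenticationModule has already built from it, and refuses the call when no authenticated principal is present. It assumes WIF 3.5 (Microsoft.IdentityModel.dll) since the answer refers to IClaimsPrincipal; the service, contract and data-class names (IFormValidationService, FormUpdate, ValidationResult) and the validation rule are hypothetical placeholders.

```csharp
using System;
using System.Linq;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Threading;
using Microsoft.IdentityModel.Claims;   // WIF 3.5: IClaimsPrincipal, IClaimsIdentity, ClaimTypes

// Hypothetical contract for the form's "value changed" callback.
[ServiceContract]
public interface IFormValidationService
{
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "validate",
               RequestFormat = WebMessageFormat.Json,
               ResponseFormat = WebMessageFormat.Json)]
    ValidationResult Validate(FormUpdate update);
}

// Hypothetical request/response shapes sent as JSON by the page's javascript.
public class FormUpdate
{
    public string FieldName { get; set; }
    public string Value { get; set; }
}

public class ValidationResult
{
    public bool IsValid { get; set; }
    public string Message { get; set; }
    public string ValidatedFor { get; set; }
}

// Running inside the ASP.NET pipeline is what lets the WIF HTTP modules
// registered in web.config (WSFederationAuthenticationModule and
// SessionAuthenticationModule) process the FedAuth cookie before this code runs.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class FormValidationService : IFormValidationService
{
    public ValidationResult Validate(FormUpdate update)
    {
        // SessionAuthenticationModule has already decrypted and validated the
        // session cookie and set the principal; there is nothing to decrypt here.
        var principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            // No valid session on the request: answer 401 instead of validating.
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
            return new ValidationResult { IsValid = false, Message = "Not authenticated." };
        }

        var identity = (IClaimsIdentity)principal.Identity;

        // Take the user's identity from the claims that came out of the SAML token,
        // so any per-user lookups are scoped to the signed-in user, not to a value
        // the client could put in the JSON body.
        string nameId = identity.Claims
            .Where(c => c.ClaimType == ClaimTypes.NameIdentifier)
            .Select(c => c.Value)
            .FirstOrDefault() ?? identity.Name;

        // Placeholder for the real server-side validation of the changed field.
        bool ok = update != null && !string.IsNullOrWhiteSpace(update.Value);
        return new ValidationResult
        {
            IsValid = ok,
            Message = ok ? "OK" : (update == null ? "No update." : update.FieldName + " is required."),
            ValidatedFor = nameId
        };
    }
}
```

Two things make this work without any cookie handling in the service code: the service must be hosted in the same site (same host and path scope as the FedAuth cookie) with `aspNetCompatibilityEnabled="true"` on `serviceHostingEnvironment`, and the javascript call must be same-origin so the browser attaches the cookie. If the principal is not authenticated the request either carried no FedAuth cookie or WIF rejected it, which is exactly the case the service should refuse. On .NET 4.5, where WIF moved into the framework, the same check reads `System.Security.Claims.ClaimsPrincipal.Current` instead of casting `Thread.CurrentPrincipal` to `IClaimsPrincipal`.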