
I have a main website that uses passive federation (ADFS 2.0). This website has JavaScript that calls out to an MVC Web API site using JSONP.

I am trying to get this Web API to participate in single sign-on (same machine, different port). However, the passive redirects break the JSONP (the STS returns its own script, which the browser renders, and I never get to redirect to the real URL for my response script).

Is passive federation compatible with a JSONP Web API? If not, how do I use active federation without username/password credentials? I.e. the user will be authenticated via the main website before calling the Web API, so how do I leverage the fact that they are already logged in, in the Web API?


1 Answer


The passive federation protocol won't work in this scenario, as you are experiencing.

You have two options:

  • If your Web API is used exclusively by your website, you can share the cookie that is generated by WIF when the user authenticates. To do that, if you are using different websites, you should configure the <cookieHandler> section in the WIF configuration to use the same domain and path, and use an FQDN (instead of machine names), so that the browser identifies both the website and the API as the same domain.

  • The second option is to configure the Web API to extract and validate SAML tokens (generated during authentication). What you would have to do here is save the token that was used for authentication (turn on saveBootstrapTokens on the <service> element of the WIF configuration), get it by using the claimsIdentity.GetBootstrapToken() extension method, and attach the token to the JavaScript call as an HTTP header like "Authorization: Bearer ...the-token...". On the server side you have to get that and validate the token (programmatically). Note that you might hit a quota in IIS because of the header length if the token is too big.
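The second option, worked through end to end as an added example (this is not code from the original answer). It targets WIF 3.5 (the Microsoft.IdentityModel assemblies used with ADFS 2.0) and ASP.NET Web API, and assumes `<service saveBootstrapTokens="true">` is set in the main site's `<microsoft.identityModel>` configuration and that the Web API site has its own `<microsoft.identityModel>` section with the issuer and audience it should trust. The class and member names `BootstrapTokenExporter`, `GetEncodedBootstrapToken`, `SamlBearerTokenHandler` and the 16 KB constant are this example's own choices. One caveat the original answer does not mention: a JSONP call is a `<script>` tag and cannot carry an `Authorization` header, so the client side of this design has to use XMLHttpRequest with CORS (or another same-origin mechanism) instead of JSONP. On .NET 4.5 the same pattern applies but the namespaces are `System.IdentityModel` / `System.Security.Claims`, and the saved token is exposed as `BootstrapContext` rather than `GetBootstrapToken()`.

```csharp
// Added example, not from the original post. WIF 3.5 (Microsoft.IdentityModel) + ASP.NET Web API.
// Assumes <service saveBootstrapTokens="true"> on the main site and an XHR/CORS client (not JSONP).
using System;
using System.IdentityModel.Tokens;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

// --- Main website (passive federation): serialize the saved bootstrap token for the page's script. ---
public static class BootstrapTokenExporter
{
    // HTTP.sys rejects a single request header larger than 16 KB by default (MaxFieldLength, registry
    // configurable). A SAML token carrying many claims can exceed that, so check before handing it out.
    private const int MaxHeaderBytes = 16 * 1024;   // example constant, not a WIF setting

    public static string GetEncodedBootstrapToken(IClaimsIdentity identity)
    {
        // The extension method named in the answer; returns null unless saveBootstrapTokens="true".
        SecurityToken token = identity.GetBootstrapToken();
        if (token == null)
            throw new InvalidOperationException("No bootstrap token saved; enable saveBootstrapTokens in config.");

        SecurityTokenHandlerCollection handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
        var xml = new StringBuilder();
        using (XmlWriter writer = XmlWriter.Create(xml, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            handlers.WriteToken(writer, token);   // re-serialize the original signed <saml:Assertion>
        }

        string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(xml.ToString()));
        if (encoded.Length > MaxHeaderBytes - "Authorization: Bearer ".Length)
            throw new InvalidOperationException("Token too large for a request header; reduce claims or use the shared-cookie option.");
        return encoded;
    }
}

// --- Web API site: validate the bearer SAML token on every request before any controller runs. ---
// Register with: GlobalConfiguration.Configuration.MessageHandlers.Add(new SamlBearerTokenHandler());
public class SamlBearerTokenHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth == null
            || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(auth.Parameter))
        {
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized));
        }

        try
        {
            string tokenXml = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter));
            SecurityTokenHandlerCollection handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;

            // The token is attacker-controlled XML until ValidateToken succeeds: forbid DTDs and external resolution.
            var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
            using (XmlReader reader = XmlReader.Create(new StringReader(tokenXml), settings))
            {
                SecurityToken token = handlers.ReadToken(reader);
                // ValidateToken checks the signature, trusted issuer (issuerNameRegistry), audience URI
                // and validity period according to this site's <microsoft.identityModel> configuration.
                ClaimsIdentityCollection identities = handlers.ValidateToken(token);
                var principal = new ClaimsPrincipal(identities);
                Thread.CurrentPrincipal = principal;
                if (HttpContext.Current != null)
                    HttpContext.Current.User = principal;
            }
        }
        catch (FormatException)        { return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized)); } // bad base64
        catch (XmlException)           { return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized)); } // not XML
        catch (SecurityTokenException) { return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized)); } // failed validation

        return base.SendAsync(request, cancellationToken);
    }
}
```

The main site emits the string returned by `GetEncodedBootstrapToken` into the page (for example as a JavaScript variable), and the page sends it as `Authorization: Bearer <value>` on an XMLHttpRequest to the API. Because the API re-validates the signature, issuer and audience itself, it never has to trust the main site's session cookie, which is what makes this work across ports and hosts where the cookie-sharing option does not.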