I am having trouble configuring my application to consume the SAML response from an external identity provider (in this case, OneLogin). My application has a JavaScript (Angular 5) front-end and a .NET back-end.
Here is our current workflow when using our own identity provider and service provider.
- User navigates to our application in the browser and receives a 401 Unauthorized when requesting resources from the API.
- User is redirected to the login page.
- User enters credentials which are posted to our server-side identity provider.
- If the user is authenticated, the identity provider returns a SAML response to the client.
- Client posts the SAML response to the service provider.
- Service provider returns the tokens needed to access the rest of the API.
Now a customer has requested we integrate their external identity provider using OneLogin. Here is what I understand to be the new workflow.
- User navigates to our application in the browser and receives a 401 Unauthorized when requesting resources from the API.
- User is redirected to the OneLogin (external identity provider) page.
- User enters credentials which are authenticated by OneLogin.
- OneLogin will post to our provided service provider endpoint with the SAML response as form data in the HTTP POST.
- If the post is successful, the user will be redirected to whatever URL was provided when configuring OneLogin.
- ?????? (Our front-end still has no idea who the user is or whether or not they are authenticated).
Currently, all communication between our Angular front-end (client) and .NET back-end (server) is initiated by the client. What I really need is for the client to receive the SAML response form data that is posted by OneLogin, so that I can initiate authorization with our service provider and receive the appropriate response in the client. From what I understand, though, I won't be able to consume the form data client-side. I was hoping I could have the external identity provider redirect to a page on our front-end and encode that SAML response as a query parameter, but I am not seeing any way to do that.
I feel like there is something I am missing, but all the OneLogin examples seem to be the OneLogin identity provider communicating with a server side service provider and no mention of the client side. I could use some help better understanding what I need to do to accomplish my goal of informing the client that the user is authenticated and authorized.
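To make the server-side half of the second workflow concrete (steps 13 and 14: OneLogin POSTs `SAMLResponse` as form data to the assertion consumer service (ACS) endpoint, and the response to that POST is a redirect back to the front-end), here is an added example that is not part of the original question and not OneLogin's or the asker's code. It shows what the ACS handler actually holds once the form POST arrives: the base64-decoded Response XML, the subject's NameID, and the conditions the SP must check before it trusts the assertion. The sample Response, the entity IDs (`sp.example.test`, `idp.example.test`), the ACS URL, the request ID `_req1` and the front-end URL are all constructed placeholders. XML signature verification is deliberately left to a real SAML library and passed in as a boolean; the example only illustrates the surrounding checks.

```python
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: a minimal Response of the kind an IdP POSTs to the ACS.
# It carries no XML signature, so it illustrates the parsed shape only.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.test/acs"
    InResponseTo="_req1">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC with a trailing 'Z'; return a tz-aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def build_acs_post_body(xml_text, relay_state):
    """Encode a Response the way the IdP's auto-submitted browser form does."""
    b64 = base64.b64encode(xml_text.encode()).decode()
    return urllib.parse.urlencode({"SAMLResponse": b64, "RelayState": relay_state})


def parse_acs_post(body):
    """Read the application/x-www-form-urlencoded body the browser POSTs to the ACS."""
    form = urllib.parse.parse_qs(body, strict_parsing=True)
    xml_text = base64.b64decode(form["SAMLResponse"][0]).decode()
    relay_state = form.get("RelayState", [""])[0]
    return xml_text, relay_state


def inspect_response(xml_text):
    """Pull the facts an SP needs out of the Response. A production SP should parse with
    a hardened parser (DTDs and external entities disabled) and reject multiple assertions
    or an encrypted assertion it cannot decrypt; this example handles the plain case."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one plain saml:Assertion")
    assertion = assertions[0]
    conditions = assertion.find("saml:Conditions", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "status_ok": status == STATUS_SUCCESS,
        "destination": root.get("Destination"),
        "in_response_to": root.get("InResponseTo"),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": parse_saml_time(conditions.get("NotBefore")),
        "not_on_or_after": parse_saml_time(conditions.get("NotOnOrAfter")),
        # Presence of a ds:Signature says nothing about validity; only a library check does.
        "has_signature": assertion.find("ds:Signature", NS) is not None
        or root.find("ds:Signature", NS) is not None,
    }


def acs_decision(facts, expected, now, signature_verified, frontend_url):
    """Decide what the ACS endpoint answers to the POST.
    `expected` holds the SP's own values: audience (its entity ID), destination (its ACS
    URL) and request_id (the AuthnRequest ID it stored when it redirected the user to the
    IdP, matched against InResponseTo). `signature_verified` is the result of a real
    XML-DSig check done by a SAML library, which this example does not implement."""
    if not signature_verified:
        return ("reject", "signature not verified")
    if not facts["status_ok"]:
        return ("reject", "IdP reported a non-success status")
    if facts["destination"] != expected["destination"]:
        return ("reject", "Destination does not match this ACS URL")
    if facts["in_response_to"] != expected["request_id"]:
        return ("reject", "InResponseTo does not match a pending AuthnRequest")
    if expected["audience"] not in facts["audiences"]:
        return ("reject", "assertion not intended for this SP")
    if now < facts["not_before"] or now >= facts["not_on_or_after"]:
        return ("reject", "assertion outside its validity window")
    # Only here does the server know who the user is (facts["name_id"]). It establishes its
    # own session (cookie or API tokens) and then answers the POST with a redirect to the
    # front-end, which is the redirect in step 14. RelayState is opaque echoed state, not a
    # trusted redirect target, so the destination is the SP's own configured URL.
    return ("redirect", frontend_url)
```

The point the example makes for the question above is that the assertion never reaches the browser as readable data: the POST lands on the server, the server validates it and creates whatever session or token the API expects, and the browser only sees the resulting redirect to the front-end.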