1
votes

I am having trouble configuring my application to consume the SAML response from an external identity provider (in this case, OneLogin). My application has a JavaScript (Angular 5) front-end and .NET back-end.

Here is our current workflow when using our own identity provider and service provider.

  1. User navigates to our application in the browser and receives a 401 unauthorized when requesting resources from the API.
  2. User is redirected to the login page.
  3. User enters credentials which are posted to our server-side identity provider.
  4. If the user is authenticated, the identity provider returns a SAML response to the client.
  5. Client posts the SAML response to the service provider.
  6. Service provider returns the tokens needed to access the rest of the API.

Now a customer has requested we integrate their external identity provider using OneLogin. Here is what I understand to be the new workflow.

  1. User navigates to our application in the browser and receives a 401 unauthorized when requesting resources from the API.
  2. User is redirected to the OneLogin (external identity provider) page.
  3. User enters credentials which are authenticated by OneLogin.
  4. OneLogin will POST to our provided service provider endpoint with the SAML response as form data in the HTTP POST.
  5. If the POST is successful, the user will be redirected to any URL provided when configuring OneLogin.
  6. ?????? (Our front-end still has no idea who the user is or whether or not they are authenticated).

Currently, all communication between our Angular front-end (client) and .NET back-end (server) is initiated by the client. What I really need is for the client to receive that SAML response form data that is posted by OneLogin, so that I can initiate authorization with our service provider and receive the appropriate response in the client, but from what I understand I won't be able to consume the form data client side. I was hoping I could have the external identity provider redirect to a page on our front end and encode that SAML response as a query parameter, but I am not seeing any way to do that.

I feel like there is something I am missing, but all the OneLogin examples seem to be the OneLogin identity provider communicating with a server side service provider and no mention of the client side. I could use some help better understanding what I need to do to accomplish my goal of informing the client that the user is authenticated and authorized.

1
So there are a couple of options, like ComponentSpace and Kentor IT, which have .NET solutions. The IdP (OneLogin) should not ever communicate with your client (browser). Instead there should be communication with your server SP (.NET backend). See ssolloyd

1 Answer

2
votes

What you describe with OneLogin is the SAML2 Web Browser SSO profile. As you see, it's all done through the browser. The user gets redirected from the client to the IdP, where they login. The IdP then POSTs a SAMLResponse to your Attribute Consumer Service (ACS) URL at your back end. It's the ACS's job to decode the SAMLResponse and parse the SAML2 attributes contained within it. It can create a new session at that point if required.

At this point the back end now knows who the user is. So you can initiate another redirect to send the browser to another URL with a parameter that lets the client know it has to retrieve user details from the back end. Perhaps some sort of /sso?token=something URL. The client side can then ask the back end to return JSON, perhaps containing the user information referenced by the token, i.e. a session of some sort the back end has created once the attributes have been verified.
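The handoff the answer describes, written out end to end as an added example; this is not code from the question, the answer, OneLogin or either of the named .NET libraries. Python stands in for the .NET back end so the flow can be run as-is: the ACS decodes the POSTed SAMLResponse, checks Destination, status, the Conditions window, the Audience and an assertion-ID replay cache, creates a server-side session, and redirects the browser to the front end with an opaque single-use token that the client then exchanges for JSON. The URLs, entity IDs, the in-memory `Store`, the `/sso` route and the sample response are all assumptions constructed for the example, and `verify_signature` is a placeholder where a real SAML library's signature check belongs.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.test/metadata"   # assumed SP entityID
ACS_URL = "https://sp.example.test/saml/acs"        # assumed ACS URL registered at the IdP
FRONTEND_SSO_URL = "https://app.example.test/sso"   # assumed Angular landing route
HANDOFF_TTL = timedelta(seconds=60)                 # lifetime of the one-time handoff token

# Constructed sample of what the IdP would POST as SAMLResponse (before base64); unsigned here.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_resp1" Version="2.0" Destination="https://sp.example.test/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>admins</saml:AttributeValue><saml:AttributeValue>dev</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

@dataclass
class Store:
    # In-memory stand-in for whatever state store the real back end uses.
    sessions: dict = field(default_factory=dict)
    handoff: dict = field(default_factory=dict)           # token -> (session_id, expiry)
    seen_assertion_ids: set = field(default_factory=set)  # replay cache

def verify_signature(xml_bytes: bytes) -> bool:
    # Placeholder: a real ACS must verify the IdP's XML signature with a SAML library first.
    return True

def _ts(value: str) -> datetime:
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.strptime(value.replace("Z", "+0000"), "%Y-%m-%dT%H:%M:%S%z")

def parse_response(saml_response_b64: str, store: Store, now: datetime):
    """Decode and validate a SAMLResponse; return (name_id, attributes) or raise ValueError."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if not verify_signature(xml_bytes):
        raise ValueError("signature verification failed")
    root = ET.fromstring(xml_bytes)
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination does not match this ACS")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion.get("ID") in store.seen_assertion_ids:
        raise ValueError("assertion replayed")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != SP_ENTITY_ID:
        raise ValueError("assertion not intended for this SP")
    store.seen_assertion_ids.add(assertion.get("ID"))
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

def acs_endpoint(store: Store, form: dict, now: datetime) -> dict:
    """Step 4 of the new workflow: the IdP POSTs SAMLResponse form data here."""
    try:
        name_id, attrs = parse_response(form["SAMLResponse"], store, now)
    except (ValueError, KeyError, AttributeError, ET.ParseError) as exc:
        return {"status": 400, "error": str(exc)}
    session_id = secrets.token_urlsafe(32)
    store.sessions[session_id] = {"user": name_id, "attributes": attrs}
    # The browser only ever sees this opaque, single-use token, never the assertion itself.
    token = secrets.token_urlsafe(32)
    store.handoff[token] = (session_id, now + HANDOFF_TTL)
    return {"status": 303, "location": f"{FRONTEND_SSO_URL}?token={token}"}

def exchange_endpoint(store: Store, token: str, now: datetime) -> dict:
    """Called by the client after landing on /sso?token=...; consumes the token."""
    entry = store.handoff.pop(token, None)   # pop, so a second use fails
    if entry is None:
        return {"status": 401, "error": "unknown or already-used token"}
    session_id, expires = entry
    if now >= expires:
        return {"status": 401, "error": "token expired"}
    session = store.sessions[session_id]
    return {"status": 200, "session_id": session_id, "user": session["user"], "attributes": session["attributes"]}

def run_demo() -> dict:
    """Walk the handoff once with the constructed sample and a fixed clock."""
    store = Store()
    t0 = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
    form = {"SAMLResponse": base64.b64encode(SAMPLE_RESPONSE.encode()).decode()}
    redirect = acs_endpoint(store, form, t0)
    token = redirect["location"].split("token=", 1)[1]
    first = exchange_endpoint(store, token, t0 + timedelta(seconds=5))
    second = exchange_endpoint(store, token, t0 + timedelta(seconds=6))  # token reuse
    replay = acs_endpoint(store, form, t0)                               # same assertion again
    late = acs_endpoint(Store(), form, t0 + timedelta(minutes=10))       # outside Conditions window
    return {"redirect": redirect, "first": first, "second": second, "replay": replay, "late": late}
```

`run_demo()` shows the two outcomes the design is built around: the first exchange returns the user and attributes as JSON, while a reuse of the token, a replay of the same assertion, and an assertion presented outside its Conditions window are all refused. In a real deployment the parsing and signature verification belong to a SAML library (the stdlib `xml.etree` parser is not hardened against hostile XML), the handoff token should be sent to the exchange endpoint in a POST body rather than left in browser history, and the session identifier should travel back to the client as a cookie or bearer token issued by the back end.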