Newbie question for Angular web app with .NET Core 2 WebAPI backend
mphimfo
New Member (6 reputation)
Group: Forum Members
Posts: 3, Visits: 54
Hi,
I have an Angular web app with a .NET Core 2 WebAPI backend. Users will be authenticated by ADFS, which will issue a SAML token. I'm unclear how to interface with ADFS -- directly from the browser/JavaScript, or via my .NET Core 2 WebAPI back end. I prefer using the back end since I can potentially use the ComponentSpace "SAML V2.0 FOR ASP.NET CORE" component. Please see included diagram.

So, my questions are:
1. Is this approach (as diagrammed) valid and reasonable?
2. If I use this approach, is there anything special I need to do when saving the SAML token to a cookie?

I appreciate any guidance. Thanks.

ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
I suggest taking a look at our SAML Primer to understand the flow.
https://www.componentspace.com/Forums/8237/SAML-v20-Primer
I want to make sure you understand that all messages between the identity provider (IdP) and service provider (SP) sites are sent via the browser. There's no direct communication (e.g. REST APIs) between the two sites.
Your backend application would act as the SP and ADFS would act as the IdP.
Please note that in SAML SSO, the SP never sends the IdP the user's password.
ADFS will prompt for the user's name and password.
What you're trying to do is certainly possible and we have customers successfully doing this.
However, if you don't have to use SAML to authenticate to ADFS, you might want to consider using OAuth or OIDC.
These protocols are available in the latest release of ADFS.

Regards
ComponentSpace Development
mphimfo
New Member (6 reputation)
Group: Forum Members
Posts: 3, Visits: 54
ComponentSpace - 10/10/2018

Thanks for the link to your primer... the best description I've seen! Unfortunately I do have to use SAML. Two more questions if you don't mind:

(1) Regarding communication through the browser, thanks for clarifying that as it was not clear to me. Since I'm using Angular, the call to _samlServiceProvider.InitiateSsoAsync() would have to go through an API call rather than the typical postback for WebForms, correct? That's why you stated "is certainly possible and we have customers successfully doing this"... not ideal, but possible, correct?

(2) For ADFS, does login always have to go through an ADFS web page to login, followed by a return to the SP? As I believe you could tell, I was trying to implement the login via API (since I have a login page in my app).

Thank you.

ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
1. _samlServiceProvider.InitiateSsoAsync will send a SAML authn request to the IdP. This is done by returning a 302 redirect HTTP response to the browser, which then sends an HTTP GET to the IdP. The SAML authn request is encoded as a query string parameter.
Typically the IdP will prompt the user to login (i.e. enter their credentials and authenticate them). It will then send a SAML response back to the SP via the browser.
What this means is that you can't successfully kick this flow off from the browser with an AJAX call to a web API.
You need to be in your browser's main context (i.e. send an HTTP GET or POST to your backend app, which then calls _samlServiceProvider.InitiateSsoAsync).

2. SAML doesn't support the SP supplying the user's password to the IdP. This would introduce a bunch of security risks, and as a user you should be wary about entering your credentials for one site (i.e. the IdP) at another site (i.e. the SP).

Regards
ComponentSpace Development
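As an added illustration of the flow described in the answer above (this is not ComponentSpace's own sample code), here is how the two ends might look in a .NET Core 2 WebAPI backend: the Angular app reaches the first endpoint with a top-level navigation rather than an HttpClient call, and the second endpoint receives the SAML response and issues the app's own session cookie instead of storing the SAML token. The ComponentSpace.Saml2 namespace, ReceiveSsoAsync and the UserID/RelayState properties on its result, and the partner name are assumptions; only InitiateSsoAsync is named on this page.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using ComponentSpace.Saml2;                 // assumed namespace of the ComponentSpace SAML library
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller; ReceiveSsoAsync/ISpSsoResult are assumed names, not confirmed by the page.
[ApiController]
public class SamlController : ControllerBase
{
    // Placeholder partner name for the ADFS identity provider (value comes from your SAML configuration).
    private const string AdfsPartnerName = "https://adfs.example.invalid/adfs/services/trust";

    private readonly ISamlServiceProvider _samlServiceProvider;

    public SamlController(ISamlServiceProvider samlServiceProvider)
    {
        _samlServiceProvider = samlServiceProvider;
    }

    // Step 1: Angular navigates here at top level (window.location.href = "/saml/login"),
    // not with HttpClient. InitiateSsoAsync writes the 302 to ADFS with the AuthnRequest
    // in the query string; a fetch/XHR could never carry the user through that redirect.
    [HttpGet("saml/login")]
    public async Task Login([FromQuery] string returnUrl = "/")
    {
        // RelayState says where to land after SSO; keep it local so it cannot become an open redirect.
        var relayState = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        await _samlServiceProvider.InitiateSsoAsync(AdfsPartnerName, relayState);
    }

    // Step 2: ADFS posts the SAML response back, via the browser, to this assertion consumer service.
    [HttpPost("saml/acs")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        // Assumed call: the library validates the response (signature, audience, conditions) here.
        var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();

        // Do not put the SAML token itself in a cookie. Sign in with the app's own cookie scheme,
        // configured with HttpOnly, Secure and SameSite=Lax in Startup, and keep only the claims you need.
        var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, ssoResult.UserID));
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));

        // Return the browser to the Angular app; re-check RelayState since it round-tripped through ADFS.
        var target = Url.IsLocalUrl(ssoResult.RelayState) ? ssoResult.RelayState : "/";
        return LocalRedirect(target);
    }
}
```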
mphimfo
New Member (6 reputation)
Group: Forum Members
Posts: 3, Visits: 54
ComponentSpace - 10/10/2018

Got it. Thank you!

ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
You're welcome.

Regards
ComponentSpace Development