I have been following the ExampleAngularSpa example (which also uses ExampleWebApi) that comes with SAML for .NET Core. This is similar to the architecture of my existing app to which I hope to add SAML SSO.
I was able to successfully run the example and understand the following steps that occur when signing in:
- User navigates to SPA app (is not authenticated)
- User clicks the sign in link
- User is taken to the 'InitiateSingleSignOn' path of ExampleWebApi and sign in is initiated
- User is redirected to IDP for authentication
- Once authenticated, a POST is made back to the ACS URL of ExampleWebApi
- ACS creates a JWT token and redirects the user back to the SPA app (via relay state)
At this point the user is signed in, as indicated by a token passed in the URL upon redirect. However, this token will expire before long (30 minutes, for example). After expiration, the SPA app needs to somehow get a new token. I would think at this point the SSO session should be reauthenticated; otherwise the front end will be able to create new tokens indefinitely (not secure).
My question is - what is the recommended approach for doing this, without disrupting the SPA state? I know I could always redirect the user to the 'InitiateSingleSignOn' URL again and redirect back to the SPA, but this is very disruptive, especially in a SPA app where the current page should never really change. Is there a way (perhaps through an ajax/API call) to ensure there is a valid SSO session, even without initiating an actual sign in?
Any help/insight would be appreciated!
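The SPA side of the flow described in the question, as an added illustration (this is not code from SAML for .NET Core or its ExampleAngularSpa/ExampleWebApi samples). It picks the JWT out of the relay-state redirect URL, reads its `exp` claim to schedule a refresh shortly before expiry, and only falls back to the disruptive 'InitiateSingleSignOn' redirect when the API reports that its SSO session is gone. Everything about the API is assumed for the example: a `token` query parameter on the redirect, a cookie-backed refresh endpoint at `/api/token/refresh` that returns `{ "token": "..." }` while the server-side session is valid and 401 once it is not, and a sign-in route at `/api/InitiateSingleSignOn`.

```javascript
// Added example for the SPA side of the SAML -> JWT flow in the question above.
// Not code from SAML for .NET Core; endpoint names and the `token` query
// parameter are assumptions for illustration.

const REFRESH_URL = '/api/token/refresh';        // assumed: cookie-backed refresh endpoint
const SIGN_IN_URL = '/api/InitiateSingleSignOn'; // assumed path for the sign-in route
const REFRESH_SKEW_MS = 60 * 1000;               // refresh one minute before `exp`
const RETRY_MS = 15 * 1000;                      // retry delay on network errors

// Decode the payload of a compact JWT without verifying its signature. The SPA
// only reads `exp` to schedule a refresh; the API must still verify the token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Milliseconds to wait before refreshing; zero if the token is already (nearly) expired.
function msUntilRefresh(token, nowMs = Date.now()) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  return Math.max(0, exp * 1000 - REFRESH_SKEW_MS - nowMs);
}

// Pull the token the ACS appended to the relay-state redirect (assumed parameter
// name `token`) and return a cleaned URL the SPA can push with history.replaceState,
// so the token does not linger in browser history or leak through the Referer header.
function extractTokenFromUrl(urlString) {
  const url = new URL(urlString);
  const token = url.searchParams.get('token');
  if (!token) return null;
  url.searchParams.delete('token');
  return { token, cleanUrl: url.toString() };
}

// Ask the API for a fresh JWT. `credentials: 'include'` sends the API's own session
// cookie so it can check its SSO session server-side; 401 means that session is gone.
async function refreshToken(fetchImpl = fetch) {
  const res = await fetchImpl(REFRESH_URL, { method: 'POST', credentials: 'include' });
  if (res.status === 401) return null;
  if (!res.ok) throw new Error(`refresh failed with HTTP ${res.status}`);
  const body = await res.json();
  return body.token;
}

// Keep the SPA signed in without changing the page: refresh just before each expiry,
// retry on transient errors, and redirect to sign-in only when the session is lost.
function scheduleRefresh(token, onToken, onSessionLost, fetchImpl = fetch) {
  return setTimeout(async () => {
    let fresh;
    try {
      fresh = await refreshToken(fetchImpl);
    } catch (err) {
      setTimeout(() => scheduleRefresh(token, onToken, onSessionLost, fetchImpl), RETRY_MS);
      return;
    }
    if (fresh === null) {
      onSessionLost(SIGN_IN_URL); // e.g. window.location.assign(SIGN_IN_URL)
      return;
    }
    onToken(fresh);
    scheduleRefresh(fresh, onToken, onSessionLost, fetchImpl);
  }, msUntilRefresh(token));
}

// Constructed, unsigned sample token for running this offline (dummy signature part).
function makeSampleToken(expSeconds) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'alice', exp: expSeconds })}.sig`;
}

// Usage sketch with the constructed token (in a real SPA, `token` comes from
// extractTokenFromUrl(window.location.href) right after the relay-state redirect):
const demo = extractTokenFromUrl('https://spa.example/app?token=' + makeSampleToken(1700000000) + '&view=home');
console.log(demo.cleanUrl, 'refresh in ms:', msUntilRefresh(demo.token, 1700000000 * 1000 - 600000));
```

The point of the design is that the browser never mints tokens itself: the refresh call only succeeds while the API's own session (set when the ACS handled the SAML response) is still valid, so token lifetime is bounded by a server-side decision rather than by the SPA.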