How to retrieve userName within a sub application from the parent app

Hi, we’ve developed a web portal application that successfully receives the SAML response from the provider but are wondering how to effectively send the userName to a sub application? The sub app shares the same domain as the web portal application in the IIS.

I think the options include a shared cookie, shared session state, query string parameter or HTTP header. I don’t have any specific recommendations as it’s dependent on your business requirements etc.

Just make sure that the information is sent in a secure manner. Consider signing and encrypting the userName. Also, consider how to detect replay attacks.
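The following is an added example, not code from the original thread or from the SAML product being discussed, showing one way to apply the advice above in the non-SAML case: the portal wraps the userName in a short-lived, single-use token, signs it with a key shared by both IIS applications, and the sub application verifies signature, audience, expiry and reuse before trusting the name. Python is used purely for illustration of the technique; the token format, claim names, the hypothetical SHARED_KEY and the 60-second lifetime are all assumptions, and the signature-only token here would be wrapped in an AEAD (for example AES-GCM from a real crypto library) if the userName itself also needs to be confidential on the wire.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: both IIS applications load this secret from protected
# configuration or a key vault; the literal here exists only so the
# example runs stand-alone.
SHARED_KEY = b"replace-with-a-32-byte-random-secret-value"

# A short lifetime keeps the replay window small even if a token leaks.
TOKEN_TTL_SECONDS = 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_name: str, audience: str, now: Optional[float] = None) -> str:
    """Portal side: place the userName in a claims blob and HMAC-sign it."""
    now = time.time() if now is None else now
    claims = {
        "sub": user_name,
        "aud": audience,                 # which sub application may accept it
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(16),    # unique id, consumed once (replay check)
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


class TokenVerifier:
    """Sub application side: accept a token at most once, and only if it is
    correctly signed, addressed to this application and not yet expired."""

    def __init__(self, audience: str):
        self.audience = audience
        self._seen = {}  # jti -> exp; the replay cache for unexpired tokens

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the userName if the token is acceptable, otherwise None."""
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:
            return None
        # Check the signature before looking at any claim, in constant time.
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        try:
            claims = json.loads(body)
        except ValueError:
            return None
        if claims.get("aud") != self.audience:
            return None
        exp = claims.get("exp")
        jti = claims.get("jti")
        sub = claims.get("sub")
        if not isinstance(exp, int) or not jti or not sub or now >= exp:
            return None
        # Drop ids whose tokens have expired; those are rejected by the
        # expiry check anyway, so the cache stays bounded.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return None  # replay: this token has already been consumed
        self._seen[jti] = exp
        return sub
```

In a real deployment the replay cache would live in storage shared by all worker processes of the sub application (the same SQL Server or cache used for session state would do), since an in-memory dictionary only protects a single process.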

Thanks for your response. We are considering using session state with the proper configuration. Just wanted to check to see if there was a SAML solution that could securely send it to the sub app.

The only SAML solution would be if the web portal application acted as a SAML proxy. In other words, it acted as a service provider to the external identity providers and an identity provider to the sub application internal service provider(s).

Upon receiving a SAML response from an external identity provider, it would create and send a new SAML response containing the same userName, etc., to the sub application internal service provider.

However, using shared session state is probably a better and simpler solution.

Thanks for your response. One concern I have with setting up a shared session state is changing the portal app from “In proc” to SQL Server state. I thought the SAML configuration requires “In proc”?

Older versions of SAML for ASP.NET made use of the ASP.NET session to store SAML session state. It’s now stored separately.

We place no restrictions on where ASP.NET session state is stored, even in the older versions that make use of this.