Maintaining Sessions with API/JWT


I have been following the ExampleAngularSpa example (which also uses ExampleWebApi) that comes with SAML for .NET Core. This is similar to the architecture of my existing app to which I hope to add SAML SSO.

I was able to successfully run the example and understand the following steps that occur when signing in:

  1. User navigates to SPA app (is not authenticated)
  2. User clicks the sign in link
  3. User is taken to the ‘InitiateSingleSignOn’ path of ExampleWebApi and sign in is initiated
  4. User is redirected to IDP for authentication
  5. Once authenticated, a POST is made back to the ACS URL of ExampleWebApi
  6. ACS creates a JWT token and redirects the user back to the SPA app (via relay state)

At this point the user is signed in, as indicated by a token passed in the URL upon redirect. However, this token will expire before long (30 minutes, for example). After expiration, the SPA app needs to somehow get a new token. I would think at this point the SSO session should be reauthenticated, otherwise the front end will be able to create new tokens indefinitely (not secure).

My question is - what is the recommended approach for doing this, without disrupting the SPA state? I know I could always redirect the user to the ‘InitiateSingleSignOn’ URL again, and redirect back to the SPA, but this is very disruptive, especially in a SPA app where the current page should never really change. Is there a way (perhaps through an ajax/API call) to ensure there is a valid SSO session, even if not initiating an actual sign in?

Any help/insight would be appreciated!


The SAML specification doesn’t include a mechanism for checking whether the SSO session is still valid. If the session at the SP has expired, the only thing that can be done is to initiate SSO to the IdP again. If the session at the IdP is still current, the user won’t be prompted to login and a new SAML assertion will be returned to the SP. If the session at the IdP has expired, the user will be prompted to login again before a new SAML assertion is returned. Unfortunately there isn’t a way to check with the IdP whether the session is still current or to somehow refresh this session.
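Since the only option is to re-enter SP-initiated SSO, the practical question is how the SPA does that without losing its state. The following is an added example for the SPA side, not code from the ExampleAngularSpa/ExampleWebApi samples or from ComponentSpace: it reads the `exp` claim of the API-issued JWT to decide when re-authentication is due, builds the SSO URL with the current SPA route carried in the return URL (which the API would pass through as RelayState), and recovers the token and route after the ACS redirects back. The path `/saml/InitiateSingleSignOn`, the `returnUrl` and `token` query parameter names, and the demo token builder are assumptions for illustration; the real API signs the tokens it issues, and the SPA never mints one itself, which is what keeps "tokens forever" from being possible on the client.

```javascript
// Added example, not ComponentSpace sample code. Runs under Node (uses Buffer);
// in a browser, swap Buffer for atob/btoa. All endpoint names are assumptions.

const DEFAULT_SKEW_SECONDS = 60;

// Decode the JWT payload WITHOUT verifying the signature. The SPA only uses
// `exp` as a scheduling hint; the API still verifies every token it receives.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// True when the token has expired or will expire within `skew` seconds.
// A token with no numeric `exp` is treated as unusable rather than eternal.
function needsReauth(jwt, nowSeconds, skew = DEFAULT_SKEW_SECONDS) {
  const { exp } = decodeJwtPayload(jwt);
  if (typeof exp !== 'number') return true;
  return exp - nowSeconds <= skew;
}

// Build the SP-initiated SSO URL (assumed path). The SPA's current route
// travels in returnUrl so the API can hand it back via RelayState and the
// user lands on the same page after the round trip to the IdP.
function buildSsoUrl(apiOrigin, spaOrigin, spaRoute) {
  const returnUrl = new URL(spaRoute, spaOrigin);
  const sso = new URL('/saml/InitiateSingleSignOn', apiOrigin);
  sso.searchParams.set('returnUrl', returnUrl.toString());
  return sso.toString();
}

// After the ACS redirects back, pull the token out of the URL (assumed
// parameter name) and return the route the SPA should restore. The token is
// removed from the route so it is not left in the address bar or history.
function consumeRedirect(locationHref) {
  const url = new URL(locationHref);
  const token = url.searchParams.get('token');
  if (!token) return null;
  url.searchParams.delete('token');
  return { token, route: url.pathname + url.search + url.hash };
}

// Constructed demo token for exercising the functions above offline. It is
// NOT signed; a real API-issued JWT carries a verifiable signature.
function encodeDemoJwt(payload) {
  const b64url = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(payload)}.not-a-real-signature`;
}

// Typical use in the SPA's request path: check before each API call and,
// when the token is about to lapse, save nothing locally and just redirect.
function maybeRedirectForReauth(jwt, nowSeconds, apiOrigin, spaOrigin, spaRoute) {
  return needsReauth(jwt, nowSeconds) ? buildSsoUrl(apiOrigin, spaOrigin, spaRoute) : null;
}
```

Two caveats a practitioner would add on the API side: `returnUrl` must be validated against an allow-list of SPA origins before it is placed in RelayState, or the ACS becomes an open redirector; and because the example flow delivers the token in the URL, the SPA should strip it from the address bar immediately (as `consumeRedirect` does) and the API should keep the token lifetime short, since whatever the IdP's session length is, that URL may survive in browser history and proxy logs.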