REST API with SAML

Hi!

We have a web application (JSP, in fact) that implements SAML (web profile). We also have a REST (HTTP API) service that is consumed by a C# desktop application. The goal would be to consume the REST service (from the desktop app) using SAML instead of basic HTTP credentials. I am not an expert in SAML, but if I understand correctly, the identity provider has to redirect the user to a login page before generating a SAML token to be used further in the REST calls. It looks quite complex to implement ourselves without deep knowledge of SAML.

How can we achieve this? What SAML profile is best in such a situation? Does your product make this easier?

Thank you very much for your answer :)

Grumpy Cat

The SAML SSO profiles defined in the SAML specification are primarily intended for browser-based SSO. This means that SAML messages sent between the identity provider (IdP) and service provider (SP) are not sent directly but rather are sent via the browser. A desktop application calling a REST API may not easily fit this model.
Is the JSP web application the IdP or SP?
Where does the user log in? Is it just their desktop login or do they have to login at a web site?
Do you want to include a SAML assertion security token in the REST API calls made by the desktop application?
Could you expand on how you would like the flow to work?
Thanks.
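To make the browser-mediated message flow described in this reply concrete, here is an added Python walk-through of the Web Browser SSO profile (HTTP-Redirect binding for the AuthnRequest, HTTP-POST binding for the Response). It is not code from this thread or from the vendor's toolkit. The entity IDs, URLs, the user identity and the registered-SP table are assumed values, and the IdP's XML signature over the Response/Assertion is not produced or verified (the standard library has no XML-DSig); a real SP must verify that signature against the IdP metadata certificate before any of the other checks shown. Python is used because it shows both sides of the exchange compactly and runs stand-alone.

```python
"""SAML 2.0 Web Browser SSO walk-through: SP -> browser -> IdP -> browser -> SP.
Added example for this thread, not code from the posts or any vendor toolkit; entity IDs, URLs
and the user are assumed. The IdP's XML signature is NOT verified (no XML-DSig in the stdlib);
a real SP must verify it against the IdP metadata certificate before any other check."""
import base64
import secrets
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SP_ENTITY_ID = "https://sp.example.test/jsp"           # assumed
SP_ACS_URL = "https://sp.example.test/jsp/saml/acs"    # assumed
IDP_ENTITY_ID = "https://idp.example.test"             # assumed
IDP_SSO_URL = "https://idp.example.test/sso"           # assumed
REGISTERED_SPS = {SP_ENTITY_ID: SP_ACS_URL}            # IdP-side SP metadata, assumed
CLOCK_SKEW = timedelta(minutes=2)
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def _new_id(): return "_" + secrets.token_hex(16)  # xs:ID must not start with a digit

# SP, step 1: build an AuthnRequest and the HTTP-Redirect URL the browser is sent to.
def sp_build_redirect(now):
    req_id = _new_id()
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{_ts(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query string.
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    saml_request = base64.b64encode(co.compress(xml.encode()) + co.flush()).decode()
    url = IDP_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "RelayState": "/app/home"})
    return req_id, url  # the SP keeps req_id to match InResponseTo later

# IdP, step 2: the browser arrives, the user logs in, the IdP answers with an HTTP-POST form.
def idp_handle_redirect(url, user, now):
    qs = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()
    req = ET.fromstring(xml)
    sp_id, req_id, acs = req.find("saml:Issuer", NS).text, req.get("ID"), req.get("AssertionConsumerServiceURL")
    if REGISTERED_SPS.get(sp_id) != acs:
        raise ValueError("ACS URL not registered for this SP")  # never trust the URL in the request alone
    expires, assertion_id = _ts(now + timedelta(minutes=5)), _new_id()
    response = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{_new_id()}" Version="2.0" '
        f'IssueInstant="{_ts(now)}" Destination="{acs}" InResponseTo="{req_id}">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{_ts(now)}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{user}</saml:NameID>'
        f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData InResponseTo="{req_id}" Recipient="{acs}" NotOnOrAfter="{expires}"/>'
        f'</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotBefore="{_ts(now)}" NotOnOrAfter="{expires}">'
        f'<saml:AudienceRestriction><saml:Audience>{sp_id}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AuthnStatement AuthnInstant="{_ts(now)}" SessionIndex="{assertion_id}"/></saml:Assertion></samlp:Response>')
    # A real IdP signs this, then returns an HTML form that the browser auto-POSTs to the ACS.
    return {"SAMLResponse": base64.b64encode(response.encode()).decode(), "RelayState": qs["RelayState"][0]}

# SP, step 3: the browser POSTs the form to the ACS; validate everything before creating a session.
def sp_consume_post(form, outstanding_request_ids, now):
    resp = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    # >>> verify the XML signature with the IdP metadata certificate here (omitted, see docstring) <<<
    if resp.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination does not match our ACS URL")
    in_response_to = resp.get("InResponseTo")
    if in_response_to not in outstanding_request_ids:
        raise ValueError("unsolicited or replayed response")
    outstanding_request_ids.discard(in_response_to)  # each request ID is accepted exactly once
    if resp.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    assertion = resp.find("saml:Assertion", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != in_response_to:
        raise ValueError("bearer confirmation does not match this ACS/request")
    cond = assertion.find("saml:Conditions", NS)
    not_before, not_on_or_after = _parse_ts(cond.get("NotBefore")), _parse_ts(cond.get("NotOnOrAfter"))
    if not (not_before - CLOCK_SKEW <= now < not_on_or_after + CLOCK_SKEW):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this SP")
    return {"name_id": assertion.find("saml:Subject/saml:NameID", NS).text,
            "session_index": assertion.find("saml:AuthnStatement", NS).get("SessionIndex"),
            "relay_state": form.get("RelayState")}

def run_flow(user="alice@example.test"):
    """Drive all three legs in-process and return the pieces a caller may want to inspect."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    req_id, redirect_url = sp_build_redirect(now)
    outstanding = {req_id}
    form = idp_handle_redirect(redirect_url, user, now)
    return {"session": sp_consume_post(form, outstanding, now), "form": form, "outstanding": outstanding, "now": now}
```

Run `run_flow()` to see the full exchange. Two things it makes visible for the desktop-app question: the SAMLResponse is delivered by the browser (or an embedded browser widget) to the SP's assertion consumer service, never to the calling application directly, and the assertion is short-lived and tied to one outstanding request ID, so a consumed response cannot simply be replayed as a bearer credential on every REST call.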

Hi, thanks for your reaction!

I understand that SAML is basically made for browsers; however, we could possibly implement some SAML profile other than the web browser profile if it helps us reach our goal. As you say, I also think it will be hard to fit a REST API like this. However, we have the possibility of using a WebBrowser widget (which exists in C# WPF) to display some HTML, if it helps. Typically, when the redirection to the IdP happens, the login page of the IdP could be shown in a WebBrowser widget, I guess.

The JSP application is of course the SP. The IdP used can be OneLogin, but some customers use different IdPs, so ideally we should be compliant with them all… Not easy, I guess…

At the moment there is a credentials setting in the WPF desktop application, but we could consider showing the login in a WebBrowser widget if it helps with SAML.

Indeed, I was thinking that it is best to include the security token in every REST call. However, I am afraid getting this token might be hard. If we log in via a WebBrowser widget, the token is in the browser, not in the WPF app.

I am not sure I have enough SAML knowledge to expand on how I would like to implement the flow. I am more wondering what the possibilities are. At a certain point we considered doing the whole login process in a WebBrowser and then getting the SAML token to include it in our HTTP GET requests, but it looks impossible to steal the token from the web browser in the C# code. So we don’t have an answer on this point yet.

Kind regards

Grumpy Cat

I suggest taking a look at section 10.1 of our Developer Guide which describes building, deploying and running the ExampleIdentityProvider and ExampleServiceProvider projects. A good idea would be to record the HTTP traffic using something like Fiddler. That way you can see the SAML message flow and what the WebBrowser widget and your application would need to support.