Web API to Act As IdP

Hello,

I have an Angular app which I want to be used as the authentication page when any SP tries to authenticate. There’s no implementation for Angular to use to receive SAML requests and initiate assertions through ComponentSpace. Therefore, is it possible for the frontend application to communicate with a Web API that could then be used to deal with the SAML protocol? Or would we have to do something redundant such as having another web application in the background as an IdP?

We ship an Angular app and the ExampleWebApi ASP.NET Core app which handles the SSO but it’s acting as the SP rather than the IdP.

I recommend delegating the SSO handling to the backend application which would act as the IdP. The Angular app would be responsible for prompting the user to login.

How you handle the flow between the frontend and backend apps is up to you, but it might not be web API calls. Remember that SAML SSO is a browser-based protocol with all SAML messages between the SP and IdP sites sent via the browser. A web API call might disrupt this flow.

If you take the common scenario of SP-initiated SSO, the flow would be something like:

1. Backend calls _samlIdentityProvider.ReceiveSsoAsync to receive and process the SAML authn request from the SP.
2. Backend determines there’s no local authentication session and redirects the user to the frontend for login.
3. User is prompted to login and control is returned to the backend.
4. User is authenticated.
5. Backend calls _samlIdentityProvider.SendSsoAsync to create and send a SAML response to the SP.

[quote]
ComponentSpace - 12/4/2023
We ship an Angular app and the ExampleWebApi ASP.NET Core app which handles the SSO but it's acting as the SP rather than the IdP.

I recommend delegating the SSO handling to the backend application which would act as the IdP. The Angular app would be responsible for prompting the user to login.

How you handle the flow between the frontend and backend apps is up to you, but it might not be web API calls. Remember that SAML SSO is a browser-based protocol with all SAML messages between the SP and IdP sites sent via the browser. A web API call might disrupt this flow.

If you take the common scenario of SP-initiated SSO, the flow would be something like:

1. Backend calls _samlIdentityProvider.ReceiveSsoAsync to receive and process the SAML authn request from the SP.
2. Backend determines there's no local authentication session and redirects the user to the frontend for login.
3. User is prompted to login and control is returned to the backend.
4. User is authenticated.
5. Backend calls _samlIdentityProvider.SendSsoAsync to create and send a SAML response to the SP.

[/quote]

How exactly would step #3 be implemented?

I’m not sure exactly what the OP had in mind regarding the authentication page.

Presumably the Angular app prompts for the username and password and then securely sends these to the backend app for authentication.

However, it’s up to you and doesn’t directly affect the SSO.
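One way to wire up the five-step SP-initiated flow above, including the step #3 hand-off to the Angular login page, as an added example that is not ComponentSpace's own code. The controller name, the `/login` frontend route, `IUserStore` and `LoginRequest` are assumptions; only `ReceiveSsoAsync` and `SendSsoAsync` come from the thread. Cookie authentication is assumed to be registered as the default scheme so that the SAML request state and the login session survive the round trip through the browser.

```csharp
using System.Security.Claims;
using ComponentSpace.Saml2;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Backend IdP controller (assumed name, C# 12 primary constructor). Cookie authentication
// is assumed to be the default scheme; IUserStore is a hypothetical credential check.
public class SamlController(ISamlIdentityProvider samlIdentityProvider, IUserStore users) : Controller
{
    // Steps 1-2: the SP's authn request arrives via the browser and is validated here.
    [HttpGet, HttpPost]
    public async Task<IActionResult> SingleSignOnService()
    {
        await samlIdentityProvider.ReceiveSsoAsync();
        if (User.Identity?.IsAuthenticated != true)
        {
            // No local session: browser redirect to the Angular login route (assumed: /login),
            // carrying the backend URL the frontend must navigate back to afterwards.
            var returnUrl = Url.Action(nameof(SingleSignOnServiceCompletion)) ?? "/";
            return Redirect($"/login?returnUrl={Uri.EscapeDataString(returnUrl)}");
        }
        return RedirectToAction(nameof(SingleSignOnServiceCompletion));
    }

    // Steps 3-4: Angular posts the credentials as a web API call; the backend issues the
    // session cookie and returns the (local-only) URL for a full browser navigation.
    [HttpPost]
    public async Task<IActionResult> Login([FromBody] LoginRequest request)
    {
        if (!await users.ValidateAsync(request.UserName, request.Password))
            return Unauthorized();
        var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
        identity.AddClaim(new Claim(ClaimTypes.Name, request.UserName));
        await HttpContext.SignInAsync(new ClaimsPrincipal(identity));
        return Ok(new { returnUrl = Url.IsLocalUrl(request.ReturnUrl) ? request.ReturnUrl : "/" });
    }

    // Step 5: the browser returns with the cookie and the SAML response is sent to the SP.
    [HttpGet, Authorize]
    public async Task<IActionResult> SingleSignOnServiceCompletion()
    {
        await samlIdentityProvider.SendSsoAsync(User.Identity!.Name);
        return new EmptyResult();
    }
}

public record LoginRequest(string UserName, string Password, string ReturnUrl);
public interface IUserStore { Task<bool> ValidateAsync(string userName, string password); }
```

The only XHR call is the credential POST; the Angular app must then set `window.location` to the returned URL rather than fetching it, so the SAML response reaches the SP through the browser as the thread requires. Restricting `returnUrl` to local URLs keeps the login endpoint from being used as an open redirect.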