Integrating Passive SAML Federation

Passive federation relies on a user agent (the device's web browser) to do most of the communication between the device and the SAML IdP. That said, you still need to know what URL to request and how to acquire the SAML assertion from the SAML IdP. The security benefit of passive federation is that the user never provides their SAML IdP credentials to your app.

The detailed passive federation workflow is presented in Introduction to SAML Login Integration.

Prerequisites

You need to configure certain settings before you can successfully log in your app users through SAML authentication.

Getting SAML Metadata

You can use the GetSamlMetadata() method to read the app's SAML metadata from the Telerik Platform servers. The SamlMetadata class contains MetadataUrl (or MetadataXML) and Audience members that correspond to the settings that you configured for your app on the backend.

// Reads the app's SAML metadata (MetadataUrl or MetadataXML, and Audience)
// from the Telerik Platform servers; everliveApp is an initialized EverliveApp.
public async Task<SamlMetadata> GetSamlMetadata()
{
    return await this.everliveApp.WorkWith().Authentication().GetSamlMetadata().ExecuteAsync();
}

Preparing the Request URL

To request a SAML assertion from the SAML IdP you need to open the device's web browser and point it to the appropriate URL. This URL depends on the SAML IdP that you use. Consult its documentation for details.

Extracting the SAML Assertion

After the browser contacts the SAML IdP and performs authentication, the SAML IdP redirects the browser to the Telerik Platform Reply URL and posts the SAML token to it. The server logic behind the Reply URL URL-encodes the SAML response and redirects the device browser to localhost with an access_token query parameter that carries the SAML assertion. You need to parse the resulting URL to extract the SAML assertion from it.

The URL has the following format:

http://localhost?access_token=saml-assertion

Where saml-assertion is the URL-encoded SAML assertion.

Registering or Authenticating the User

After you obtain a SAML token from the SAML IdP, you can use the LoginWithSaml() method overload that accepts a URL-encoded SAML assertion.

On first invocation, LoginWithSaml registers the user. Subsequent invocations for the same user authenticate the user.

On success, the method returns an object containing a Telerik Platform access token (not to be confused with the SAML assertion) that can be used with further Backend Services .NET SDK operations. In this respect, the LoginWithSaml() method behaves similarly to the Login() method.

// Registers (first call) or authenticates (later calls) the user with the
// URL-encoded SAML assertion in token; returns a Telerik Platform access token.
public async Task<AccessToken> LoginUser(EverliveApp app, string token)
{
    return await app.WorkWith().Authentication().LoginWithSaml(token).ExecuteAsync();
}
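The two steps above, extracting the assertion from the localhost redirect and passing it to LoginWithSaml(), as an added example that is not part of the original documentation or the SDK. It assumes the app already intercepts the browser's navigation to the localhost URL (how you do that is platform-specific), and the Telerik.Everlive.Sdk.Core namespace is an assumption for where EverliveApp and AccessToken live.

```csharp
using System;
using System.Threading.Tasks;
using Telerik.Everlive.Sdk.Core; // assumed namespace for EverliveApp and AccessToken

public static class SamlRedirectHandler
{
    // Returns the URL-encoded SAML assertion carried in the access_token query
    // parameter of the final redirect, or null when the URL is not the expected
    // localhost reply or the parameter is missing or empty.
    public static string TryExtractSamlAssertion(string redirectUrl)
    {
        if (!Uri.TryCreate(redirectUrl, UriKind.Absolute, out Uri uri))
            return null;

        // Only trust the redirect the Reply URL is documented to issue
        // (http://localhost?access_token=...); ignore any other navigation.
        if (uri.Scheme != "http" || uri.Host != "localhost")
            return null;

        // uri.Query keeps the leading '?'. The query is split by hand rather than
        // with a query-string parser so the value stays URL-encoded, which is
        // the form the LoginWithSaml() overload used below expects.
        string query = uri.Query.TrimStart('?');
        foreach (string pair in query.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0)
                continue;
            if (pair.Substring(0, eq) == "access_token")
            {
                string value = pair.Substring(eq + 1);
                return value.Length > 0 ? value : null;
            }
        }
        return null;
    }

    // Feeds the extracted assertion into the SDK call from the section above.
    public static async Task<AccessToken> LoginFromRedirect(EverliveApp app, string redirectUrl)
    {
        string assertion = TryExtractSamlAssertion(redirectUrl);
        if (assertion == null)
            throw new InvalidOperationException("Redirect did not carry a SAML assertion.");

        // The value returned here is the Telerik Platform access token, not the
        // SAML assertion; keep both out of logs and persist only what the SDK needs.
        return await app.WorkWith().Authentication().LoginWithSaml(assertion).ExecuteAsync();
    }
}
```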

Copyright © 2016-2017, Progress Software Corporation and/or its subsidiaries or affiliates. All rights reserved.