10

I need to access data by making a GET call but the resource is protected by Single Sign On. I have the URI end-point, and Single Sign on credentials. I started off with making ajax request using XMLHttpRequest() but got this:

blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

As I don't have access to the server, and thus can't set the 'Access-Control-Allow-Origin' to true, I decided to move to making calls using Python requests library with Flask backend. I tried to pass user credentials along with the GET request like this:

headers = {'accept': 'application/json;odata=verbose'}
r = requests.get(url, auth=HTTPBasicAuth(userid, password), headers=headers)
print r.status_code #prints 403
print r.content #prints 403 forbidden

Is there any way to access such a resource ? Please note that SSO is configured using SAML 2.0

UPDATE: After following up with the link suggested by giaco, I am now able to programmatically login to SSO. Atleast, I think so.. (the HTML returned by s.post(..) actually still has 403 forbidden code-- but when I hit the url in browser, it redirects to logged in page) However, when I send the GET request, I am again getting 403 FORBIDDEN message. Below is the updated code:

payload = {
    'UserName': username,
    'Password': password
    }
    print "configured payload" #successfully printed on console

    with requests.Session() as s:
        p = s.post("my_sso_url", data=payload)
        # print the html returned or something more intelligent to see if it's a successful login page.
        print p.text #Successfully printing the html code of an interstetial page which later redirects to logged-in page

        # An authorised request.

        r = s.get('secure web page url') #<------Line A
        print "sent get request" # gets printed on console
        print r.text # prints 403 FORBIDDEN

UPDATE 2: So, I manually logged-in to SSO and then made the GET request on "Line A" in the code and still got 403 Forbidden. I may be wrong, but I believe it has something to do with the cookies i.e. maybe I need to pass some more info while making the GET request on Line A. Any pointers/tips/help is much appreciated !

UPDATE 3: Found kind-of similar implementation in C# using CA SSO. My server implements OASIS SAML though. Here is the link: HTTP request from a C# desktop application to a Siteminder-protected server If anyone can please help me in translating C# code to python or provide any tips/pointers - it'll be a huge help ! Currently, I am having trouble with setting autoredirect to false in Python - applied the solution from How do I prevent Python's urllib(2) from following a redirect but still getting 403 FORBIDDEN message.

Vimanyu
  • 625
  • 2
  • 9
  • 24
  • Did you try with session https://stackoverflow.com/a/17633072/6555866? – Jan Giacomelli Jun 09 '17 at 20:40
  • Tried that but unable to decide what should be the "LOGIN_URL" in p = s.post('LOGIN_URL', data=payload) as this url is actually a redirect and contains various things like client_id, resource_id and nonce, and nonce keeps on changing everytime. – Vimanyu Jun 09 '17 at 22:22
  • Getting error: UnicodeEncodeError: 'charmap' codec can't encode character u'\u2019' in position 13774: character maps to in print p.text – Vimanyu Jun 09 '17 at 22:26
  • Okay ! So, after some trials, I figured out the correct "LOGIN_URL" , and I am now able to login to sso !! but when I send the GET request, I am getting 403 FORBIDDEN. Writing the update in question. – Vimanyu Jun 09 '17 at 23:14
  • Looks like the `HTTPBasicAuth` is not passing correct parms; are you sure the `userid` & `password` are valid? – pstatix Jun 10 '17 at 00:15
  • @pstatix - Actually, I found out that SAML 2.0 doesn't use HTTPBasicAuth. userid and password are correct - I use them to login everytime. – Vimanyu Jun 10 '17 at 01:04

0 Answers0