
I've been reading a lot about that, in order to implement this for a customer. I am 100% certain I am misunderstanding something, because things just don't make sense in my mind right now.

Our customer wants to add, in an application we are making, an SSO feature. The idea is that on launch, when the program is installed on one of their customers, the application would validate the user's identity using SSO to figure out if they are allowed to run it.

The customer has an endpoint, on an intranet, that is supposed to respond to our SAML Request with a list of roles that the user has, that we check against a static list of authorized roles to know if this person has the correct permissions.

We are supposed to use a Kerberos Token. Now every single page I check online seems to say a different thing about that part. At first, I thought I had to somehow obtain that Token and add it somewhere in the SAML POST Request.

Then, when googling how to obtain the Token, I get more and more results saying that I don't have to, that it is done automatically, and that the endpoint knows "who" is calling.

Furthermore, most websites are assuming that the caller (my application) is a Web Application, and have many steps of the tutorial playing with the Web.Config and the Servers, both of which I don't have.

Since everything I try seems to fail, and since I don't have control over the endpoint to check how it works or what is going wrong (I only get error codes), I am completely lost.

So this question is about setting the record straight.

My application is not Web-based, I do not make, or see, the Endpoint that responds to my requests.

The application runs in a Citrix Environment, and has to talk to the endpoint on an Intranet. I am not on this intranet myself, we log in to Citrix from a remote location for testing purposes.

Do I have to get the Kerberos Token in my code explicitly, and if so, how (every method I've seen doesn't work for me)?

Do I have to send the Token inside the SAML 2.0 POST Request, and if so where does it fit in the SAML structure?

Kaito Kid
  • SAML is browser based SSO but for non browser based clients there is the ECP profile. Might point you in the right direction although how you integrate it with kerberos isn't stated https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP – codebrane Oct 17 '18 at 10:56

1 Answer


This question is unanswerable. We cannot see into your application, their intranet, or any of the traffic sent across the wire.

Many applications rely on Windows for Kerberos authentication (more specifically Negotiate), and Windows generally does this transparently. In passive, browser-based scenarios the web server will prompt with a 401 error code and a "WWW-Authenticate: Negotiate" header, which the browser understands, and automatically responds with a token.

In active, application-based scenarios, the web service might respond with the same error code, but this is often negotiated ahead of time, and the application knows to manually request a ticket from Windows. Some development frameworks like .NET are designed to also do this automatically for you in many cases.

None of this has anything to do with SAML, but the flow of tokens is basically the same, with the caveat that there's an extra hop where a Kerberos ticket is exchanged for the SAML token. This extra hop is undefined, and is up to a developer to figure out, but can certainly just be a request header when doing the SAMLRequest.

Steve
  • You say that some development frameworks like .NET are designed to also do this automatically. I am using .NET and nothing is happening automatically. We send a request and get an exception (that we have to catch) saying "401: Unauthorized". Do you have any examples of how to activate these automated operations, and how to use them correctly (as I am obviously not)? – Kaito Kid Oct 18 '18 at 14:56
  • There are a dozen different ways to make web requests in .NET. You really need to provide significantly more detail in your question, and preferably code samples of how this all works, before you get anything useful. There are just too many ways that this could work. – Steve Oct 18 '18 at 20:40
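The Negotiate flow the answer describes, as an added example (not the question's or the answer's own code): a non-web .NET client sends the SAMLRequest over HTTP and lets HttpClientHandler answer the 401 / WWW-Authenticate: Negotiate challenge with the logged-on Windows user's Kerberos ticket, so no token is ever placed inside the SAML XML. The endpoint URL, issuer and AssertionConsumerServiceURL are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

// Added example, not code from the question or answer; URLs are placeholders.
static class SamlNegotiateClient
{
    // Minimal unsigned SAML 2.0 AuthnRequest for the HTTP-POST binding.
    static string BuildAuthnRequest(string issuer, string acsUrl) =>
        $@"<samlp:AuthnRequest xmlns:samlp=""urn:oasis:names:tc:SAML:2.0:protocol""
            xmlns:saml=""urn:oasis:names:tc:SAML:2.0:assertion""
            ID=""_{Guid.NewGuid():N}"" Version=""2.0"" IssueInstant=""{DateTime.UtcNow:o}""
            ProtocolBinding=""urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST""
            AssertionConsumerServiceURL=""{acsUrl}"">
          <saml:Issuer>{issuer}</saml:Issuer>
        </samlp:AuthnRequest>";

    static async Task<int> Main()
    {
        // This handler setting is what makes Windows "do it automatically": on a
        // 401 + WWW-Authenticate: Negotiate challenge the request is retried with a
        // SPNEGO/Kerberos token for the logged-on user. Nothing goes into the SAML
        // XML; the token rides in the HTTP Authorization header of the POST.
        using var handler = new HttpClientHandler { UseDefaultCredentials = true };
        using var client = new HttpClient(handler);
        // HTTP-POST binding: plain base64 of the XML (DEFLATE is only for Redirect).
        string xml = BuildAuthnRequest("urn:example:my-app", "https://app.example/acs");
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["SAMLRequest"] = Convert.ToBase64String(Encoding.UTF8.GetBytes(xml)),
        });

        var endpoint = new Uri("https://sso.intranet.example/saml/sso"); // placeholder
        using var response = await client.PostAsync(endpoint, form);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // Still 401 after the automatic retry: usually no Kerberos TGT in this
            // session (e.g. a remote Citrix logon) or no HTTP/<host> SPN registered
            // for the endpoint, so Negotiate fell back to NTLM, which the server rejects.
            Console.Error.WriteLine("Challenge: " +
                string.Join(", ", response.Headers.WwwAuthenticate));
            return 1;
        }
        Console.WriteLine(await response.Content.ReadAsStringAsync());
        return 0;
    }
}
```

Whether the roles come back in that same HTTP response or via a separate redirect to the ACS URL depends on the endpoint, which the thread does not specify.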