
The flow of my application is that,

  1. User enters the URL and the AngularJS login page is displayed
  2. User clicks on "Login with SAML", which calls the Web API endpoint that returns the SAML login URL
  3. AngularJS UI receives the SAML login URL and redirects the user to the IdP login screen
  4. User is authenticated by the IdP and the IdP calls the AssertionUrl

The issue starts here,

  1. If I create an AssertionUrl on the Web API and validate the request there, how will the AngularJS UI know whether the login was successful or not?

In the case of MVC and Web Forms it is pretty straightforward, but what should be done in the case of an AngularJS/Angular SPA?

Edit 1:

Login Flow

SPA -> API -> SPA -> Idp

(The SPA calls the API, the API generates the SAML request and returns it to the SPA, and the SPA then redirects to the IdP)

Assertion Flow

Idp -> API ? SPA

(The IdP calls the AssertionUrl in the API and the API generates the JWT, but how will it be sent to the SPA?)

Adnan Yaseen

2 Answers


In an AngularJS/Angular SPA you have two possible solutions for handling the user session after a successful SAML 2.0 authentication.

  1. Use a cookie, as in ASP.NET MVC, where you have to restrict the cookie to make it secure in a SPA. It requires your API and SPA to be on the same domain.

  2. Create a JWT access token after a successful login, which is handed to the SPA and validated on each API call in the backend API code.

You can create a JWT access token with the ITfoxtec.Identity package by calling the JwtHandler.CreateToken method: https://github.com/ITfoxtec/ITfoxtec.Identity/blob/master/src/Tokens/JwtHandler.cs#L38.

Edit 1

All communication between SPA, IdP and API is either redirect or post through the client browser.

After successful authentication in the assertion flow, the API can redirect to the SPA with the access token in a query or fragment of the URL.

Anders Revsgaard
    Yes, the intention is to create the JWT token and use it. But the AssertionUrl is on the API and the IdP calls this on successful login. The API will create the JWT token, but how will the SPA receive the token? See Edit 1 in the question, and many thanks for your kind help. – Adnan Yaseen Mar 25 '21 at 10:47

In Angular, create a component (Token component) and create a route (like /token) to it. The route should take a route parameter like /token/{token_id}. The token component gets the token value from the route param and saves it in session storage. Before all API calls, the Angular interceptor gets the token value from session storage and adds it as a header.

KRISHNA R
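The following is an added example that is not code from the question or from either answer; it covers both the first answer's Edit 1 (the API redirecting to the SPA with the token in the URL) and the second answer's token route plus interceptor. It deliberately carries the token in the URL fragment rather than in a path parameter such as /token/{token_id}: browsers never send the fragment to a server, so the token stays out of API and proxy access logs and out of Referer headers. All names (TokenStore, MemoryStore, buildSpaRedirectUrl, handleTokenRoute, withAuthHeader, the example origins and the sample token) are assumptions made for this illustration; in a real Angular app the store would be window.sessionStorage, handleTokenRoute would live in the token component and withAuthHeader in an HttpInterceptor.

```typescript
// Added example, not code from the question or either answer. Every name below
// is an assumption made for this illustration.

// Minimal storage contract: window.sessionStorage satisfies it in the browser,
// MemoryStore stands in for it when this file runs outside a browser.
interface TokenStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

class MemoryStore implements TokenStore {
  private items: { [key: string]: string } = {};
  getItem(key: string): string | null {
    return Object.prototype.hasOwnProperty.call(this.items, key) ? this.items[key] : null;
  }
  setItem(key: string, value: string): void { this.items[key] = value; }
  removeItem(key: string): void { delete this.items[key]; }
}

const TOKEN_KEY = 'access_token';

// Compact JWS shape: three base64url segments. This is only a sanity check on
// the client; the signature and claims are verified by the API on every call.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// API side: after the SAML response posted to the AssertionUrl has been
// validated and a JWT minted, build the redirect back to the SPA. The token is
// put in the fragment: the browser never sends the fragment to any server, so
// it does not land in access logs or Referer headers the way a query string or
// path segment would.
function buildSpaRedirectUrl(spaOrigin: string, token: string): string {
  if (!JWT_SHAPE.test(token)) throw new Error('refusing to redirect with a malformed token');
  return spaOrigin + '/token#' + TOKEN_KEY + '=' + encodeURIComponent(token);
}

// SPA side, step 1: pull the token out of the fragment of the landing URL.
function extractTokenFromFragment(url: string): string | null {
  const hash = url.indexOf('#');
  if (hash < 0) return null;
  const pairs = url.slice(hash + 1).split('&');
  for (let i = 0; i < pairs.length; i++) {
    const eq = pairs[i].indexOf('=');
    if (eq > 0 && pairs[i].slice(0, eq) === TOKEN_KEY) {
      return decodeURIComponent(pairs[i].slice(eq + 1));
    }
  }
  return null;
}

// SPA side, step 2 (the token component): keep a well-formed token in session
// storage and return the fragment-free URL the component should put back with
// history.replaceState so the token does not linger in the address bar/history.
function handleTokenRoute(landingUrl: string, store: TokenStore): { ok: boolean; cleanUrl: string } {
  const cleanUrl = landingUrl.split('#')[0];
  const token = extractTokenFromFragment(landingUrl);
  if (token === null || !JWT_SHAPE.test(token)) {
    store.removeItem(TOKEN_KEY); // never keep a stale/garbage value around
    return { ok: false, cleanUrl: cleanUrl };
  }
  store.setItem(TOKEN_KEY, token);
  return { ok: true, cleanUrl: cleanUrl };
}

// SPA side, step 3 (the HTTP interceptor): attach the bearer token, but only to
// requests aimed at our own API origin, so it is never sent to third-party hosts.
function withAuthHeader(
  requestUrl: string,
  apiOrigin: string,
  headers: { [name: string]: string },
  store: TokenStore
): { [name: string]: string } {
  const token = store.getItem(TOKEN_KEY);
  const sameOrigin = requestUrl === apiOrigin || requestUrl.indexOf(apiOrigin + '/') === 0;
  const out: { [name: string]: string } = {};
  for (const name in headers) {
    if (Object.prototype.hasOwnProperty.call(headers, name)) out[name] = headers[name];
  }
  if (token !== null && sameOrigin) out['Authorization'] = 'Bearer ' + token;
  return out;
}

// End-to-end walk-through with a constructed sample token (header {"alg":"HS256"},
// payload {"sub":"alice"}, placeholder signature); returns the header the API would see.
function demo(): string {
  const sampleJwt = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl';
  const store = new MemoryStore();
  const landing = buildSpaRedirectUrl('https://spa.example.test', sampleJwt);
  handleTokenRoute(landing, store);
  const headers = withAuthHeader('https://api.example.test/orders', 'https://api.example.test', {}, store);
  return headers['Authorization'] || 'no token attached';
}
```

Session storage is per tab and cleared when the tab closes, which is why both answers prefer it to local storage for a bearer token; the origin check in the interceptor and the fragment cleanup in the token component are the two places where a token most often leaks in SPA designs like this.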