High-level summary

My goal is to do a POST call from my code to submit a request through a web server that requires Shibboleth authentication.

At the moment I am fine to just collect the BASE64 SAML Request value manually, and then authenticate as explained below. I can achieve this, but I can't understand what I should do after authenticating, to finalize my POST call.

Details

When I open the web form on this server, I am redirected to a Shibboleth IdP where I insert my username and password, then I add the SMS received, and I am in.

After I am authenticated, I fill in this web form, which correctly returns a result based on the account I am authenticated with. The source code of this web page makes a simple POST call with a couple of parameters, where the web server is the same, something like:

https://www.mywebserver.org:443/web/area/find-product 

Now I need to submit the same form from my code, using a POST call directly, with the same parameters.

However, when I call that page using a POST call with the same parameters, I receive the HTML source code of a web page which starts with

<html>

<head>
    <title>Shibboleth Authentication Request</title>
</head>

<body onload="document.forms[0].submit()">

    <h1>Shibboleth Authentication Request</h1>

    <script type="text/javascript">
        <!--    
        document.write("<p>You are automatically being redirected to the authentication service. ");
        document.write("If the browser appears to be hung up after 15-20 seconds, try reloading ");
        document.write("the page before contacting the technical support staff in charge of the ");
        document.write("authentication service you are trying to access.</p>");
        document.write("<h2>Redirecting...</h2>");
        // 
        -->
    </script>

    <noscript>
        <p>
            <strong>Note:</strong> Since your browser does not support JavaScript, you must press the
            Continue button once to proceed to the authentication service.
        </p>
    </noscript>

    <form method="POST" action="https&#58;//idpcwrapper.crs.*****.it/PublisherMetadata/SSOService">

        <input type="hidden" name="RelayState" value="https&#58;//www.****.***.***.it/web/**/**-**"/>

        <input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5h
bWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBBc3NlcnRpb25Db25zdW1lclNl
cnZpY2VVUkw9Imh0dHBzOi8vd3d3LmZhc2NpY29sb3Nhbml0YXJpby5yZWdp
b25lLmxvbWJhcmRpYS5pdC9jaXR0LXNzYy9wcml2YXRlL1NoaWJib2xldGgu

If I save and run this page using my browser, I'm redirected to the same IdP where I can authenticate as usual.

Now I'm not very familiar with this topic, but since I need to complete my initial POST request to read the answer from code, I suppose I need to "capture" the authentication token and insert it in my POST request, is that correct? And how could I do this?

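Added example, not part of the original question: the page returned above is the service provider's SAML HTTP-POST redirect, and its SAMLRequest field is a Base64-encoded AuthnRequest rather than an authentication token. This Python code parses such a page and decodes that field; the sample page, host names and request ID are constructed placeholders, and the function names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

class AutoPostForm(HTMLParser):
    """Collects the first form's action and every hidden input."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser has already unescaped &#58; to ":"
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value", "")

def inspect_authn_request(page):
    form = AutoPostForm()
    form.feed(page)
    # HTTP-POST binding: plain Base64, no DEFLATE; line breaks in the value are legal
    xml_bytes = base64.b64decode("".join(form.fields["SAMLRequest"].split()))
    if b"<!DOCTYPE" in xml_bytes:  # SAML messages carry no DTD; refuse before parsing
        raise ValueError("DTD in SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "idp_sso_url": form.action,                    # where the browser posts the request
        "relay_state": form.fields.get("RelayState"),  # page to return to after login
        "request_id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
    }

def build_sample_page():
    """Constructed page in the shape shown above; all hosts and IDs are placeholders."""
    req = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed123" Version="2.0" '
           f'AssertionConsumerServiceURL="https://sp.example.org/Shibboleth.sso/SAML2/POST">'
           f'<saml:Issuer xmlns:saml="{SAML}">https://sp.example.org/shibboleth</saml:Issuer>'
           f'</samlp:AuthnRequest>')
    b64 = base64.encodebytes(req.encode()).decode()  # wrapped lines, as in the page
    return (f'<form method="POST" action="https&#58;//idp.example.org/SSOService">'
            f'<input type="hidden" name="RelayState" value="https&#58;//sp.example.org/web/area"/>'
            f'<input type="hidden" name="SAMLRequest" value="{b64}"/></form>')
```

After login, the IdP posts a SAMLResponse to the `acs_url`, and the service provider then tracks the session with a cookie, so a scripted client has to keep one cookie jar across the whole exchange.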