Need help to integrate SSO with SAML for one of the applications through Chrome extension


Het Patel

Nov 27, 2025, 4:56:59 AM
to Chromium Extensions
Hi everyone,

I have one application which supports SSO login by SAML only. I want to create a Chrome extension for it and give users the option to log in to that application using SSO from the extension, in order to use some of the application's APIs. Currently, the flow of API calls is as follows if you access the application from a normal web page:

1. Once you click "login with SSO", it calls the `application_host/ssologin` endpoint, which redirects to the SSO provider's page.
2. The user can log in to the IdP (SSO provider), and then it will send the SAML response, which contains the application's redirection URL, which in our case is `application_host/acs`, which will be called by the SSO provider's front end (inside the browser).
3. The ACS endpoint now redirects to `application_host/login?saml_token=TOKEN` and it logs in the user.

Now, I would like to provide the same "login with SSO" button in my extension. I will take the application_host from the user (this is most likely going to be an internally hosted application), and my aim is to receive the saml_token, as from there I can call another API of the application using that to get the API token.

The current challenge is that `chrome.identity.launchWebAuthFlow` will only give me the redirect URL if it matches `https://<app-id>.chromiumapp.org/*`, which won't be the case in my application, as it will finally redirect to `application_host/login?saml_token=TOKEN`.

Can someone provide some insight on what approach I can take to actually provide this feature?

Thanks!

Oliver Dunk

Nov 27, 2025, 6:45:52 AM
to Het Patel, Chromium Extensions
Hi Het,

I must confess, I haven't worked with SAML as much as I would like to. But I think I can give answering this a try...

Presumably you are in control of application_host, right? If so, could you update it to redirect to `https://<app-id>.chromiumapp.org/*` in this instance? If necessary you could set some cookies or local data when `application_host/ssologin` is reached to track that you are doing authentication for a Chrome Extension and what the ID is. Then, when the user returns, you can have some special additional behavior compared to signing in on the web.

If making changes to application_host is infeasible, you might want to look at approaches other than using `chrome.identity.launchWebAuthFlow`. These would require host permissions for application_host. But you would then be able to (for example) detect in a content script when `application_host/login?saml_token=TOKEN` is reached and send a message to the background script in your extension.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB
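
The content-script hand-off suggested in the reply above, as an added example (not code from the thread or from Chrome's documentation): the content script only signals that the login page was reached, and the background script reads the token from the browser-supplied `sender.url` after checking the sender and origin. The message type, function names and storage keys are constructed for illustration, and the application origin is assumed to have been saved earlier from the user's input.

```javascript
// Added example. Constructed names: MSG_TYPE, tokenFromLoginUrl, acceptHandoff,
// and the storage keys applicationOrigin / samlToken.
const MSG_TYPE = "saml-login-reached";

// Return saml_token only for https://<configured origin>/login?saml_token=...
function tokenFromLoginUrl(pageUrl, configuredOrigin) {
  let url, expected;
  try {
    url = new URL(pageUrl);
    expected = new URL(configuredOrigin);
  } catch (e) {
    return null; // unparsable or missing URL
  }
  if (url.protocol !== "https:" || url.origin !== expected.origin) return null;
  if (url.pathname !== "/login") return null;
  return url.searchParams.get("saml_token") || null;
}

// Background-side check. The token is parsed from sender.url, which the browser
// fills in, rather than from the message body, which the sending script controls.
function acceptHandoff(message, sender, extensionId, configuredOrigin) {
  if (!message || message.type !== MSG_TYPE) return null;
  if (!sender || sender.id !== extensionId) return null; // our own content script only
  if (sender.frameId !== 0) return null; // top-level frame only
  return tokenFromLoginUrl(sender.url || "", configuredOrigin);
}

// Content script (registered for https://<application_host>/login*) sends only:
//   chrome.runtime.sendMessage({ type: "saml-login-reached" });

// Background wiring; skipped when the chrome.* APIs are absent (e.g. under Node).
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender) => {
    chrome.storage.local.get("applicationOrigin").then(({ applicationOrigin }) => {
      const token = acceptHandoff(message, sender, chrome.runtime.id, applicationOrigin);
      // storage.session is held in memory and cleared when the browser closes.
      if (token) chrome.storage.session.set({ samlToken: token });
    });
  });
}
```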



Het Patel

Nov 28, 2025, 1:24:41 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, Het Patel
Thanks, Oliver, for the response.

Unfortunately, changing the application_host's backend code is currently out of scope. So, we are not able to use SAML for SSO login from a Chrome extension as of now. Dynamic redirect is sort of a limitation of SAML, and combining it with Chrome extensions' restrictions about authFlow makes it sort of impossible to implement.

I am reverting on this for anyone else referring to this later for a solution:
- You can't provide SSO with SAML from an extension without risking security (even with changes to the backend).
- You can utilise something similar to what Okta's browser extension does, which basically uses the same login session from the web browser itself using cookies.

Oliver Dunk

Nov 28, 2025, 6:33:30 AM
to Het Patel, Chromium Extensions
Hi Het,

Based on my understanding of the use case, I wouldn't agree that this is impossible to do safely from a Chrome Extension.

I would certainly advise against collecting authentication cookies where possible and encourage anyone else with the same use case to look into the content scripts approach I suggested.

Best of luck with your extension though :)
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB
