SAML based SSO for a Single page application (angular JS) + ADFS


Akshay

Oct 12, 2017, 2:25:41 PM
to Pac4j users mailing list
Hello!

We are implementing a SAML based SSO using ADFS. We have a single page application (SPA) on the client side implemented using Angular 4. And our RESTful API is secured by Pac4j. We are facing a few difficulties with handling the AJAX requests. Here is what we are doing:

We make an AJAX call to a protected URL. A 401 is returned (because it is the default behaviour of the DefaultAjaxRequestResolver?). When we get a 401 on the client side, we call a protected URL (a controller whose only job is to redirect back to the front end application after authentication) at the window level, which triggers authentication via ADFS.

But the issue is, even after the user is authenticated, for every AJAX call that is made, a 401 is returned.

1) Is this the expected behaviour?
2) If so, what is the alternate solution? I understand that we can specify another behaviour using a custom AjaxRequestResolver. But, I'm not sure how I should go about it.
3) Is there any other way I can solve this problem?

Any help would be greatly appreciated :)

Jérôme LELEU

Oct 13, 2017, 9:47:00 AM
to Akshay, Pac4j users mailing list
Hi,

After the successful ADFS authentication, the user profile has been saved in the session, but by default web services do not rely on the web session (just the HTTP request, to avoid creating useless sessions).

You can control that by overriding the loadProfilesFromSession method of the DefaultSecurityLogic which is internally used by the SecurityFilter. Maybe we should have a loadProfileFromSession property like the saveProfileInSession property to control that as well.

Thanks.
Best regards,
Jérôme


Akshay

Oct 15, 2017, 2:12:02 PM
to Pac4j users mailing list
Jérôme, thank you so much for the reply!

Can you please guide me as to how I might override the loadProfilesFromSession method? When I check the logs, the loadProfilesFromSession method appears to return true.

Also, I'm not really sure how overriding this method might help solve the problem I have?

Thanks in advance!

Jérôme LELEU

Oct 16, 2017, 11:20:56 AM
to Akshay, Pac4j users mailing list
Hi,

I meant overriding by creating a new class, but the goal was to return true instead of false, which is already the case.

It's not exactly what I expected. Can you turn on DEBUG logs on org.pac4j and post them?

Thanks.
Best regards,
Jérôme


Akshay

Oct 16, 2017, 12:20:06 PM
to Pac4j users mailing list
Thanks again Jerome!

Here are the logs -
second_ajax_request_after_authentication_logs
after_authentication_pac4j_logs
before_authentication_pac4j_logs

Jérôme LELEU

Oct 18, 2017, 2:25:07 AM
to Akshay, Pac4j users mailing list
Hi,

The login process works as you are authenticated on the https://our-url/rest/user/saml/redirect URL (after_authentication_pac4j_logs), though the second AJAX request fails despite the loadProfilesFromSession: true.

Even stranger, the request just after works. So I assume that there is something wrong with your AJAX request: is the JSESSIONID available on this request? Can you post one of these AJAX requests?

Thanks.
Best regards,
Jérôme


Akshay

Oct 31, 2017, 3:15:40 AM
to Pac4j users mailing list
Thank you so much Jerome! You were right, it was indeed a problem with the AJAX requests. I had to set 'withCredentials: true' while sending the AJAX requests, and it solved the problem.

Thank you so much for taking your time out to help me! Really appreciate it!
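
The fix reported above, as an added example that is not part of the thread or of pac4j: a request wrapper that sends the session cookie only to the API origin, plus the response-header check a browser applies to credentialed cross-origin replies. It assumes the SPA and the API are on different origins (the only case where `withCredentials` changes anything); `API_ORIGIN`, `SPA_ORIGIN` and the function names are hypothetical.

```javascript
// Added example, not code from the thread. API_ORIGIN and SPA_ORIGIN are
// assumed placeholder origins; LOGIN_PATH is the redirect path quoted in the thread.
const API_ORIGIN = "https://api.example.test";
const SPA_ORIGIN = "https://app.example.test";
const LOGIN_PATH = "/rest/user/saml/redirect";

// Attach the session cookie only to calls that go to our own API, so the
// JSESSIONID is never offered to any other origin the SPA talks to.
// Parsing the URL (instead of a string prefix test) handles look-alike hosts.
function credentialsFor(url) {
  const target = new URL(url, API_ORIGIN);
  return target.origin === API_ORIGIN ? "include" : "omit";
}

// Browser rule for credentialed cross-origin responses: the server must echo
// the exact page origin (a "*" wildcard is rejected) and send
// Access-Control-Allow-Credentials: true, or the script cannot read the reply.
function corsAllowsCredentials(pageOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  return h["access-control-allow-origin"] === pageOrigin &&
         h["access-control-allow-credentials"] === "true";
}

// fetch() wrapper: `credentials: "include"` is the fetch equivalent of
// `withCredentials: true` on XMLHttpRequest or Angular's HttpClient.
// On a 401 from the API it passes the top-level login URL to the caller,
// which navigates the window there to start the ADFS round trip.
async function apiFetch(url, { fetchImpl = fetch, onLoginRequired = () => {} } = {}) {
  const target = new URL(url, API_ORIGIN);
  const res = await fetchImpl(target.href, { credentials: credentialsFor(target.href) });
  if (res.status === 401 && target.origin === API_ORIGIN) {
    onLoginRequired(API_ORIGIN + LOGIN_PATH);
  }
  return res;
}
```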

rangde...@gmail.com

Jun 30, 2018, 4:44:21 AM
to Pac4j users mailing list
Dear Akshay,

We have a requirement to establish an SPA with ADFS and SAML 2.0.
Can you please guide me on how to set up the infrastructure to access the same?

Thanks and Regards,
Rakesh Kamble

Phalgun Vaddepalli

Dec 27, 2018, 7:15:43 AM
to Pac4j users mailing list
Hi Rakesh,

Even I want the same information. Did you happen to find it?