AJAX SAML / SSO Requests Between Two SPs

My brain is about to explode due to a lack of understanding of SSO / SAML. I am currently working on a project in which we are implementing a single sign-on identity provider using Shibboleth.

We have SSO and it works, and they can authenticate through one application and move to another without changes. Now the next requirement is for application A to return a page that makes an Ajax call to application B without too much.

Now that we have the front channel configured to work (via browser redirection), when we make an Ajax call in application A we get a 301 answer, and the redirects between SP / IdP begin, which Ajax obviously does not follow.

If, on the other hand, we make an Ajax call from application A to application A, then it sends the local session identifier with it and does not need to be redirected to communicate with the IdP.

Now, if I manually go to application B through the browser and allow all the redirects (and therefore also get a local cookie for application B), then I still cannot make Ajax requests from the page returned by App A. The reason for this is that the browser will not send the cookie information for application B, since the page we are clicking on is in the domain of App A.

So my questions are:

  • If App A and App B are child domains, can we somehow force the browser to pass all the necessary session cookies?

  • I understand that such a connection between SP / IdP can occur through the back channel, as in the case of the redirects that occur through the browser. I do not understand how this is possible :-). If I log in through application A, then the IdP adds its own session cookie, so it should not re-check me when the redirects occur after visiting application B. But if this is not done through redirects, then I do not see how, when I am in application B, it can send me to the IdP to authenticate me, since my browser does not send the IdP cookie to App B in the first place.

Note:

I'm sorry if this is not too clear, I really cannot explain it very well right now. Maybe I better explain what I need to achieve.

  • Click the app and log in using SSO
  • The application I signed up for is a portal type application with a bunch of ajax widgets on it.
  • Each widget makes Ajax calls to other applications that are also protected by SSO

Any ideas? Hi Chris.
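As an added example (not code from the question or from Shibboleth), here is how a portal widget on app-a.example.com can make credentialed AJAX calls to a second SP on app-b.example.com and recognise the SP-initiated SAML redirect instead of silently failing on it; the host names, cookie name and allowed-origin list are assumptions.

```javascript
// Added example, not code from the question or from Shibboleth. Host names,
// cookie name and the allowed-origin list below are assumptions for illustration.

// --- App B (the second SP), server side ---------------------------------------
// Credentialed cross-origin requests are only honoured when the origin is echoed
// explicitly; browsers reject "*" together with Access-Control-Allow-Credentials.
const ALLOWED_ORIGINS = new Set(['https://app-a.example.com']);

function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return null; // unknown origin: no grant
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // responses differ per origin, so caches must not mix them
  };
}

// App B's own SP session cookie. Sibling subdomains of one registrable domain are
// same-site, so SameSite=Lax is enough; unrelated sites need SameSite=None; Secure.
function sessionCookieHeader(name, value, crossSite) {
  const sameSite = crossSite ? 'SameSite=None; Secure' : 'SameSite=Lax; Secure';
  return `${name}=${value}; Path=/; HttpOnly; ${sameSite}`;
}

// --- App A portal page, browser side -------------------------------------------
// With redirect: 'manual', a 3xx from the SP (the start of the SAML dance) comes
// back as an opaque redirect instead of being followed into the IdP by the XHR.
function classifyWidgetResponse(res) {
  if (res.type === 'opaqueredirect') return 'needs-login';
  if (res.status === 401 || res.status === 403) return 'needs-login';
  return res.ok ? 'ok' : 'error';
}

async function fetchWidgetData(url) {
  // credentials: 'include' makes the browser attach App B's cookie even though the
  // calling page lives on App A; this is the part a plain XHR does not do by default.
  const res = await fetch(url, { credentials: 'include', redirect: 'manual' });
  switch (classifyWidgetResponse(res)) {
    case 'ok':
      return res.json();
    case 'needs-login':
      // XHR cannot complete the SP/IdP redirects: send the whole window (or a popup)
      // through them once, then the widget can retry with a valid App B session.
      window.location.assign(url);
      return null;
    default:
      throw new Error(`widget request failed with HTTP ${res.status}`);
  }
}
```

The browser only attaches App B's cookie once that SP session exists, so the first widget call after login still has to go through a top-level navigation or popup; sending credentials cross-origin does not bypass the IdP.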
