
I have a .NET Core application consisting of a web front-end written as a single page app in React JS and backed by a .NET Core API services app to supply its data. They're deployed as separate applications in IIS, so the URLs are like this:

https://example.com/FooBar
https://example.com/FooBarAPI

I've been tasked with integrating the FooBar site with our corporate SSO, which uses SAML and authenticates against ADFS. They've provided me with a metadata XML file from ADFS that, as I understand it, contains all the details I need to put in my web.config to get this working. I've found some good examples on stackoverflow for getting the FooBar site protected from unauthorized access and working with SSO.

But what about the API app that the JavaScript needs to call? How does that piece of the puzzle fit? How does the API know that the JS client is part of the same app/user and that they are authenticated to make requests for data?


How does the API know that the JS client is part of the same app/user and that they are authenticated to make requests for data?

Client registration identifies the JS client. The implicit flow and its resultant id_token identifies the end-user.

These are the very high level steps:

  1. Register the JS client (the public client).
  2. From the JS client, use the ADFS implicit flow to fetch an end-user id_token.
  3. From the JS client, call your API with the id_token.

This documentation appears to match your use case reasonably well and provides a high level overview:

...when the user signs in, the JavaScript front end uses Active Directory Authentication Library for JavaScript (ADAL.JS) and the implicit authorization grant to obtain an ID token (id_token) from Azure AD. The token is cached and the client attaches it to the request as the bearer token when making calls to its Web API back end, which is secured using the OWIN middleware.


If I were in your shoes, I would first make the demo application from that documentation work with my ADFS tenant. Then, I would translate its setup to my React/ASP.NET Core app.
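The API side of step 3, as an added example that is not part of the question, the answer, or the linked Microsoft sample: an ASP.NET Core 2.x `Startup` for the FooBarAPI project that validates the bearer `id_token` against ADFS's published signing keys and rejects tokens minted for any other client. The ADFS host name and the client id are placeholders you replace with the values from your own client registration.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // ADFS OpenID Connect authority (placeholder host). The middleware
                // fetches /.well-known/openid-configuration from here and uses the
                // published issuer and signing keys, so token signatures are
                // checked against ADFS's keys rather than a shared secret.
                options.Authority = "https://adfs.example.com/adfs";
                // An id_token's "aud" claim is the client id ADFS assigned when the
                // JS client was registered; tokens issued for other apps are refused.
                options.Audience = "PLACEHOLDER-JS-CLIENT-ID";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,           // issuer comes from discovery metadata
                    ValidateAudience = true,
                    ValidateLifetime = true,         // expired or not-yet-valid tokens fail
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromMinutes(2)
                };
            });
        services.AddAuthorization();
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must precede MVC so HttpContext.User is populated
        app.UseMvc();
    }
}

// Every action here requires a validated bearer token; a call without one
// (or with a token for another audience) gets 401 instead of data.
[Authorize]
[Route("api/[controller]")]
public class DataController : Controller
{
    [HttpGet]
    public IActionResult Get() => Ok(new { user = User.Identity.Name });
}
```

The React client sends the cached token on each call as `Authorization: Bearer <id_token>`; because the API has its own CORS and authentication configuration, a SAML session on the FooBar site alone does not authorize calls to FooBarAPI.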
