SAML/SSO Ajax requests between two SP's
My brain is about to explode from a lack of understanding of SSO/SAML. I'm currently working on a project whereby we are implementing an SSO identity provider using Shibboleth.

We have SSO up and running and are able to authenticate via one app and navigate to the other unchallenged. Now, the next requirement is to have App A return a page that makes an Ajax call to App B without challenge.

Now, as we have things set up to work front channel (via browser redirects), when we make the Ajax call to App A we get a 301 response, and the redirects between SP/IdP begin, which Ajax obviously doesn't follow.

If, on the other hand, we make an Ajax call from App A to App A, then it sends through its local session ID and has no need to send a redirect to communicate with the IdP.

Now, if I manually navigate to App B via the browser and allow all the redirects to occur (and hence retrieve a local session cookie for App B too), I still cannot make Ajax requests from the response of App A. The reason for this is obviously that the browser will not send through the cookie info for App B, as we are hitting a page on App A's domain.

So my questions are as follows:

  • If App A and App B are sibling subdomains, can we somehow get the browser to pass through all required session cookies?

  • I gather that this sort of SP/IdP communication can occur via a back channel as opposed to the redirects that are occurring via the browser. What I don't understand is how this is possible :-). If I log in via App A then the IdP adds its own session cookie, so it doesn't have to reauthenticate me when the redirects occur after visiting App B. But, if this wasn't done via redirects, then when I visit App B, what can it send to the IdP to authenticate me, as my browser doesn't pass the IdP's cookie to App B in the first place?

Note:

I'm sorry if this isn't too clear, I really can't explain this very well right now. Maybe it's better that I explain what I need to achieve.

  • Hit an application and sign in using SSO
  • The application I signed into is a portal type app with a bunch of Ajax widgets on it.
  • Each widget makes Ajax calls to other apps, which are also secured by SSO

Any ideas? Cheers, Chris.

Gonocyte answered 7/7, 2011 at 11:40 Comment(1)
Chris, did you get any solution for this? (Transcendental)

Though this depends on the systems you are using, let me give you an idea. Use a token (e.g. JWT, JSON Web Token) and use it as a secondary authentication method (linking the token to the "user"). This token can be generated on your server once the "user" has been authenticated through the SSO. Then pass the token to the browser and use it on each request.

Now, what about the redirects? From what I understood, you are using two SPs (service providers), one for each "sub domain". If so, a request from website A to website B (despite CORS and other config) could be authenticated using the token (you may add this authentication method so that if a token is present, no other authentication is required - the request passed the security layer).

Now, despite that idea, regarding the redirects and keeping the session: the IdP/SP interaction provides an "identity", but once your server receives it (on the SP), you may set your session (which can be done for example through a cookie, ...), validate permissions, roles, etc. Then, the problem isn't about the IdP/SP interaction but the session validation. Here is where the usage of a token may be a good idea, because you want to avoid cookie management through JS (insecure).

I hope this helps you to understand the process so that you can find other ideas by reducing the complexity of the whole.

Hydrocarbon answered 2/1 at 13:40 Comment(0)
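The token scheme this answer describes, as an added example that is not part of the original post or of any Shibboleth component: App A mints a short-lived HS256 JWT once its SP has accepted the SAML assertion, the widget sends it as a bearer header, and App B verifies it and answers 401 (not a redirect chain) when it is missing or bad. It assumes a secret shared between the two SPs, an audience of "app-b", and a principal named "chris"; all values are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by App A (issuer) and App B (verifier); real SPs
# would load it from configuration (assumption, not from the page).
SHARED_SECRET = b"demo-shared-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(saml_principal: str, audience: str, ttl: int = 300, now=None) -> str:
    """App A mints this after its SP accepted the SAML assertion (principal = REMOTE_USER)."""
    now = int(time.time()) if now is None else now
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    claims = {"iss": "app-a", "sub": saml_principal, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_audience: str, now=None):
    """App B's check on the bearer token; returns claims or None (no 301 to the IdP)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, c64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except ValueError:                 # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":   # token must not pick the alg
        return None
    expected = hmac.new(SHARED_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims, dict) or claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims

def handle_app_b_request(headers: dict, now=None):
    """Stand-in for App B's security layer on an Ajax endpoint."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None               # a 401 the widget can act on, not a redirect chain
    claims = verify_token(auth[len("Bearer "):], "app-b", now)
    return (200, claims["sub"]) if claims else (401, None)
```

App B still needs a CORS policy that allows App A's origin and the Authorization header, otherwise the browser blocks the call before the token is ever checked.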
