Making Ajax play with Passive ADFS 2.1 (and 2.0) – JSONP & Pre-Authentication

The first post described the issue of using ADFS and Ajax to create SSO between a WebApp and a WebAPI.
This solution uses JSONP and pre-authentication to achieve SSO between sites on different domains.

Solution Overview

We add an HTML page (or handler) to the WebAPI solution.
Whenever we make a call to the WebAPI, we first load the HTML page in an iFrame. This iFrame call handles all the ADFS redirects and sets the session cookies for the WebAPI.
These session cookies are then sent (automatically) with the next JSONP call to the server.

Caveats

  • Like all the solutions, this expects that the user has authenticated with ADFS via the WebApp. When the iFrame hits the WebAPI pre-auth HTML page, the request is redirected to ADFS; if the user already has a session (one that is compatible with the WebAPI relying party), a token is issued without further authentication.
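
The flow from the Solution Overview, sketched as client-side JavaScript. This is an added example, not code from the original post; it assumes the pre-auth page signals completion with `postMessage('preauth-done', ...)` and that the WebAPI reads the JSONP callback name from a `callback` query parameter (both hypothetical, as are the function names).

```javascript
// Added example, not code from the original post. Assumptions: the pre-auth
// page calls parent.postMessage('preauth-done', <WebApp origin>) when loaded,
// and the WebAPI takes the JSONP callback name in a `callback` parameter.
function preAuthenticate(win, preAuthUrl, timeoutMs = 10000) {
  const apiOrigin = new URL(preAuthUrl).origin;
  return new Promise((resolve, reject) => {
    const frame = win.document.createElement('iframe');
    const finish = (settle, value) => {
      clearTimeout(timer);
      win.removeEventListener('message', onMessage);
      frame.remove();
      settle(value);
    };
    // The passive flow passes through an intermediate form-post page, so wait
    // for an explicit signal and accept it only from the WebAPI's own frame.
    const onMessage = (ev) => {
      if (ev.origin !== apiOrigin || ev.source !== frame.contentWindow) return;
      if (ev.data === 'preauth-done') finish(resolve);
    };
    const timer = setTimeout(() => finish(reject, new Error('pre-auth timed out')), timeoutMs);
    win.addEventListener('message', onMessage);
    frame.style.display = 'none';
    frame.src = preAuthUrl;
    win.document.body.appendChild(frame);
  });
}
let jsonpCounter = 0;
function jsonp(win, apiUrl, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    const name = `jsonpCallback${Date.now()}_${jsonpCounter++}`; // unique per call
    const url = new URL(apiUrl);
    url.searchParams.set('callback', name);
    const script = win.document.createElement('script');
    const finish = (settle, value) => {
      clearTimeout(timer);
      delete win[name];
      script.remove();
      settle(value);
    };
    const timer = setTimeout(() => finish(reject, new Error('JSONP timed out')), timeoutMs);
    win[name] = (data) => finish(resolve, data);
    script.onerror = () => finish(reject, new Error('JSONP request failed'));
    script.src = url.toString();
    win.document.head.appendChild(script);
  });
}
// Cookies set inside the iframe are sent with the script request that follows.
const callApi = (win, preAuthUrl, apiUrl) =>
  preAuthenticate(win, preAuthUrl).then(() => jsonp(win, apiUrl));
```

In a page, call `callApi(window, preAuthUrl, apiUrl)`. Browsers that block third-party cookies will not keep the session cookie set inside the cross-site iframe, in which case the JSONP call arrives unauthenticated.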

6 thoughts on “Making Ajax play with Passive ADFS 2.1 (and 2.0) – JSONP & Pre-Authentication”

  1. Bill Faulk says:

    Is there some particular content in preauth.html? For some reason the file I created doesn’t even require authentication so doesn’t do anything for the issue. If I just open up a browser and use the url to the preauth.html file I don’t even get prompted for credentials.

  2. adammills says:

    .html files are not being protected then. Either rectify that, or use a server-side extension that your system is using, like .aspx.

    • Bill Faulk says:

      But why aren’t .html files being protected? Shouldn’t they be? Is there some configuration option that changes this?

      Actually, I tried this with a preauth.aspx and I see it getting authenticated but looking at the results of my ajax call in fiddler I still see “Script is disabled. Click Submit to continue”.

  3. Bill Faulk says:

    I figured out the main issue. Putting the preauthentication in an iFrame didn’t work; I had to put it in a new (small) window. This may be something in later versions of browsers perhaps? I’ve been seeing those little windows pop up various places where I have authenticated sites communicating back and forth and I suppose this might be why.
