0

I am taking this answer as base for my question because I was nearly there...

I am building a proxy that would convert Okta SAML into our own JWT. Idea is - take SAML token and use it to make our private JWT with claims. The setup is JS UI - .net WEB API - Okta SSO

From .net web API I've successfully connected to Okta and got token using POST payload

{
  "username": "myuser@company.com",
  "password": "mysecret",
  "options": {
    "multiOptionalFactorEnroll": false,
    "warnBeforePasswordExpired": false
  }
}

Then I've retrieved the one-time token (cookie token) from the response using POST on https://SomeCompany.okta.com/api/v1/sessions?additionalFields=cookieToken with payload

{ "sessionToken": "token I retrieved in the step 1" }

And this ^^ gave me the response which contains the cookieToken. And now I used this cookie token to make a GET request to the URL set in my Okta application, which looks like https://SomeCompany.okta.com/app/SomeCompanysso_123/4tg7uknm765on6yhnmk/sso/saml

I added a query parameter so it looks like https://SomeCompany.okta.com/app/SomeCompanysso_123/4tg7uknm765on6yhnmk/sso/saml?onetimetoken=THE_TOKEN_I_GOT_IN_STEP2

And this fetched me the whole SSO HTML page with SAML token in the hidden field SAMLResponse.

Is there a way to get this SAMLResponse cleanly, without need to rip it out of HTML and if not, what is the efficient way to do it?

Thanks

T.S.
  • 18,195
  • 11
  • 58
  • 78
  • Are you aware that SAML works through a user-agent? So how do you expect it to be clean? One other thing I'd recommend is to go not to /sso/saml endpoint, but to embedded URL which is on your SAML app page. It might be bit better for you to process – Philipp Grigoryev Aug 25 '22 at 01:31
  • @PhilippGrigoryev I am not aware of anything, For me, this is R&D. I learn as I go. I know that out guys developed SSO Okta logon via page. In my case there will be no page, This is API-to-API.. Basically SP-initiated... Are you saying, because browser generally is the user agent that sends requests between SSO point and SP, I can only get that page. always? Please elaborate. *"embedded URL...on your SAML app page"* - I don't have any pages. Please elaborate. I have a web api. Thank you – T.S. Aug 25 '22 at 01:41
  • Ask the guys doing Okta administration to give your "embedded URL". It's in Okta App settings. And yes, SAML is not meant to do service-to-service communication. SAML or other SSO mechs are done to propagate user identity, where is here you don't have any. For your use case API token or other mechanisms look better. You never mentioned why you do all these tricks. What is the end goal? – Philipp Grigoryev Aug 25 '22 at 13:01
  • @PhilippGrigoryev We want to abstract all authentication schemes via our own proxy and isolate from different apps we have. Our different apps will use this proxy to logon while we can change the SSO provider at any time without affecting actual applications. Now, it will convert SAML into our own JWT scheme – T.S. Aug 25 '22 at 13:39
  • Were you able to figure out how can we do this cleanly without parsing the HTML response. I am working on a product in which I have to do the same things hence looking for cleaner ways. – Prateek Jun 20 '23 at 23:15
  • @Prateek yea, fairly clean way, including the answer below `if (TryRetrieveSessionToken(out string sessionToken)) if (TryRetrieveCookieToken(sessionToken, out string cookieToken)) if (TryRetrieveSamlToken(cookieToken, out string samlTokenEncoded))` – T.S. Jun 21 '23 at 02:15
  • @T.S. ,Thank you for your response, can you please share the specific API Calls, I can see multiple API's to get the cookie Token from the session Token. Same for TryRetrieveSamlToken as well – Prateek Jun 22 '23 at 16:57
  • @Prateek I am not allowed to publish company code. This is intellectual property I developed on company property using company time. I gave you the list of calls you need to make ^^. And the answer with the detail is below – T.S. Jun 26 '23 at 12:32

1 Answers1

0

Based on the question, this is the answer to the last part for the obtaining of SAML token cleanly. We retrieve the HTML Document, load it into the c# instance and take the SAML token node for further processing.

// token comes in the controle with this name
private const string _samlTokenFormControlName = "SAMLResponse";

// here response content 'string responseContent' is HTML page
var htmlDoc = new HtmlDocument();
try
{
    htmlDoc.LoadHtml(responseContent);
    HtmlNodeCollection nodes =
    htmlDoc.DocumentNode.SelectNodes($"//input[@name='{_samlTokenFormControlName}']");
    if (nodes.Count > 0)
    {
        samlToken = nodes[0].GetAttributeValue("value", null);
        if (samlToken != null)
            retVal = true;
        }
}
catch
{}

return retVal; // gets me clean SAML token

After this I decode this token and retrieve Claims out of it using Microsoft.IdentityModel.Tokens.Saml2.

T.S.
  • 18,195
  • 11
  • 58
  • 78