I'm trying to configure Shibboleth Service Provider for two sites on one IIS instance:
- Frontend with static HTML - just SPA - for example site.com
- Backend with API - just REST - for example site-api.com
So, when I'm opening the first entry point I have 302 response with a redirect to IdP, after entering credentials - redirect to site.com/Shibboleth.sso/SAML2/POST and all is working fine.
My SPA is running in browser and making an AJAX request to site-api.com. And here is a problem because I have 302 response with a redirect to IdP again. In case if a browser is making request I don't have any problems, because redirect to IdP browser processing automatically. And again after authentication by session cookie on IdP it redirects to site-api.com/Shibboleth.sso/SAML2/POST.
How can I share a session between two sites? Is it possible to not have redirect after the first request to site-api.com in case if user has already been authenticated on site.com.
I have used for second site:
<ApplicationOverride id="site-api" entityID="https://site-api.com/shibboleth" />
Also, I registered ISAPI and RequestMap for site-api.com. Technically it's working as for site.com.
I guess I can share the session somehow by using attribute in XML config file, but nothing works for me. Please help. :)
Using an ApplicationOverride in Shibboleth SP invokes the secondary application as a separate service, i.e. you've established that that entityID is unique. In the case of a secondary API, I wouldn't protect it with Shibboleth, i.e. why protect it with the Shibboleth SP (which is built for ensuring authentication occurs against an IdP) if you're making RESTful calls from a site that's already authenticated. I think you need to re-think your authentication workflow... a more reasonable idea:
(1) Obtain session for site.com from the IdP using SAML/Shibboleth,
(2) Generate an application session based upon the SP session (review Sessions in the SAML flow, there's actually several, not just an SP session). Not to mention that Shibboleth is built for Authentication, not Authorization.
(3) Make a REST API call based on whatever API security mechanism you want... i.e. you could build a JWT based on the SAML assertion data and verify it's valid at the API endpoint because you know the certs.
The SAML web flow isn't really built for APIs like you're attempting to use it here... the 302 that you're trying to get rid of, that's a MUST in a SAML workflow.