How to get a SAML token from OKTA from .NET web service code without using a browser?

Problem description:

We have a hybrid mobile app built with Kendo UI and a backend .NET web service. All calls from the UI go through ajax. Now we need to integrate the app with OKTA for user authentication, but we are not sure how to get a SAML token from OKTA directly from a web service call.

We have already implemented a call to ADFS (active endpoint) from the web service to get a SAML token using Windows Identity Framework, and it works.

If anybody can share experience or point out the solution, it will be much appreciated!

You can use the following sequence to obtain the SAML assertion:

1) You can use /api/v1/authn to get a sessionToken. This will require user credentials. A sample request would look like:

{
  "username": "john.doe@foo.com",
  "password": "myPa$$word",
  "relayState": "/myapp/some/deep/link/i/want/to/return/to",
  "options": {
    "multiOptionalFactorEnroll": false,
    "warnBeforePasswordExpired": false
  }
}

The response will return a sessionToken value.

2) Now, using that value as input, you can call /api/v1/sessions?additionalFields=cookieToken to return a cookieToken.

The request would look like:

{
  "sessionToken": "1234123DGSABDaSDBasdbaasbdasdb-ABCDEAERasdlzxk"
}

The response will contain a cookieToken value.

3) Now you can use the app SSO URL that would trigger SAML, and attach the one-time cookieToken at the end to get the SAML assertion. If you paste this URL in a browser, it will actually log you into the SAML-enabled app.

A sample URL would be:

https://myorg.okta.com/home/salesforce/0oa31deg4ABCDEFGHIJ/46?onetimetoken=1234123DGSABDaSDBasdbaasbdasdb-ABCDEAERasdlzxk
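The three steps of the answer above as one runnable client, added here as an example; it is not code from the question, the answer or Okta. It uses only the Python standard library and keeps the HTTP transport injectable, so the flow can be exercised offline against constructed Okta responses. It also adds the two checks a service calling these endpoints needs: the authn transaction status is verified before sessionToken is read (an MFA_REQUIRED or PASSWORD_EXPIRED transaction carries none), and the SSO request never follows redirects, because a 3xx on that step means the one-time token was rejected. The org URL, every token value, the ACS URL and the fake responses are placeholders, and the shape of the final SSO page (an HTML form with a hidden SAMLResponse field, i.e. the SAML HTTP-POST binding that the answer says logs a browser in) is an assumption.

```python
import base64
import http.client
import json
import urllib.parse
from html.parser import HTMLParser

ORG_URL = "https://myorg.okta.com"  # placeholder org
APP_SSO_URL = ORG_URL + "/home/salesforce/0oa31deg4ABCDEFGHIJ/46"  # app SSO URL from the answer


class SamlFormParser(HTMLParser):
    """Pulls the ACS action and hidden SAMLResponse out of the IdP's auto-submit form."""
    def __init__(self):
        super().__init__()
        self.action = self.saml_response = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.action = a["action"]
        if tag == "input" and a.get("name") == "SAMLResponse":
            self.saml_response = a.get("value")


def http_transport(method, url, body=None, headers=None):
    """Live transport over http.client, which never follows redirects (a 3xx on the SSO
    step means the one-time token was rejected, and the caller must see that)."""
    u = urllib.parse.urlsplit(url)
    conn = http.client.HTTPSConnection(u.netloc, timeout=15)
    conn.request(method, u.path + ("?" + u.query if u.query else ""),
                 body=json.dumps(body).encode() if body is not None else None, headers=headers or {})
    resp = conn.getresponse()
    return resp.status, resp.read().decode()


class OktaSamlClient:
    def __init__(self, org_url, transport=http_transport):
        self.org_url, self.transport = org_url.rstrip("/"), transport

    def _post_json(self, path, body):
        hdrs = {"Accept": "application/json", "Content-Type": "application/json"}
        status, text = self.transport("POST", self.org_url + path, body, hdrs)
        if status != 200:
            raise RuntimeError(f"{path} returned HTTP {status}")
        return json.loads(text)

    def session_token(self, username, password):
        """Step 1: primary auth. Only a SUCCESS transaction carries a sessionToken."""
        doc = self._post_json("/api/v1/authn", {
            "username": username, "password": password,
            "options": {"multiOptionalFactorEnroll": False, "warnBeforePasswordExpired": False}})
        if doc.get("status") != "SUCCESS":  # MFA_REQUIRED, PASSWORD_EXPIRED etc. need their own handling
            raise RuntimeError(f"authn status {doc.get('status')!r}: no sessionToken issued")
        return doc["sessionToken"]

    def cookie_token(self, session_token):
        """Step 2: trade the sessionToken for a session plus a one-time cookieToken."""
        doc = self._post_json("/api/v1/sessions?additionalFields=cookieToken",
                              {"sessionToken": session_token})
        return doc["cookieToken"]

    def saml_response(self, app_sso_url, cookie_token):
        """Step 3: GET the app SSO URL with onetimetoken=<cookieToken>; Okta consumes the token
        and (assumed) answers with the SAML HTTP-POST binding form. Returns (ACS URL, XML)."""
        url = app_sso_url + "?" + urllib.parse.urlencode({"onetimetoken": cookie_token})
        status, html = self.transport("GET", url, None, {"Accept": "text/html"})
        if status != 200:
            raise RuntimeError(f"SSO URL returned HTTP {status}: token expired, reused or invalid")
        p = SamlFormParser()
        p.feed(html)
        if not p.saml_response:
            raise RuntimeError("SSO page carried no SAMLResponse form")
        return p.action, base64.b64decode(p.saml_response).decode()


# Constructed stand-in for Okta so the flow runs offline; no token or id below is real.
FAKE_ASSERTION = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Assertion'
                  ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject><saml:NameID>'
                  'john.doe@foo.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')


def make_fake_transport():
    used = set()  # one-time tokens already consumed
    def fake(method, url, body=None, headers=None):
        if url.endswith("/api/v1/authn"):
            if body["username"] == "mfa.user@foo.com":
                return 200, json.dumps({"status": "MFA_REQUIRED", "stateToken": "st-1"})
            return 200, json.dumps({"status": "SUCCESS", "sessionToken": "sess-ABC"})
        if url.endswith("/api/v1/sessions?additionalFields=cookieToken"):
            return 200, json.dumps({"id": "102abc", "cookieToken": "onetime-XYZ"})
        if method == "GET" and url.startswith(APP_SSO_URL + "?"):
            tok = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("onetimetoken", [""])[0]
            if tok != "onetime-XYZ" or tok in used:
                return 302, ""  # Okta bounces an unusable token to its login page
            used.add(tok)
            b64 = base64.b64encode(FAKE_ASSERTION.encode()).decode()
            return 200, ('<html><body><form method="POST" action="https://sp.example.com/acs">'
                         f'<input type="hidden" name="SAMLResponse" value="{b64}"/></form></body></html>')
        return 404, ""
    return fake
```

Chaining `session_token`, `cookie_token` and `saml_response` is the whole web service method; `OktaSamlClient(ORG_URL)` with the default transport talks to a real org, `OktaSamlClient(ORG_URL, transport=make_fake_transport())` runs the same code against the constructed responses. The cookieToken is single-use and short-lived (the fake enforces that), and both it and the sessionToken are user credentials: do not log them, and note that the one-time token necessarily travels in a query string, so the SSO request will appear in any proxy or web server access log on the path. The decoded XML is the full SAMLResponse; its signature still has to be verified by whoever consumes it, exactly as when a browser posts it to the ACS URL.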