Hector Ruiz

Reputation: 123

ADFS/SAML authentication for Java desktop app

I have a Java desktop app. I found a lot of online resources that talk about SSO authentication for web apps. I need the same thing for an old-school desktop app. Basically, I need the app to open a browser window, have the user authenticate against ADFS and then get a token back.

How can I add SSO authentication with ADFS/SAML?

Upvotes: 4

Views: 2987

Answers (2)

Hector Ruiz

Reputation: 123

I found the answer.

  1. First, the desktop app needs to show a browser window. This can easily be achieved using JavaFX WebView. I have successfully tested Google and ADFS login using JavaFX WebView. NB: If you use ADFS you must set up ADFS to use Form-based auth.
  2. A helper webservice needs to be built. The webservice will provide a method secured by any federated authentication mechanism (SAML2, OAuth, etc). I haven't been able to do this in Java. There are some solutions like JOSSO but they're ridiculously cumbersome or severely lacking. However, C# has outstanding support for federated auth which makes it an excellent choice for this task.
  3. When the user needs to authenticate, the desktop app shows the browser window which automatically calls the method above. After the federated auth handshake, the browser will be able to access the method. This method tells the desktop app whether the calling user is allowed access.
  4. The final step is to close the browser window and log in the user.

NB: This is not an easy task. It takes about a week's worth of work to put everything together.

Upvotes: 2
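The desktop side of steps 1, 3 and 4 from the answer above, as an added example that is not the answerer's code: a JavaFX WebView loads the helper method and accepts a result only once the browser has landed back on the helper's exact HTTPS origin and path, so nothing rendered by the ADFS form or an intermediate redirect is read as the answer. The helper URL, the `ALLOWED`/`DENIED` response body and the class name are assumptions made for illustration.

```java
import java.net.URI;
import javafx.application.Application;
import javafx.concurrent.Worker;
import javafx.scene.Scene;
import javafx.scene.web.WebEngine;
import javafx.scene.web.WebView;
import javafx.stage.Stage;
import org.w3c.dom.Document;

public class SsoLoginWindow extends Application {
    // Hypothetical helper-service method secured by federated auth (assumption).
    static final URI HELPER = URI.create("https://helper.example.internal/auth/check");

    // True only for the helper's exact HTTPS origin and path; IdP pages,
    // plain-HTTP downgrades and look-alike hosts are all rejected.
    static boolean isHelperResult(String location) {
        try {
            URI u = URI.create(location);
            return "https".equalsIgnoreCase(u.getScheme())
                && HELPER.getHost().equalsIgnoreCase(u.getHost())
                && u.getPort() == HELPER.getPort()
                && HELPER.getPath().equals(u.getPath());
        } catch (IllegalArgumentException | NullPointerException e) {
            return false; // malformed or missing location
        }
    }

    @Override
    public void start(Stage stage) {
        WebView view = new WebView();
        WebEngine engine = view.getEngine();
        engine.getLoadWorker().stateProperty().addListener((obs, old, state) -> {
            Document doc = engine.getDocument();
            if (state != Worker.State.SUCCEEDED || doc == null
                    || !isHelperResult(engine.getLocation())) {
                return; // still on the ADFS login form or mid-redirect
            }
            // Assumed response format: the helper renders ALLOWED or DENIED.
            String body = doc.getDocumentElement().getTextContent().trim();
            boolean allowed = "ALLOWED".equals(body); // anything else fails closed
            stage.close(); // step 4: close the browser window
            System.out.println(allowed ? "login accepted" : "login rejected");
        });
        engine.load(HELPER.toString()); // unauthenticated request starts the redirect to ADFS
        stage.setScene(new Scene(view, 800, 600));
        stage.show();
    }

    public static void main(String[] args) {
        launch(args);
    }
}
```

Running it requires the `javafx.web` module on the module path.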

rbrayb

Reputation: 46773

Desktop apps don't have browsers.

WS-Fed and SAML are built around browser redirects.

Why do you need SAML? What about OpenID Connect / OAuth?

If that's an option, have a look at the ADAL Java samples - Azure Active Directory Authentication Libraries. There is limited OAuth support in ADFS V3.0.

Your other alternative is to use the active profile (web services) rather than the passive (browser).

But that's WS-Trust not SAML.

Upvotes: 0
