Reputation: 4026
I am working on an SSO application with SAML / OAuth and I am not sure if I understand the meaning of the redirect/callback URL at all. So let's take SAML as an example.
I have a typical SAML config:
IDPLoginURL : "https://myidp/login",
Issuer: "myhost",
RedirectURL: ?
Certificate: "MII....."
I always see the diagrams and descriptions where the redirect URL points to the resource server or the service provider. But I have different endpoints on a service, now I am confused.
I have endpoints on myhost for resources which need a SAML token for access:
GET myhost/service1
GET myhost/service2
Wouldn't I need two different redirect URLs now?
I am using: https://github.com/steffow/meteor-accounts-saml
Can someone give me a bit of clarification here?
Upvotes: 1
Views: 1992
Reputation: 57688
The redirect URL is used as a way for your application to receive the outcome of the authentication process. Your application delegates this authentication to a third-party and then the result is communicated by invoking your configured redirect URL.
How to handle this redirect is application specific; for example, a regular server-side Web application could initiate a login session upon receiving confirmation that the user logged in. Usually, this session would be created by issuing a session cookie based on the information the identity provider (using SAML, OpenID Connect or even OAuth 2.0) sent. The following requests would send the created cookie and the application would authorize those requests purely based on it, with no involvement of the identity provider.
In your scenario, it seems you have a Web API that requires access tokens to grant access, and then I imagine there will be one or more client applications that want to call the endpoints exposed by this API. This would be a textbook OAuth 2.0 scenario, where the redirect URL would be that of the client application wanting to access your API. As soon as the redirect URI is called, the application would store the access token so it could then call each endpoint separately, but always using the same token.
Your confusion probably comes from the fact that you might have checked some diagrams that were not aimed at your exact scenario. Assuming the scenario of an application wanting to call into a protected API, you can check this diagram:
(diagram not reproduced here; source: SPA + API Scenario)
In this case the redirect URL would be one for the SPA app and it would be called as part of the interaction leaving Auth0 (identity provider/authorization server) and going to the SPA application.
Upvotes: 2