Mauro Minella

Reputation: 179

How to submit a shibboleth-protected WEB page from code using a POST call

High-level summary

My goal is to do a POST call from my code to submit a request through a web server that requires Shibboleth authentication.

At the moment I am fine to just collect the BASE64 SAML Request value manually, and then authenticate as explained below. I can achieve this, but I can't understand what I should do after authenticating, to finalize my POST call.

Details

When I open the web form on this server, I am redirected to a shibboleth IDP where I insert my username and password, then I add the SMS received, and I am in.

After I am authenticated, I fill this webform that correctly returns a result based on the account I am authenticated with. The source code of this web page makes a simple POST call with a couple of parameters, where the web server is the same, something like

https://www.mywebserver.org:443/web/area/find-product 

Now I need to submit the same form from my code, using a POST call directly, with the same parameters.

However, when I call that page using a POST call with the same parameters, I receive the HTML source code of a web page which starts with

<html>

<head>
    <title>Shibboleth Authentication Request</title>
</head>

<body onload="document.forms[0].submit()">

    <h1>Shibboleth Authentication Request</h1>

    <script type="text/javascript">
        <!--    
        document.write("<p>You are automatically being redirected to the authentication service. ");
        document.write("If the browser appears to be hung up after 15-20 seconds, try reloading ");
        document.write("the page before contacting the technical support staff in charge of the ");
        document.write("authentication service you are trying to access.</p>");
        document.write("<h2>Redirecting...</h2>");
        // 
        -->
    </script>

    <noscript>
        <p>
            <strong>Note:</strong> Since your browser does not support JavaScript, you must press the
            Continue button once to proceed to the authentication service.
        </p>
    </noscript>

    <form method="POST" action="https&#58;//idpcwrapper.crs.*****.it/PublisherMetadata/SSOService">

        <input type="hidden" name="RelayState" value="https&#58;//www.****.***.***.it/web/**/**-**"/>

        <input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5h
bWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBBc3NlcnRpb25Db25zdW1lclNl
cnZpY2VVUkw9Imh0dHBzOi8vd3d3LmZhc2NpY29sb3Nhbml0YXJpby5yZWdp
b25lLmxvbWJhcmRpYS5pdC9jaXR0LXNzYy9wcml2YXRlL1NoaWJib2xldGgu

If I save and run this page using my browser, I'm redirected to the same IDP where I can authenticate as usual.

Now I'm not very familiar with this topic, but since I need to complete my initial POST request to read the answer from code, I suppose I need to "capture" the authentication token and insert it in my POST request, is that correct? And how could I do this?

Upvotes: 2

Views: 289

Answers (1)

Tom Lin

Reputation: 110

It is helpful to refer to SWITCHaai's expert demo on Shibboleth for a complete step-by-step guide on SAML/Shibboleth. However, I am a university student and my university's website also uses Shibboleth, but I noticed that its logic does not entirely match what is described in the demo, so you might have to make adjustments accordingly.

According to the demo, you are currently on Step 5 (this step, for example, does not exist on my university's implementation), where you are being redirected to the part to fill out the username and password. In this step, you simply submit the form in the response as-is, and then you should be redirected to the actual login form. This is because on Step 4, you have made an authentication request with the service provider (SP), which redirects you to make a POST request to the identity provider (IdP) with a form already filled out for you with SAMLRequest and other things. When using the browser, a piece of JavaScript on the webpage would be executed to redirect you automatically; however, as you are probably not executing JavaScript in your code, this process has to be done manually.

Following the redirection on Step 6, you will eventually land on Step 7 of the demo, where you are to fill out the actual username, password, and maybe also complete the third-factor authentication.

After posting the credentials on Step 7, you are to forward a filled-out form on Step 8 back to the assertion consumer service of the SP. Similar to Step 5, you just submit the form manually without changes.

Finally, you should be redirected to the original web form you are looking for on the SP, with a cookie beginning with _shibsession identifying your user session.

You can also refer to my answer to Logging into SAML/Shibboleth authenticated server using python, or other answers under that question, for more details. Note that my answer does not include the manual form submission on Step 5, but it should be easy to deal with anyway.

Upvotes: 0
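An added example (not code from the question or the answer above) of the manual form forwarding the answer describes for Steps 5 and 8, using only the Python standard library: it parses the self-submitting form (action plus the hidden SAMLRequest/SAMLResponse and RelayState inputs), re-posts it through a shared cookie jar, and checks for the _shibsession cookie at the end. The sample page and its hosts are constructed placeholders; the Step 7 login form (username, password, SMS code) is site-specific and is not automated here.

```python
import http.cookiejar
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Constructed sample of the self-submitting page the SP returns (hosts are placeholders).
SAMPLE_SP_PAGE = """<body onload="document.forms[0].submit()">
<form method="POST" action="https&#58;//idp.example.org/PublisherMetadata/SSOService">
<input type="hidden" name="RelayState" value="https&#58;//www.example.org/web/area/find-product"/>
<input type="hidden" name="SAMLRequest" value="PHNhbWxwOkF1dGhuUmVxdWVzdA=="/></form></body>"""
class AutoPostForm(HTMLParser):
    """Collects the first <form>: its action, method and every named <input>."""
    def __init__(self):
        super().__init__()
        self.action, self.method, self.fields, self._in_form = None, "GET", {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            # HTMLParser decodes entities such as &#58; in attribute values for us
            self.action, self.method = a.get("action", ""), a.get("method", "GET").upper()
            self._in_form = True
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

def parse_auto_post_form(html):
    """Return (action, method, fields) of the form the browser would submit via onload."""
    p = AutoPostForm()
    p.feed(html)
    return p.action, p.method, p.fields

def new_session():
    """One opener whose cookie jar is shared by the SP and IdP requests."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar)), jar

def forward_form(opener, html):
    """Steps 5 and 8: re-submit the form unchanged, as the onload handler would; returns (final_url, body)."""
    action, _method, fields = parse_auto_post_form(html)  # HTTP-POST binding, as on the page
    req = urllib.request.Request(action, data=urllib.parse.urlencode(fields).encode())
    with opener.open(req) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")

def has_shibsession(jar):
    """True once the SP has set its _shibsession* cookie, i.e. the login round trip is done."""
    return any(c.name.startswith("_shibsession") for c in jar)
```

In the real flow the first forward_form call takes the SP page you received from your original POST, the second takes the IdP's SAMLResponse page after you have posted credentials and the SMS code; once has_shibsession is true, repeat the original find-product POST with the same opener.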
