Forums, Documentation & Knowledge Base - ComponentSpace

SSOOptions for InitiateSSO - suppress basic AUTH popup with request URL


https://www.componentspace.com/Forums/Topic11602.aspx

By mlam - 6/7/2021

Hi

We used to suppress the basic auth popup (SP-initiated) with a request URL looking like this:


    // Ensure the SAML configuration is loaded.
    SAMLController.Initialize();
   
    var singleSignOnServiceUrl = "https://username:password@idp.example.com/"; 

    SSOOptions sSOOptions = new SSOOptions();
    sSOOptions.RequestedUserName = uid;

    SAMLServiceProvider.InitiateSSO(Response, stateRelay, returnUrl, sSOOptions, null, singleSignOnServiceUrl);


This option is deprecated. And it is not secure. They suggest using the credentials in the Authorization header instead. But, all details are going to the handler by InitiateSSO. May I know how to achieve this?

By ComponentSpace - 6/7/2021

The SAML specification doesn't support a mechanism for passing a password from the SP to the IdP. It does support passing an optional user name (i.e. the ssoOptions.RequestedUserName) but not all IdPs support this.

If you were to somehow pass the user's password to the IdP, this would have to be a proprietary mechanism and you would need to think very carefully about the security implications. It's not something we recommend doing and I'm surprised it's supported by the IdP.
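
Added example (not part of the original posts and not ComponentSpace code): a guard that could run before a URL is passed as `singleSignOnServiceUrl`, rejecting any value that carries `username:password@` userinfo or is not HTTPS. `SsoUrlGuard`, `Validate` and the sample URLs are hypothetical names and constructed inputs.

```csharp
using System;

// Hypothetical helper for illustration; not part of the ComponentSpace API.
public static class SsoUrlGuard
{
    // Returns the parsed URL if it is acceptable as an IdP SSO service URL.
    // Throws if it is relative, not HTTPS, or carries embedded credentials.
    public static Uri Validate(string singleSignOnServiceUrl)
    {
        if (!Uri.TryCreate(singleSignOnServiceUrl, UriKind.Absolute, out Uri uri))
            throw new ArgumentException("SSO service URL is not an absolute URL.");

        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("SSO service URL must use https.");

        // Uri.UserInfo is the "username" or "username:password" part before '@'.
        // The message names only the host so the secret never reaches a log.
        if (!string.IsNullOrEmpty(uri.UserInfo))
            throw new ArgumentException(
                "SSO service URL for host '" + uri.Host +
                "' contains embedded credentials; remove them.");

        return uri;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "https://idp.example.com/sso",
            "https://username:password@idp.example.com/",
            "https://username@idp.example.com/",
            "http://idp.example.com/sso",
        };

        foreach (string sample in samples)
        {
            try
            {
                Console.WriteLine("OK       " + Validate(sample).Host);
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("REJECTED " + ex.Message);
            }
        }
    }
}
```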