
I would like to secure a JavaScript Single Page App with SAML. My server is powered using Node.js and serves a RESTful API. What are my options?

Details: I have worked with OAuth2 in the past, but I am not familiar with SAML concepts. With OAuth2, the JavaScript SPA can go directly to the Identity Provider and get a token. I can send this token to my RESTful server. The server only needs to be able to decode the token and verify that it is coming from a trusted provider.

  • Does SAML work in a similar way? Is there a simple reference that shows the workflow?
  • Is there a solution that works with my architecture - JavaScript SPA and Node.js serving a RESTful API?
Naresh

1 Answer

For the record: In a typical SAML WebSSO flow the IDP wants to take control of the browser to establish or resume a session with the browser. So this approach needs to be tested for compatibility with your IDP(s). There is another, less popular flow called ECP (Enhanced Client or Proxy) that should be more suitable.

See also: https://www.codeproject.com/Articles/1248145/How-to-use-SAML-in-an-Angular-JS-Single-Page-Appli