Mark_Mathis | 2017-09-15 16:42:16 UTC | #1
Working with a customer who wish to set up an ADFS single sign on. The currently are using a script to pop an internal web url that makes internal API calls. They want to use the original user token that was retrieved from the ADFS and pass this into the screen pop so they can use this token to access the other API calls.
Is the original SSO token stored anywhere that we can retrieve and pass it in using the web URL?
tim.smith | 2017-09-15 16:49:42 UTC | #2
The web page they're popping will need to implement an OAuth flow, such as the SAML2 Bearer OAuth Flow, to get its own token to be able to make API requests. Auth tokens should never be leaked outside of the app the user authorized them for.
Mark_Mathis | 2017-09-15 17:03:16 UTC | #3
To be clear, each time that the screen pop happens it would be necessary to implement an OAuth Flow?
tim.smith | 2017-09-15 17:05:48 UTC | #4
It depends on if the webpage that's getting popped remembers the auth token or not. If it does, then it can keep using it. It it doesn't have an auth token, it will need to have the user authorize it again.
system | 2017-10-16 17:05:16 UTC | #5
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.
This post was migrated from the old Developer Forum.
ref: 1802