Layer 7 Access Management


Authenticating a fat-client application in SAML by re-using the Windows Desktop sign in

  • 1.  Authenticating a fat-client application in SAML by re-using the Windows Desktop sign in

    Posted 02-15-2017 01:05 PM

    Our product is a fat-client Windows executable running in Windows 7 or Windows 10 desktop.  This fat-client talks to an application server via Web Services.  The application server is protected by Siteminder.  Customers wish to use SAML as the authentication protocol.  This works fine for Web browsers that build in the redirection and SAML support, but is problematic for a fat-client executable. 


    The user sessions within the Windows 7 and 10 desktop operating system are already authenticated via SAML and Siteminder.  Is there a way we can piggy back on this authentication?  For instance, if our Web Service request comes in to Siteminder from the SC with a Windows header, can we have a Siteminder rule that will strip the authentication information from this Windows request header and inject it into the header of our Web Service request? 


    The idea is to do this before touching the application server and avoiding any prompt for SAML authentication.  Alternately, is there any other way of leveraging the Windows Security Context for sites using SAML?

  • 2.  Re: Authenticating a fat-client application in SAML by re-using the Windows Desktop sign in

    Posted 02-24-2017 11:36 AM

    If your fat client can access your SMSESSION cookie (make persistent, possibly), then it could use the SMSESSION in the web service request as a normal cookie.

    I have seen instances where a web browser application was launched within a fat client to perform Windows-SM authentication and then capture / cache the cookie.


    Hope that helps.
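The approach in the reply above, shown as an added example that is not part of the original thread and not Siteminder's or any vendor's code: a fat client that has already captured an SMSESSION cookie (for example from an embedded browser login) attaches it to its web-service calls as an ordinary cookie, refuses to send it over plain HTTP, keeps it out of logs, and recognises the agent's redirect-to-login or 401/403 response as the signal that the cached session has expired and the browser login must be repeated. The service URL, the captured cookie text and the login-URL heuristics are constructed for this example.

```python
"""Added example: reusing a captured Siteminder SMSESSION cookie from a fat client.

Everything here is hypothetical: the web-service URL, the cookie text and the
patterns used to recognise a login redirect are constructed for illustration.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

COOKIE_NAME = "SMSESSION"


def load_smsession(cookie_text):
    """Extract the SMSESSION value from a captured 'Cookie:' header line.

    Returns None when the line carries no SMSESSION cookie.
    """
    for part in cookie_text.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == COOKIE_NAME and value:
            return value
    return None


def build_request(url, smsession, body=None):
    """Build a web-service request that carries SMSESSION as a normal cookie.

    Only HTTPS URLs are accepted, so the session cookie never travels in clear text.
    """
    if urlparse(url).scheme != "https":
        raise ValueError("SMSESSION must only be sent over HTTPS")
    req = urllib.request.Request(url, data=body, method="POST" if body else "GET")
    req.add_header("Cookie", f"{COOKIE_NAME}={smsession}")
    req.add_header("Accept", "application/json")
    return req


def session_rejected(status, headers):
    """True when the agent did not accept the cookie.

    A redirect to a login/SAML endpoint or a 401/403 means the cached session is
    gone; the caller should re-run the browser login and capture a fresh cookie.
    """
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307):
        location = headers.get("Location", "")
        return re.search(r"login|saml|sso|siteminderagent", location, re.I) is not None
    return False


def redact(req):
    """Return the request headers in a form safe for logging: cookie value masked."""
    return {k: ("<redacted>" if k.lower() == "cookie" else v) for k, v in req.header_items()}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx from the agent must be inspected, not chased to the IdP."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def call_service(req):
    """Send the request; return (status, headers, body). Redirects are returned, not followed."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here with _NoRedirect
        return err.code, err.headers, err.read()


if __name__ == "__main__":
    # Constructed sample: the cookie line a browser-based login might have handed back.
    captured = "JSESSIONID=deadbeef; SMSESSION=constructed-sample-value; lang=en"
    token = load_smsession(captured)
    request = build_request("https://ws.example.invalid/api/orders", token)
    print("sending", redact(request))
    status, hdrs, _ = call_service(request)
    if session_rejected(status, hdrs):
        print("session expired: repeat the Windows/SAML browser login and recapture SMSESSION")
```

The `_NoRedirect` handler matters in practice: if the client blindly followed the agent's 302 it would end up fetching the IdP's SAML login page as if it were the web-service response, which is exactly the prompt the original question wants to avoid.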