SAML auth outside of Mender UI

I’m setting up SAML auth, and I’m trying to figure out how to get the JWT token for communicating with Mender. This is for users who have access to a browser, but aren’t directly logging in using the Mender UI.
We aren’t planning on directly using the Mender UI, we have our own tools for talking to Mender. So, we’re trying to figure out how to connect to Mender once we start using SAML.

After reading through the docs more, I think I can clarify my question. I expect I will need to call GET /auth/sso/{id}/login on the useradm service: Mender API docs

The docs don’t describe how to get the auth information after making this API call. Is the JWT saved as a cookie? How do I make subsequent calls to the API after logging in with my IdP?

Hello :wave:

For programmatic access to the API, we recommend using Personal Access Tokens. This only works for password-based users, so I would suggest creating a password-based user and using that user to issue the access token for your application.

One of the draws of Mender was that the service is API based, so we can replace the Mender UI with our own UI as needed, which is what we did.
If using SAML requires us to make 2 user accounts for every person at the company (SSO for Mender UI access, password for everything else), that defeats the point of SAML, and the feature becomes useless for us.

Ohh, sorry. I think I misunderstood your question. When you log in using SAML, the JWT is set in a cookie with the same name (literally “JWT”) when it makes the redirect back to the Mender UI (via the “assertion consumer service” endpoint /auth/sso/{id}/acs).

Thanks for the clarification @alfrunes . So it would look something like this:

  1. Call /auth/sso/id/login
  2. Open redirect to IdP auth in response (?)
  3. Wait for the JWT cookie to show up in the browser (?)
  4. Use the JWT in future requests

Does that look correct? When using SSO login, do I need to set the JWT explicitly in the request header, or is setting the cookie sufficient?

Is there a way to know when the JWT is set? When the redirect happens back to the UI, that post request goes to the useradm service. Are the redirect and the post request 2 different things?

I will give this a try as well, but any pointers are appreciated.

It’s almost correct, the only detail you’re missing is that the redirect goes through the assertion consumer service endpoint (/auth/sso/<id>/acs) before the browser is redirected back to the Mender UI (root).

  1. Open /auth/sso/<id>/login
    • Redirects to your IdP with a SAML Authentication request set in the URL query parameter
  2. The user signs in to your IdP
    • Once logged in, the IdP redirects back to the Mender assertion consumer service (ACS) endpoint POST /auth/sso/<id>/acs with a SAML Authentication response.
  3. The ACS verifies the SAML response, finds the matching user and redirects the browser back to the root (/) with the JWT cookie set, if the user is authenticated successfully.

You do not need to set the Authorization header explicitly, the Mender server will look for the JWT cookie when using the API.

That POST request is part of the SAML protocol and the useradm API will always redirect back to root. If it fails to verify the response, it will set the error cookie with a short error message instead of the JWT. So from the frontend, you only need to check which cookie is present to know if the user has a valid session or not.

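The client-side half of the flow laid out in the two posts above (the tentative four-step list and the corrected three-step one), as an added example that is not part of the thread and not Mender's own code. It works on the pieces a custom UI actually sees: the Location header that GET /auth/sso/<id>/login answers with, the Set-Cookie headers on the redirect that POST /auth/sso/<id>/acs sends back to /, and the headers to put on later API calls. Assumptions, also marked in the code: the redirect to the IdP uses the SAML HTTP-Redirect binding (raw-DEFLATE + base64 in a `SAMLRequest` query parameter), the error cookie is called `error` (the thread only calls it "the error cookie"), and the sample AuthnRequest and cookie headers are constructed, not captured from a real deployment.

```python
"""Client-side helpers for the Mender SAML login flow described in the thread.

Added example, not Mender's own code. Assumptions are marked in comments.
"""
from __future__ import annotations

import base64
import zlib
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

JWT_COOKIE = "JWT"       # cookie name confirmed in the thread
ERROR_COOKIE = "error"   # assumption: the thread only says "the error cookie"


def build_login_redirect(idp_sso_url: str, authn_request_xml: str) -> str:
    """Construct a Location header like the one GET /auth/sso/<id>/login returns.

    Assumption: SAML HTTP-Redirect binding, i.e. the AuthnRequest is raw-DEFLATEd,
    base64-encoded and placed in the SAMLRequest query parameter. A real client
    never builds this; it is here only to produce a constructed sample.
    """
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    raw = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode()})
    return f"{idp_sso_url}?{query}"


def decode_saml_request(location: str) -> str:
    """Recover the AuthnRequest XML from the Location header of /login.

    Useful for a custom UI that wants to log or sanity-check the request
    (issuer, destination) before sending the browser to the IdP.
    """
    query = parse_qs(urlsplit(location).query)
    encoded = query["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), wbits=-15).decode()


def session_state(set_cookie_headers: list[str]) -> tuple[str, str | None]:
    """Classify the redirect from /acs to / by the cookies it sets.

    Per the thread: a JWT cookie means the SAML response verified and a user
    matched; an error cookie carries a short message instead. The browser
    stores these cookies; a client only needs to look at which one exists.
    Returns ("ok", jwt), ("error", message) or ("none", None).
    """
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    if JWT_COOKIE in jar and jar[JWT_COOKIE].value:
        return "ok", jar[JWT_COOKIE].value
    if ERROR_COOKIE in jar:
        return "error", jar[ERROR_COOKIE].value
    return "none", None


def api_headers(jwt: str) -> dict[str, str]:
    """Headers for API calls after SSO login.

    The thread states the server reads the JWT cookie, so sending the cookie
    back is sufficient. Authorization: Bearer is the form the Mender API uses
    for tokens obtained by password login or a Personal Access Token; sending
    both lets one client code path serve SSO and non-SSO users alike.
    """
    return {"Cookie": f"{JWT_COOKIE}={jwt}", "Authorization": f"Bearer {jwt}"}


if __name__ == "__main__":
    # Constructed sample AuthnRequest and the redirect the SP would answer with.
    authn = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'ID="_abc123" Version="2.0"/>')
    location = build_login_redirect("https://idp.example.com/sso", authn)
    print(decode_saml_request(location) == authn)
    # Constructed Set-Cookie headers for the two outcomes of the /acs redirect.
    print(session_state(["JWT=eyJhbGciOi.eyJzdWIi.c2ln; Path=/; Secure"]))
    print(session_state(["error=unauthorized; Path=/"]))
    print(api_headers("eyJhbGciOi.eyJzdWIi.c2ln"))
```

In a real client the browser performs the redirects itself: open the /login URL, let the user authenticate at the IdP, and once the browser lands back on / the JWT (or error) cookie is already in the cookie store, which is the point at which `session_state`'s decision applies. Whether a JavaScript frontend can read the JWT cookie's value depends on the cookie flags the server sets, which the thread does not state; checking for its presence in a response, as above, avoids depending on that.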

Thank you!
