We have an on-premise deployment of CRM and are using ADFS with Secure Token to authenticate users when they hit our web services from JavaScript. The web services are hosted on a separate server from CRM on a different subdomain.
After a lot of struggles with cross origin security policy, we are finally very close to getting this to work. Our last problem has to do with how the ADFS security policy handles requests to resources on our web server.
If you access the web service directly through the browser URL, it works fine. This is because the request is intercepted by ADFS, authenticated, and then sent what amounts to an HTML page with a form that automatically submits itself to the originally requested URL, and this form submission is what gives the browser session its security token (seen in cookies as FedAuth and FedAuth1).
However, this process fails when a web service is requested through JavaScript. In our case, to get around the browser's cross-origin security policy, we are using JSONP, but even without JSONP, I believe we would have the same problem with XMLHttpRequest.
Instead of receiving pure JavaScript (JSONP) or SOAP (XMLHttpRequest), the response from the web service is the HTML web form that wants to post back to itself. JavaScript that makes a JSONP call is expecting pure JavaScript in the result, and so fails -- and since it doesn't post back, it never gets the security token.
Some of our pages have iframes that point to web pages hosted on the same server as our web services. We have found that those pages successfully get their security token because the iframe requests the resource, gets the HTML with the form autopostback, performs the postback, gets the security token, and displays the results of the postback. At that point going forward, any web services using JSONP are successful because they now contain the security token.
My question is: how can I get my JSONP web service calls to retrieve the security token before making their call?
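The mechanism the question describes (ADFS answering a service request with an auto-posting WS-Federation sign-in form instead of data, and a hidden frame being the one place a browser will actually submit that form and receive the FedAuth cookies) can be made concrete in client code. The following is an added example, not code from the original post or from ADFS/CRM: it recognises the WS-Federation sign-in form in a raw response, primes the session through a hidden iframe, and only then issues the JSONP request. The field names `wa`, `wresult` and `wctx` are standard WS-Federation parameters; the sample HTML and the URLs are constructed for illustration, and the iframe-based priming assumes the priming page lives on the same site as the web service so that its FedAuth cookies attach to the later script request.

```javascript
// Added example (not from the original post). Constructed sample of what ADFS
// returns in place of JSONP/SOAP: an HTML form that auto-submits the WS-Federation
// token (wresult) back to the service's origin, which is how the FedAuth cookies
// get set. Field names follow WS-Federation; the rest is illustrative.
const SAMPLE_WSFED_FORM = `
<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://services.example.local/Service.svc">
  <input type="hidden" name="wa" value="wsignin1.0" />
  <input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse ...&gt;" />
  <input type="hidden" name="wctx" value="rm=0&amp;id=passive" />
</form></body></html>`;

// Constructed sample of a normal JSONP reply for comparison.
const SAMPLE_JSONP_BODY = 'handleAccounts({"accounts":[{"name":"Contoso"}]});';

// True when a response is the WS-Federation sign-in form rather than data.
// A JSONP <script> tag cannot apply this check (the browser just fails to parse
// the HTML as script); an XHR/fetch caller or a test can run it on the raw body.
function isWsFedSignInForm(contentType, body) {
  if (!/^text\/html\b/i.test(contentType || '')) return false;
  const hasPostForm = /<form[^>]*method=["']?post["']?[^>]*>/i.test(body);
  const hasWaInput = /<input[^>]*name=["']wa["'][^>]*>/i.test(body) && /wsignin1\.0/.test(body);
  const hasWresult = /<input[^>]*name=["']wresult["'][^>]*>/i.test(body);
  return hasPostForm && hasWaInput && hasWresult;
}

// Append the JSONP callback parameter, respecting an existing query string.
function withJsonpCallback(url, param, callbackName) {
  const sep = url.includes('?') ? '&' : '?';
  return url + sep + encodeURIComponent(param) + '=' + encodeURIComponent(callbackName);
}

// Load a same-site page in a hidden iframe so the browser performs the ADFS
// redirect, runs the auto-post, and stores the FedAuth cookies. The load event
// fires even for cross-origin frames, so we cannot inspect the content, only
// wait for navigation to settle. Browser-only; never called at module load.
function primeFederatedSession(primeUrl, timeoutMs) {
  return new Promise((resolve, reject) => {
    const frame = document.createElement('iframe');
    frame.style.display = 'none';
    let loads = 0;
    const timer = setTimeout(() => { frame.remove(); reject(new Error('ADFS priming timed out')); }, timeoutMs);
    frame.addEventListener('load', () => {
      loads += 1;
      // First load: sign-in form; second load: the post-back result page.
      if (loads >= 2) { clearTimeout(timer); frame.remove(); resolve(); }
    });
    frame.src = primeUrl;
    document.body.appendChild(frame);
  });
}

// Plain JSONP via a <script> tag. Note the trust implication: whatever the
// endpoint returns is executed, so the URL must never be built from untrusted input.
function jsonp(url, callbackParam, timeoutMs) {
  return new Promise((resolve, reject) => {
    const name = 'jsonp_cb_' + Date.now() + '_' + Math.floor(Math.random() * 1e6);
    const script = document.createElement('script');
    const timer = setTimeout(() => { cleanup(); reject(new Error('JSONP timed out (got HTML instead of script?)')); }, timeoutMs);
    function cleanup() { clearTimeout(timer); delete window[name]; script.remove(); }
    window[name] = (data) => { cleanup(); resolve(data); };
    script.onerror = () => { cleanup(); reject(new Error('JSONP script failed to load')); };
    script.src = withJsonpCallback(url, callbackParam, name);
    document.head.appendChild(script);
  });
}

// Order of operations the question is asking for: obtain the token first
// (hidden iframe), then make the JSONP call that relies on the FedAuth cookies.
async function callServiceWithToken(primeUrl, serviceUrl) {
  await primeFederatedSession(primeUrl, 15000);
  return jsonp(serviceUrl, 'callback', 15000);
}

// Browser usage (hypothetical URLs):
//   callServiceWithToken('https://services.example.local/prime.html',
//                        'https://services.example.local/Service.svc/Accounts')
//     .then(console.log, console.error);
```

The two-load count in `primeFederatedSession` is the practical signal that the auto-post has completed; a single load means only the sign-in form arrived. If the service is later moved behind CORS with `XMLHttpRequest`, the same `isWsFedSignInForm` check lets the caller distinguish "not authenticated yet" from a genuine service error instead of failing on a parse exception.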