I want to use SAML login for a single web application with a REST API. How should I do this? Usually, say with OAuth, let's use Google/Firebase as an example:
Firstly is this correct or did I get something wrong so far?
But with SAML, from what I can see, the user is redirected to the SAML IdP, and the SAML IdP then redirects the user to a server assertion URL. Because there is this redirect, how do I use it in the context of REST? I am unfamiliar with SAML, but I don't see a token. The server just gets an "assertion" with the user information?
All clients follow a basic message flow to access the REST API using SAML. Whereas CSM acts as both the service provider and the identity provider in OAuth2 protocol, SAML protocol introduces a third-party identity provider.
SAML was simply not designed for modern application types, such as SPAs and mobile apps. You'll spend time fighting the protocol and still end up with a solution that is cumbersome and has security holes. Instead, we recommend using OpenID Connect in SPAs and mobile applications.
SAML uses a claims-based authentication workflow. First, when a user tries to access a site, the service provider asks the identity provider to authenticate the user. Then, the service provider uses the SAML assertion issued by the identity provider to grant the user access.
1. Go to Identity Provider.
2. Click on Add Provider.
3. Select SAML from the list.
4. Enter details such as Provider Name, Provider's Entity ID, Provider's SSO URL, and Certificate (used for token signing).
5. Go to Service Provider and provide the Entity ID (that verifies your application).
Here is the sequence of events which happen when the application is using SAML for the authentication:
This is a basic scenario.
See the spring-saml project here; you can try and play with the sample web application. https://projects.spring.io/spring-security-saml
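As an added example (not code from any of the answers above, nor from the spring-saml project), this shows how the redirect-based assertion flow is bridged to a REST API: the assertion consumer endpoint, after a SAML library has validated the assertion's signature and conditions, mints a short-lived HMAC-signed bearer token for the SPA, and the API verifies that token on every request. The assertion contents and the signing key are constructed for the demo; the SAML library call itself is assumed and not shown.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample: what the ACS endpoint holds after a SAML library
# (assumed, e.g. python3-saml) has already validated the assertion's signature,
# audience and InResponseTo. Nothing below parses XML.
VALIDATED_ASSERTION = {
    "name_id": "alice@example.com",
    "attributes": {"groups": ["api-users"]},
    "not_on_or_after": 1_700_000_600,  # assertion's own Conditions window (epoch seconds)
}
SECRET = b"constructed-demo-key-rotate-in-real-deployments"  # constructed, demo only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_api_token(assertion: dict, secret: bytes, now: int, ttl: int = 900) -> Optional[str]:
    """Bridge the browser redirect flow to REST: once the ACS has accepted the
    assertion, mint a short-lived bearer token the SPA sends on API calls."""
    if now >= assertion["not_on_or_after"]:
        return None  # stale assertion (replay or clock skew): refuse to mint
    # The API token must never outlive the assertion's own validity window.
    exp = min(now + ttl, assertion["not_on_or_after"])
    payload = json.dumps({"sub": assertion["name_id"], "attrs": assertion["attributes"],
                          "iat": now, "exp": exp}, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def verify_api_token(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Called by the REST API on each request: returns the claims, or None to reject."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims
```

The SPA stores the returned token and sends it as `Authorization: Bearer ...`; the IdP redirect only ever hits the ACS endpoint, never the REST resources.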