I'm using SAML tokens to authenticate against a set of REST-ful services, by putting the SAML token in the Authorization
header.
I can't find anything out there that would suggest that there's a standard way to do this. For example, do I use:
Authorization: Bearer <EncryptedAssertion ...
or:
Authorization: Bearer PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=
or:
Authorization: SAML PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=
or something else?
Note that the first one doesn't work if the certificate has multiple name components (because the comma messes up the header parsing).
The fact that I'm using 'Bearer' doesn't say anything about the format of the token.
Apache CXF appears to use the third variant.
Which one is standard? Is there a standard? If not, is there a de-facto standard?
All clients follow a basic message flow to access the REST API using SAML. Whereas CSM acts as both the service provider and the identity provider in the OAuth2 protocol, the SAML protocol introduces a third-party identity provider.
Security Assertion Markup Language (SAML) tokens are XML representations of claims. By default, the SAML tokens that Windows Communication Foundation (WCF) uses in federated security scenarios are issued tokens. SAML tokens carry statements that are sets of claims made by one entity about another entity.
Can you use both SAML and OAuth? Yes, you can. The Client can get a SAML assertion from the IdP and request the Authorization Server to grant access to the Resource Server. The Authorization Server can then verify the identity of the user and pass back an OAuth token in the HTTP header to access the protected resource.
SAML authenticates the user's identity to a service, while OAuth authorizes the user to access specific resources owned by the service provider. Both can be used for single sign-on (SSO), which permits users to access IT resources with only one set of login credentials (e.g., username and password).
The standard for custom auth schemes in HTTP is defined in RFCs 2617 and 7235.
Authorization: scheme key="value", ...
I doubt there is a standard for your specific case, but I'd say this is acceptable:
Authorization: SAML bearer="PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4="
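As an added example (not code from the question or the answer), a small Python parser that applies the RFC 7235 grammar the answer cites to the header variants from the question: it accepts both the Apache CXF style `SAML <base64>` (a single token68) and the answer's `SAML bearer="<base64>"` (an auth-param), and rejects raw XML in the header. The base64 blob is the one quoted in the question; the certificate DN in the raw-XML sample is a constructed value.

```python
import base64
import re

# RFC 7235, simplified: credentials = scheme [ SP ( token68 / #auth-param ) ]
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"       # RFC 7230 token
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"             # opaque blob; base64 fits, '<' and ',' do not
QUOTED = r'"(?:[^"\\]|\\.)*"'                  # quoted-string
AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*(?:,|$)")


def parse_authorization(header):
    """Return (scheme, token68 or None, {param: value}); raise ValueError if malformed."""
    m = re.fullmatch(rf"({TOKEN})(?:\s+(.*))?", header.strip(), re.S)
    if not m:
        raise ValueError("missing or invalid auth scheme")
    scheme, rest = m.group(1), (m.group(2) or "").strip()
    if not rest:
        return scheme, None, {}
    if re.fullmatch(TOKEN68, rest):            # single blob, e.g. CXF-style 'SAML <b64>'
        return scheme, rest, {}
    params, pos = {}, 0
    while pos < len(rest):                     # otherwise a comma-separated auth-param list
        pm = AUTH_PARAM.match(rest, pos)
        if not pm:
            raise ValueError(f"malformed auth-param near {rest[pos:pos + 20]!r}")
        value = pm.group(2)
        if value.startswith('"'):              # strip quotes and backslash escapes
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        params[pm.group(1).lower()] = value
        pos = pm.end()
    return scheme, None, params


def extract_saml_assertion(header):
    """Accept 'SAML <base64>' and 'SAML bearer="<base64>"'; return the decoded assertion bytes."""
    scheme, blob, params = parse_authorization(header)
    if scheme.lower() != "saml":
        raise ValueError(f"unexpected scheme {scheme!r}")
    b64 = blob if blob is not None else params.get("bearer")
    if b64 is None:
        raise ValueError("header carries no assertion")
    return base64.b64decode(b64, validate=True)


def header_is_well_formed(header):
    try:
        parse_authorization(header)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    b64 = "PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4="      # blob from the question
    print(extract_saml_assertion("SAML " + b64), extract_saml_assertion(f'SAML bearer="{b64}"'))
    # Raw XML with a constructed multi-component DN: '<' is outside token68 and the comma splits auth-params
    print(header_is_well_formed('Bearer <EncryptedAssertion Issuer="CN=svc, O=Example">'))
```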