 

Is there a standard for using SAML tokens with RESTful services?

Tags:

rest

saml

I'm using SAML tokens to authenticate against a set of REST-ful services, by putting the SAML token in the Authorization header.

I can't find anything out there that would suggest that there's a standard way to do this. For example, do I use:

Authorization: Bearer <EncryptedAssertion ...

or:

Authorization: Bearer PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=

or:

Authorization: SAML PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=

or something else?

Note that the first one doesn't work if the certificate has multiple name components (because the comma messes up the header parsing).

The fact that I'm using 'Bearer' doesn't say anything about the format of the token.

Apache CXF appears to use the third variant.

Which one is standard? Is there a standard? If not, is there a de-facto standard?

Roger Lipscombe asked Jan 28 '13 17:01




1 Answer

The standard for custom auth schemes in HTTP is defined in the RFCs 2617 and 7235.

Authorization: scheme key="value", ...

I doubt there is a standard for your specific case, but I'd say this is acceptable:

Authorization: SAML bearer="PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4="
Pedro Werneck answered Nov 16 '22 02:11