Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is there a standard for using SAML tokens with RESTful services?

Tags:

rest

saml

I'm using SAML tokens to authenticate against a set of REST-ful services, by putting the SAML token in the Authorization header.

I can't find anything out there that would suggest that there's a standard way to do this. For example, do I use:

Authorization: Bearer <EncryptedAssertion ...

or:

Authorization: Bearer PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=

or:

Authorization: SAML PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=

or something else?

Note that the first one doesn't work if the certificate has multiple name components (because the comma messes up the header parsing).

The fact that I'm using 'Bearer' doesn't say anything about the format of the token.

Apache CXF appears to use the third variant.

Which one is standard? Is there a standard? If not, is there a de-facto standard?

like image 739
Roger Lipscombe Avatar asked Jan 28 '13 17:01

Roger Lipscombe

People also ask

Does SAML work with REST API?

All clients follow a basic message flow to access the REST API using SAML. Whereas CSM acts as both the service provider and the identity provider in OAuth2 protocol, SAML protocol introduces a third-party identity provider.

Does SAML use tokens?

Security Assertions Markup Language (SAML) tokens are XML representations of claims. By default, SAML tokens Windows Communication Foundation (WCF) uses in federated security scenarios are issued tokens. SAML tokens carry statements that are sets of claims made by one entity about another entity.

Can you use both SAML and OAuth?

Can you use both SAML and OAuth? Yes, you can. The Client can get a SAML assertion from the IdP and request the Authorization Server to grant access to the Resource Server. The Authorization Server can then verify the identity of the user and pass back an OAuth token in the HTTP header to access the protected resource.

When should you use SAML or OAuth?

SAML authenticates the user's identity to a service, while OAuth authorizes the user to access specific resources owned by the service provider. Both can be used for single sign-on (SSO), which permits users to access IT resources with only one set of login credentials (e.g., username and password).

1 Answers

The standard for custom auth schemes in HTTP is defined in the RFCs 2617 and 7235.

Authorization: scheme key="value", ...

I doubt there is a standard for your specific case, but I'd say this is acceptable:

Authorization: SAML bearer="PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4="
like image 88
Pedro Werneck Avatar answered Nov 16 '22 02:11

Pedro Werneck
Sign in to Comment

Related questions

Passing in content when generating JasperServer report using the REST API
How to write routing when resource model name does not match path or controller
REST API Design links between collections of resources
Defining a resource assembler for a REST Spring HATEOAS controller
Django calling REST API from models or views? [closed]
Django REST framework: Create/Update object using Related Field
SSL certificate in Advanced REST Client for Chrome
Restful PATCH on collection to update sorting parameter in bulk
How download file using java spark?
Authentification from Android Device against Spring Security Rest API
Spring data-rest: set null value by PATCH request
How to validate URL parameters in Flask app?
Does MailChimp have a sandbox API with dummy data in it for testing? [closed]
How can I send a File over a REST API?
How to selectively inactivate REST endpoints in a Java application?
Java 9 - REST with Spring 5 & Jigsaw - Is it possible?
Validation error messages as JSON in Laravel 5.3 REST
Passing parameters in the message header with a REST API
Request params and PUT method
Is play! Framework 2.0 suitable for creating a REST API?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!