Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

REST API authentication with SAML

Tags:

java

rest

session

saml

saml-2.0

I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using Java Servlet filter and Spring.

I see two possibilities:

  1. Adding the SAML tokens into the header each time.

  2. Authenticate once with SAML, then using a session or similar (secure conversation) between the client and the gateway.

Case 1: It's a good solution because we are still RESTful but:

  • SAML tokens are quite big. It's may generated problem due to big header size.
  • Replaying tokens is not the best way for security concern.

Case 2: It's no more stateless and I have to managed a link with the client. Since I use a gateway, the underlying services can still be RESTful.

Case 2 looks for the better choice despite the fact that it does not follow the rest constraints.

Is someone had already to do it and give me some pointers (for design or implementation)?

Is there a better way to do it with SAML?

Any help or advice are welcome.

like image 577
Nereis Avatar asked Oct 18 '13 09:10

Nereis

People also ask

Does SAML work with REST API?

All clients follow a basic message flow to access the REST API using SAML. Whereas CSM acts as both the service provider and the identity provider in OAuth2 protocol, SAML protocol introduces a third-party identity provider.

Can you use OAuth and SAML together?

Can you use both SAML and OAuth? Yes, you can. The Client can get a SAML assertion from the IdP and request the Authorization Server to grant access to the Resource Server. The Authorization Server can then verify the identity of the user and pass back an OAuth token in the HTTP header to access the protected resource.

Can I use SAML for authorization?

SAML is a protocol that can be used for exchange of any information, including authorization-related "stuff". For example, in a very simple role-based access control scenario a SAML assertion issued by the identity provider can contain user's roles represented as attributes (or a single multi-valued attribute).

1 Answers

It is still draft, but: the OAuth2 SAML bearer profile may a possible solution. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17

Use a SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.

like image 178
Zelgada Avatar answered Sep 28 '22 13:09

Zelgada
Sign in to Comment

Related questions

Java generics and typecasting
Send notification to all the devices connected to a Wi-Fi network
Can I precompile the format string in String.format? (Or do any other thing to make formatting logs faster?)
Upload file stop with Unexpected EOF read on the socket Exception
Tomcat takes too much time to start - Java SecureRandom
AutoIncrement Id PostgreSQL and Spring Boot Data JPA
How do I get the User ID Token from a Credential object?
Android Studio not showing java class source
Java obfuscation - ProGuard/yGuard/other? [closed]
Android API for detecting new media from inbuilt camera & mic
How do I configure JUnit Ant task to only produce output on failures?
Alternatives to Java Mail API
Is there an easy way to turn Future<Future<T>> into Future<T>?
How to refactor a top-level class or interface to an inner one in Eclipse?
how to get the size of message queue from akka actor?
Tool to convert regex between different language syntaxes?
How to find unclosed I/O resources in Java?
Unsatisfied dependencies for type [...] with qualifiers [@Default] at injection point (using @Stateful EJB with CDI)
Performance Explanation: code runs slower after warm up
Is there any library to Convert CAD to SVG? [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!