REST API authentication with SAML

I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using Java Servlet filter and Spring.

I see two possibilities:

  1. Adding the SAML tokens into the header each time.

  2. Authenticate once with SAML, then using a session or similar (secure conversation) between the client and the gateway.

Case 1: It's a good solution because we are still RESTful but:

  • SAML tokens are quite big. They may cause problems due to the large header size.
  • Replaying tokens is not the best approach from a security standpoint.

Case 2: It's no longer stateless and I have to manage a link with the client. Since I use a gateway, the underlying services can still be RESTful.

Case 2 looks like the better choice despite the fact that it does not follow the REST constraints.

Has someone already had to do this and can give me some pointers (for design or implementation)?

Is there a better way to do it with SAML?

Any help or advice is welcome.

Nereis asked Oct 18 '13 09:10



1 Answer

It is still a draft, but the OAuth2 SAML bearer profile may be a possible solution: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17

Use a SAML2 assertion to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.

Zelgada answered Sep 28 '22 13:09
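The exchange the answer describes, as an added worked example that is not part of the original question or answer and not code from any of the linked projects. It plays both sides of the SAML bearer assertion grant (the draft cited above, later published as RFC 7522): the client base64url-encodes a SAML 2.0 assertion into the `assertion` parameter of the token request, the authorization server validates the assertion's issuer, audience, time window and bearer subject confirmation, refuses a replayed assertion ID, and hands back a short-lived opaque token; the gateway then checks only that small token on each REST call, which addresses both of the questioner's concerns (header size and replay). The issuer `https://idp.example.com`, the token endpoint `https://as.example.com/oauth2/token`, the constructed and unsigned assertion, and the `AuthorizationServer` class are all assumptions made for this example. A real authorization server must verify the assertion's XML-DSig signature with an XML security library (for example xmlsec) before running any of the checks shown; that step is deliberately not reimplemented here.

```python
"""Added example: OAuth2 SAML 2.0 bearer assertion grant (draft-ietf-oauth-saml2-bearer / RFC 7522).
Signature verification is assumed to have happened before _validate(); the issuer, endpoint and
assertion below are made-up test data."""
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TRUSTED_ISSUER = "https://idp.example.com"              # assumed IdP entity ID
TOKEN_ENDPOINT = "https://as.example.com/oauth2/token"  # assumed AS token endpoint (the audience)
TOKEN_LIFETIME = timedelta(minutes=10)


def iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(subject, issuer=TRUSTED_ISSUER, audience=TOKEN_ENDPOINT, issued_ago=0):
    """Constructed test data: a minimal, UNSIGNED SAML 2.0 bearer assertion issued issued_ago seconds ago."""
    now = datetime.now(timezone.utc) - timedelta(seconds=issued_ago)
    nbf, exp = iso(now - timedelta(seconds=30)), iso(now + timedelta(minutes=5))
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}" ID="_{secrets.token_hex(16)}" '
        f'Version="2.0" IssueInstant="{iso(now)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{BEARER}">'
        f'<saml:SubjectConfirmationData NotOnOrAfter="{exp}" Recipient="{audience}"/>'
        f"</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{nbf}" NotOnOrAfter="{exp}"><saml:AudienceRestriction>'
        f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion>"
    )


def encode_assertion(xml):
    """Client side: the 'assertion' parameter is base64url without padding (RFC 7522 section 2.1)."""
    return base64.urlsafe_b64encode(xml.encode()).rstrip(b"=").decode()


class AuthorizationServer:
    """Assumed token endpoint, plus the gateway-side bearer-token lookup it backs."""

    def __init__(self):
        self.used_ids = {}   # assertion ID -> its NotOnOrAfter; blocks replay of a still-valid assertion
        self.tokens = {}     # opaque token -> (subject, expiry); the 'session' from case 2, kept server side

    def _validate(self, a):
        """Return (subject, None) or (None, reason). Signature is assumed verified already."""
        now = datetime.now(timezone.utc)
        if a.tag != f'{{{SAML_NS["saml"]}}}Assertion' or a.get("Version") != "2.0":
            return None, "not a SAML 2.0 assertion"
        if a.findtext("saml:Issuer", namespaces=SAML_NS) != TRUSTED_ISSUER:
            return None, "untrusted issuer"
        cond = a.find("saml:Conditions", SAML_NS)
        if cond is None or not (parse_iso(cond.get("NotBefore")) <= now < parse_iso(cond.get("NotOnOrAfter"))):
            return None, "outside validity window"
        if TOKEN_ENDPOINT not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]:
            return None, "token endpoint not in audience"
        sc = a.find("saml:Subject/saml:SubjectConfirmation", SAML_NS)
        scd = sc.find("saml:SubjectConfirmationData", SAML_NS) if sc is not None else None
        if scd is None or sc.get("Method") != BEARER:
            return None, "not a bearer subject confirmation"
        if scd.get("Recipient") != TOKEN_ENDPOINT or parse_iso(scd.get("NotOnOrAfter")) <= now:
            return None, "bad recipient or expired confirmation"
        aid = a.get("ID")
        self.used_ids = {k: v for k, v in self.used_ids.items() if v > now}   # forget expired IDs
        if not aid or aid in self.used_ids:
            return None, "assertion replayed"
        self.used_ids[aid] = parse_iso(cond.get("NotOnOrAfter"))
        return a.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS), None

    def token(self, form):
        """POST /oauth2/token handler: returns (http_status, json_body)."""
        if form.get("grant_type") != GRANT_TYPE:
            return 400, {"error": "unsupported_grant_type"}
        try:
            raw = form["assertion"]
            root = ET.fromstring(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
            subject, reason = self._validate(root)
        except (KeyError, ValueError, TypeError, ET.ParseError):
            return 400, {"error": "invalid_request"}
        if subject is None:
            return 400, {"error": "invalid_grant", "error_description": reason}
        tok = secrets.token_urlsafe(32)      # opaque and short, so the REST header stays small
        self.tokens[tok] = (subject, datetime.now(timezone.utc) + TOKEN_LIFETIME)
        return 200, {"access_token": tok, "token_type": "Bearer",
                     "expires_in": int(TOKEN_LIFETIME.total_seconds())}

    def authenticate(self, authorization_header):
        """Gateway side: map 'Authorization: Bearer <token>' to a subject, or None on any failure."""
        scheme, _, tok = (authorization_header or "").partition(" ")
        entry = self.tokens.get(tok) if scheme == "Bearer" else None
        if entry is None or entry[1] <= datetime.now(timezone.utc):
            return None
        return entry[0]
```

Usage: `srv.token({"grant_type": GRANT_TYPE, "assertion": encode_assertion(build_assertion("alice"))})` returns `(200, {...})`; presenting the same assertion a second time returns `invalid_grant`, and the gateway resolves `Authorization: Bearer <access_token>` via `srv.authenticate(...)`. In a Spring setup the `token()` logic would sit behind the token endpoint and `authenticate()` in the gateway's servlet filter; the `tokens` dict is the stateful part the questioner was worried about, but it lives only at the gateway, so the backend services stay stateless.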