REST API authentication with SAML
I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using Java Servlet filter and Spring.

I see two possibilities:

  1. Adding the SAML tokens into the header each time.

  2. Authenticate once with SAML, then using a session or similar (secure conversation) between the client and the gateway.

Case 1: It's a good solution because we are still RESTful but:

  • SAML tokens are quite big. It may generate problems due to the big header size.
  • Replaying tokens is not the best way from a security standpoint.

Case 2: It's no longer stateless and I have to manage a link with the client. Since I use a gateway, the underlying services can still be RESTful.

Case 2 looks like the better choice despite the fact that it does not follow the REST constraints.

Has someone already had to do this and can give me some pointers (for design or implementation)?

Is there a better way to do it with SAML?

Any help or advice is welcome.

Langlauf answered 18/10, 2013 at 9:27 Comment(4)
Use the second approach. Many service providers will reject replayed tokens anyway. Is this to authenticate users or your client software? – Pentagrid
It is to authenticate users. – Langlauf
You may also have a look at using OAuth2 for the same if you're open to having a SAML alternative. – Ophthalmitis
There is no such thing as a SAML token. Did you mean putting the SAML Assertion in an Authorization header? Because a SAML assertion can only be consumed once, since it has a unique ID (to prevent replay attacks). Also, each SAML assertion typically only has a small window of time in which it is valid (usually just a few minutes). – Pipestone

It is still a draft, but the OAuth2 SAML bearer profile may be a possible solution: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17

Use a SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.

Barghest answered 21/10, 2013 at 20:22 Comment(6)
Oh, I'd not heard of that. – Pentagrid
It looks to be the way to go. Several big names of the web use OAuth with JSON Web Token (JWT) to secure their REST service. Also refer to this draft: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05#page-21 and to the Security Token Service (STS) keyword. – Langlauf
So, how do I use SAML2 to authenticate to an OAuth2 provider? – Hasen
You use an STS to do the translation. It will eat an OAuth2 token and generate a SAML2 token. – Langlauf
How can the signed/encrypted assertion be passed? Does the caller have to decrypt them? – Terminator
The token is either passed through the browser or added by a proxy. It doesn't change from a standard authentication workflow, except that you are doing it twice. – Langlauf
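As an added illustration of the SAML bearer grant from this answer (and of the single-use ID and short validity window Pipestone mentions), the following Python is not from the original post or the draft; it builds the token-endpoint form body the draft describes and shows the checks a token endpoint or gateway would run before issuing an OAuth2 token. The assertion is a constructed, unsigned sample and the issuer/audience URLs are placeholders; XML signature verification is assumed to happen before these checks.

```python
import base64
import calendar
import time
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed, unsigned sample assertion (placeholder issuer); signature checks are assumed elsewhere.
TEMPLATE = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{aid}" '
            'Version="2.0" IssueInstant="{nb}"><saml:Issuer>https://idp.example.test</saml:Issuer>'
            '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            '<saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion>')

def iso(ts):
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))

def from_iso(s):
    return calendar.timegm(time.strptime(s, "%Y-%m-%dT%H:%M:%SZ"))

def make_assertion(aid, aud, now, ttl=300):
    """Build the sample assertion with a short validity window (default five minutes)."""
    return TEMPLATE.format(aid=aid, nb=iso(now), na=iso(now + ttl), aud=aud)

def token_request_body(assertion_xml):
    """Client side: form body POSTed to the token endpoint (assertion is base64url, no padding)."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return urlencode({"grant_type": GRANT_TYPE, "assertion": b64})

class AssertionGrantValidator:
    """Token-endpoint side: grant type, validity window, audience, and one-time use by ID."""
    def __init__(self, audience):
        self.audience = audience
        self.seen = {}  # assertion ID -> NotOnOrAfter, so stale entries can be pruned

    def validate(self, body, now):
        form = parse_qs(body)
        if form.get("grant_type") != [GRANT_TYPE]:
            return "unsupported_grant_type"
        raw = form["assertion"][0]
        a = ET.fromstring(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        cond = a.find("saml:Conditions", NS)
        if not (from_iso(cond.get("NotBefore")) <= now < from_iso(cond.get("NotOnOrAfter"))):
            return "expired"
        if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS) != self.audience:
            return "bad_audience"
        self.seen = {k: v for k, v in self.seen.items() if v > now}  # drop IDs past their window
        if a.get("ID") in self.seen:
            return "replayed"  # same assertion presented twice: reject, as Pipestone notes
        self.seen[a.get("ID")] = from_iso(cond.get("NotOnOrAfter"))
        return "ok"
```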

Also, you could generate a jwt token and put it inside of a SAML attribute: from this moment on you could pass the jwt inside of an http header.

It is sort of mixing oauth with saml but if you still need the latter for authentication it could be the way to go.

Iconoscope answered 13/4, 2022 at 20:20 Comment(0)
