Nereis

Reputation: 576

REST API authentication with SAML

I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using a Java Servlet filter and Spring.

I see two possibilities:

  1. Adding the SAML tokens into the header each time.

  2. Authenticate once with SAML, then use a session or similar (secure conversation) between the client and the gateway.

Case 1: It's a good solution because we are still RESTful but:

Case 2: It's no longer stateless and I have to manage a link with the client. Since I use a gateway, the underlying services can still be RESTful.

Case 2 looks like the better choice despite the fact that it does not follow the REST constraints.

Has someone already had to do this and can give me some pointers (for design or implementation)?

Is there a better way to do it with SAML?

Any help or advice is welcome.

Upvotes: 22

Views: 48013

Answers (2)

Phate

Reputation: 6622

Also, you could generate a JWT token and put it inside a SAML attribute: from this moment on you could pass the JWT inside an HTTP header.

It is sort of mixing OAuth with SAML, but if you still need the latter for authentication it could be the way to go.

Upvotes: 0

Zelgada

Reputation: 329

It is still a draft, but the OAuth2 SAML bearer profile may be a possible solution: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-saml2-bearer-17

Use SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.

Upvotes: 14
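Both answers come down to the same shape: the SAML assertion is validated once, a bearer token is issued, and the REST services check only that token on each request. The following added example (not code from the question or either answer) shows the gateway minting a short-lived HS256 JWT after SAML login, the service-side check a servlet filter would perform, and the form body a client sends under the SAML2 bearer draft; the signing key, issuer and audience are constructed values, and the SAML validation itself is assumed to have happened already.

```python
import base64, hashlib, hmac, json, time

GATEWAY_KEY = b"constructed-demo-key-rotate-in-production"  # constructed, not a real secret
ISSUER, AUDIENCE = "https://gateway.example", "rest-api"     # assumed names

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def saml_bearer_grant_body(assertion_xml: bytes) -> dict:
    """Form fields a client sends to an OAuth2 token endpoint under the SAML2 bearer draft."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
            "assertion": _b64url(assertion_xml)}

def mint_jwt(saml_subject: str, ttl_s: int = 300, now=None) -> str:
    """Gateway side: issue a short-lived HS256 JWT once the SAML assertion has been validated."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": saml_subject, "iat": now, "exp": now + ttl_s}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(GATEWAY_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_bearer(authorization_header, now=None):
    """Service side (the check a servlet filter would run): claims dict, or None to reject."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64url or bad JSON
        return None
    # Pin the algorithm: never let the token choose it (rejects alg=none and key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        return None
    expected = hmac.new(GATEWAY_KEY, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    return claims if isinstance(claims.get("exp"), int) and claims["exp"] > now else None
```

With this split the gateway keeps the SAML state while every service behind it stays stateless, which is the property the question was after.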
