Peter Liapin

Reputation: 1275

Pass SAML response from a Web App to the REST API for authentication?

We have a Web App using a REST API. The REST API is based on Loopback and uses its built-in token-based authentication. For the Web App we use forms-based authentication over HTTPS, so the user has to enter his username and password, which we then use to get an access token from the REST API via the POST /users/login endpoint.

One of our customers asked us to support single sign-on (SSO) authentication through SAML 2.0 and AD FS.

We configured our Web App as a service provider (Relying Party in AD FS) and managed to support SSO for it. The challenging part is the authentication between the Web App and the REST API. The idea right now is to configure both the Web App and the REST API as the same Relying Party and add a new POST /users/saml-login endpoint to the REST API, so the Web App can send a SAML response to that endpoint and get an access token based on the claims specified in the SAML response. Everything else should work as it used to before. Here is the flow I imagine:

  1. Web App generates SAML request and redirects a user to the IdP login page
  2. After a successful login the user is redirected back to the Web App with the SAML Response
  3. Web App acts as a proxy and redirects the SAML Response to the REST API endpoint (POST /users/saml-login) where it is validated
  4. If the SAML response is valid the API returns an access token based on the claims
  5. Web App uses access token for further communication with the REST API same as before

Here is the question: Is it OK to implement SAML-based SSO this way? Do you see any issues or security considerations with this approach? Are there any alternatives?

I have read a lot of articles on the web and questions here on StackOverflow about how to use SAML & REST API together:

None of them really helped me to confirm or reject the idea described above.

Upvotes: 8

Views: 7618

Answers (1)

ComponentSpace

Reputation: 1367

That sounds like a reasonable approach. I can't think of any security issues. You're simply re-posting the SAML response internally within your application for processing. As long as you then perform the various security checks on the SAML response and assertion within your REST API, there shouldn't be any issues.

Upvotes: 2
