Is there a standard for using SAML tokens with RESTful services?

I use SAML tokens for authentication against a RESTful set of services, putting the SAML token in the Authorization header.

I cannot find anything there that suggests that there is a standard way to do this. For example, I use:

 Authorization: Bearer <EncryptedAssertion ... 

or

 Authorization: Bearer PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4= 

or

 Authorization: SAML PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4= 

or something else?

Please note that the first one does not work if there are several components of the name in the certificate (since the comma will ruin the header parsing).

The fact that I'm using Bearer says nothing about the token format.

Apache CXF seems to use the third option.

Which one is standard? Is there a standard? If not, is there a de facto standard?

+8
rest saml
2 answers

The standard for custom authentication schemes in HTTP is defined in RFC 2617 and RFC 7235.

 Authorization: scheme key="value", ... 

I doubt that there is a standard for your specific case, but I would say that this is acceptable:

 Authorization: SAML bearer="PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=" 
+5

Having done quite a bit of research on this topic, I could not find a single standard that defines how to use the SAML token in the authorization header.

However, CXF, which is a fairly well-known web-service stack, supports the SAML token as follows:

 Authorization: SAML eJydV1m....9fYTCPr= 

OAuth2 also defines how to authenticate with a SAML token to obtain an OAuth2 access token, which can then be used to call another REST service (https://tools.ietf.org/html/rfc7522):

 POST /token.oauth2 HTTP/1.1
 Host: as.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&
 assertion=PHNhbWxwOl...[omitted for brevity]...ZT4
+4
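As an added example (not code from CXF or from either answer), here is a server-side parse of the RFC 7235 credential forms discussed in both answers (the token68 form `SAML <base64>` and the auth-param form `SAML bearer="..."`), which also shows why the raw-XML variant from the question fails, plus a builder for the RFC 7522 `saml2-bearer` token request body. It assumes the server only extracts the assertion here and validates its signature in a separate step.

```python
import base64
import re
from urllib.parse import urlencode

# RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")
_TCHAR = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_AUTH_PARAM = re.compile(r'(%s)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(%s))' % (_TCHAR, _TCHAR))

def parse_authorization(header):
    """Return (scheme, token68 or None, dict of auth-params) per RFC 7235."""
    scheme, _, rest = header.strip().partition(" ")
    rest = rest.strip()
    if not scheme:
        raise ValueError("missing auth-scheme")
    if not rest:
        return scheme, None, {}
    if _TOKEN68.match(rest):                      # e.g. "SAML PEVu...=" (the CXF form)
        return scheme, rest, {}
    params, pos = {}, 0                           # e.g. 'SAML bearer="PEVu...="'
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if m is None:                             # raw XML ends up here: '<' is not a tchar
            raise ValueError("malformed credentials at offset %d" % pos)
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
        while pos < len(rest) and rest[pos] in " \t,":   # auth-params are comma separated
            pos += 1
    return scheme, None, params

def saml_from_header(header):
    """Extract and decode the SAML XML from either encoded form; reject anything else."""
    scheme, token68, params = parse_authorization(header)
    if scheme.lower() not in ("saml", "bearer"):
        raise ValueError("unsupported auth-scheme %r" % scheme)
    encoded = token68 if token68 is not None else params.get("bearer")
    if encoded is None:
        raise ValueError("no assertion in credentials")
    xml = base64.b64decode(encoded, validate=True).decode("utf-8")
    if not xml.lstrip().startswith("<"):
        raise ValueError("decoded credentials are not XML")
    return xml                                    # still unverified: check the signature next

def base64url_nopad(data):
    """base64url without '=' padding, as RFC 7522 section 2.1 asks for the assertion value."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def saml2_bearer_token_request(assertion_xml):
    """Form body of the RFC 7522 token request (assertion_xml is supplied by the caller)."""
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
                      "assertion": base64url_nopad(assertion_xml.encode("utf-8"))})
```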
