vdenotaris / spring-boot-security-saml-sample

SBS3 — A sample SAML 2.0 Service Provider built on Spring Boot.
https://sbs3.vdenotaris.com
Apache License 2.0

Using Spring Security SAML with RESTful application #49

Closed tykt closed 6 years ago

tykt commented 6 years ago

hi @vdenotaris, I'm new to SAML and trying to implement SAML authentication into my existing application. The current application has a server and client relationship, but it's using a RESTful interface and is not meant to be used with a browser; although some REST GET requests would work with the browser, the intent is to have client and server communicate over REST APIs. Here are some questions I'm hoping you can help answer:

1) Does the Spring Security SAML extension work with a REST application out of the box? If yes, can you give me some guidance/examples?

2) If it doesn't work out of the box, what needs to be done (in summary)?

3) Here are some issues I see with implementing SAML for a REST app:
   a) How do you deal with the redirect aspect of SAML, where the SP is supposed to redirect the client to the IdP?
   b) Since the IdP seems to always present a login form for the client to authenticate, how would it be done with REST?
   c) Is the IdP supposed to provide a REST API for the client to call in order to authenticate?
   d) If the IdP does need to provide APIs to the client, then does that mean my server/client SAML implementation is at the mercy of the IdP the end user would be using? I assumed each IdP would have their own APIs.

4) I am thinking that for REST, the client will request to be authenticated directly from the IdP via a REST API; then the IdP will authenticate the client, generate a SAML token and send it directly to the SP using the AssertionConsumerURL that's set up inside the SP metadata file. From there, the SP would authenticate/verify the SAML token and everything else will be similar to your example.

5) Is my assumption correct? Am I missing anything?

vdenotaris commented 6 years ago

Yours is not a project issue, but a general question about the technology. For this kind of request, please use StackOverflow.

P.S.: I would suggest you take a look at the ECP profile specs.