Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have a web service with SOAP-binding and SAML token being passed to it. It there any standard practice to apply SAML to HTTP-binding also? Could you propose any alternative?
(I need HTTP-binding because a want to use KVP requests and image/jpg mime type)
If your asking how do you authenticate an http request with a SAML token, the general answer is you don’t. You authenticate to the service with a SAML token and then hand out a cookie for the http request. At least, this is how it is done for end users.
If your doing something with an API (e.g) a REST API , then you do something similar but without the cookie. You make an API call to authenticate,hand it a valid SAML token, and this gives you make a key, and you use those keys to sign (HMAC) the entire request. This can be done in the authorization header (which is the correct way to do it ) or appended as a paramater. The server checks the validity of the signature/HMAC on the message and if valid, executes API call.
This is a long disucssion of techniques. This is an MSDN article on doing so. Although its for C#,not java, the section on Security Considerations is directly applicable and the best I’ve found in some short googling.