SAML for HTTP binding
I have a web service with SOAP-binding and SAML token being passed to it. It there any standard practice to apply SAML to HTTP-binding also? Could you propose any alternative?
(I need HTTP-binding because a want to use KVP requests and image/jpg mime type)
If your asking how do you authenticate an http request with a SAML token, the general answer is you don't. You authenticate to the service with a SAML token and then hand out a cookie for the http request. At least, this is how it is done for end users.
If your doing something with an API (e.g) a REST API , then you do something similar but without the cookie. You make an API call to authenticate,hand it a valid SAML token, and this gives you make a key, and you use those keys to sign (HMAC) the entire request. This can be done in the authorization header (which is the correct way to do it ) or appended as a paramater. The server checks the validity of the signature/HMAC on the message and if valid, executes API call.
This is a long disucssion of techniques. This is an MSDN article on doing so. Although its for C#,not java, the section on Security Considerations is directly applicable and the best I've found in some short googling.