SAML for HTTP binding

I have a web service with SOAP-binding and SAML token being passed to it. It there any standard practice to apply SAML to HTTP-binding also? Could you propose any alternative?

(I need HTTP-binding because a want to use KVP requests and image/jpg mime type)

Answers


If your asking how do you authenticate an http request with a SAML token, the general answer is you don't. You authenticate to the service with a SAML token and then hand out a cookie for the http request. At least, this is how it is done for end users.

If your doing something with an API (e.g) a REST API , then you do something similar but without the cookie. You make an API call to authenticate,hand it a valid SAML token, and this gives you make a key, and you use those keys to sign (HMAC) the entire request. This can be done in the authorization header (which is the correct way to do it ) or appended as a paramater. The server checks the validity of the signature/HMAC on the message and if valid, executes API call.

This is a long disucssion of techniques. This is an MSDN article on doing so. Although its for C#,not java, the section on Security Considerations is directly applicable and the best I've found in some short googling.


Need Your Help

System Calls to block incoming calls in iphone 4

iphone callblocking

Is there a way to block/filter the incoming calls in iphone 4.0+

Set tag referenced in code, storyboard?

ios objective-c storyboard

I'm updated an iOS app I did not initially build, and the tags from the storyboard where somehow used which I'm not familiar with how to set - are used to identify buttons within a scrollview. Cou...