RESTful SAML?

How should brokered authentication for such RESTful service calls be handled?

By Francois Lascelles	Article Rating:
February 16, 2010 10:50 PM EST	Reads:	4,733

Related
Print
Email
Feedback
Add This
Blog This

SOA & WOA Magazine on Ulitzer

Existing brokered authentication standards such as SAML Web Browser SSO or OpenID accommodate RESTful web services for browser driven use cases. However, what about RESTful service composition patterns where identities need to be propagated across nested service invocations, or any RESTful Web service client that is not browser based for that matter? How should brokered authentication for such RESTful service calls be handled?

An interesting example of a RESTful Security Token Service (STS) was described in March 2009 by Pablo Cibraro (aka ‘cibrax’). In this post, cibrax offers a mapping between WS-Trust actions and HTTP VERBs as well as a .net implementation sample. In this case, Request Security Token (RST) and Request Security Token Responses (RSTR) are passed as payloads without SOAP envelopes. My favorite part of cibrax’s example is that once the token has been received by the RESTful client, cibrax chooses the standard ‘Authorization’ HTTP header as a vehicle for the token when consuming the RESTful Web service – arguably more RESTful than an ugly form parameter.

This illustrates that not only token services and identity providers must adapt to enable SAML for RESTful Web services. Service providers and brokers must also accommodate the support of such patterns and the standardization of a binding would further the adoption of SAML for RESTful Web services.

CIO, CTO & Developer Resources

Read the original blog entry...

Published February 16, 2010 – Reads 4,733
Copyright © 2010 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.

Related
Print
Email
Feedback
Add This
Blog This

More Stories By Francois Lascelles

As Layer 7’s Chief Architect, Francois Lascelles guides the solutions architecture team and aligns product evolution with field trends. Francois joined Layer 7 in the company’s infancy – contributing as the first developer and designing the foundation of Layer 7’s Gateway technology. Now in a field-facing role, Francois helps enterprise architects apply the latest standards and patterns. Francois is a regular blogger and speaker and is also co-author of Service-Oriented Infrastructure: On-Premise and in the Cloud, published by Prentice Hall. Francois holds a Bachelor of Engineering degree from Ecole Polytechnique de Montreal and a black belt in OAuth. Follow Francois on Twitter: @flascelles

Comments

RightScale Adds to "Multi-Cloud" Discussion

By Roger Strukhoff

cloudhosting14 wrote: As you would already know that managed hosting itself is another form of Cloud hosting in which the system administrations of servers is looked upon by the CPs. Similar is the case with managed multi Cloud hosting. You can very well understand how a big burden it would be to manage multi cloud servers for organization; this is why a service known as managed multi Cloud is provided to these users. This service ensures them the seam less running of their system administrative operations while organizations focus more on t...

May. 21, 2013 04:08 AM EDT

read more & respond »