Roger Lipscombe - 1 month ago
reST (reStructuredText) Question

Is there a standard for using SAML tokens with RESTful services?

I'm using SAML tokens to authenticate against a set of REST-ful services, by putting the SAML token in the Authorization header.

I can't find anything out there that would suggest that there's a standard way to do this. For example, do I use:

Authorization: Bearer <EncryptedAssertion ...

or:

Authorization: Bearer PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=

or:

Authorization: SAML PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4=

or something else?

Note that the first one doesn't work if the certificate has multiple name components (because the comma messes up the header parsing).

The fact that I'm using 'Bearer' doesn't say anything about the format of the token.

Apache CXF appears to use the third variant.

Which one is standard? Is there a standard? If not, is there a de facto standard?

Answer

The standard for custom auth schemes in HTTP is defined in RFCs 2617 and 7235.

Authorization: scheme key="value", ...

I doubt there is a standard for your specific case, but I'd say this is acceptable:

Authorization: SAML bearer="PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4="
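As an added illustration (this is not code from the question or the answer), here is a small Python parser that applies the RFC 7235 credentials grammar the answer cites to each of the header variants discussed above. It shows why the raw-XML form fails on a strict server side (`<` is not a token68 character, independent of the comma problem the question mentions), why an unquoted base64 value with `=` padding is not a valid auth-param (`=` is not a tchar, which is why the answer's form quotes it), and that the `Bearer <b64>`, `SAML <b64>` and `SAML bearer="<b64>"` forms all parse and decode to the same assertion. The function names and the decision to reject anything outside the grammar are my own choices, not something the page or Apache CXF prescribes.

```python
import base64
import binascii
import re

# Simplified RFC 7235 grammar, enough for the variants in the question:
#   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
#   token68     = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   auth-param  = token BWS "=" BWS ( token / quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
AUTH_PARAM = re.compile(rf'\s*({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*(?:,|$)')


def parse_authorization(value: str):
    """Return (scheme, token68_or_None, params). Raise ValueError on anything outside the grammar."""
    value = value.strip()
    m = re.fullmatch(rf"({TOKEN})(?:[ \t]+(.*))?", value, re.S)
    if not m:
        raise ValueError("malformed credentials: no auth-scheme")
    scheme, rest = m.group(1), m.group(2)
    if not rest:
        return scheme, None, {}
    # token68 form, e.g. "Bearer PEVu...=" or "SAML PEVu...=" (the second and third variants)
    if re.fullmatch(TOKEN68, rest):
        return scheme, rest, {}
    # auth-param list, e.g. bearer="PEVu...=" (the answer's form)
    params = {}
    pos = 0
    while pos < len(rest):
        pm = AUTH_PARAM.match(rest, pos)
        if not pm:
            raise ValueError(f"malformed auth-param near {rest[pos:pos + 20]!r}")
        name = pm.group(1).lower()
        if pm.group(2) is not None:
            val = re.sub(r"\\(.)", r"\1", pm.group(2))  # undo quoted-pair escaping
        else:
            val = pm.group(3)
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = val
        pos = pm.end()
    return scheme, None, params


def extract_saml_assertion(header_value: str) -> bytes:
    """Accept the base64 forms discussed on the page and return the decoded assertion bytes."""
    scheme, token68, params = parse_authorization(header_value)
    s = scheme.lower()
    if s == "bearer" and token68:
        encoded = token68
    elif s == "saml" and (token68 or "bearer" in params):
        encoded = token68 or params["bearer"]
    else:
        raise ValueError(f"unsupported credentials: scheme {scheme!r}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError("token is not valid base64") from e
    if not raw.lstrip().startswith(b"<"):
        raise ValueError("decoded token is not XML")
    return raw


def check(header_value: str) -> str:
    """Summarise how the strict parser treats one header value (used by the demo below)."""
    try:
        raw = extract_saml_assertion(header_value)
    except ValueError as e:
        return f"rejected: {e}"
    return f"accepted: {raw[:20]!r}..."


# Constructed sample: the base64 string from the question decodes to "<EncryptedAssertion ..."
SAMPLE_B64 = "PEVuY3J5cHRlZEFzc2VydGlvbiAuLi4="

if __name__ == "__main__":
    for hv in (
        "Bearer <EncryptedAssertion ...",      # raw XML: '<' is not a token68 char
        "Bearer " + SAMPLE_B64,                # token68 under Bearer
        "SAML " + SAMPLE_B64,                  # token68 under a custom scheme
        f'SAML bearer="{SAMPLE_B64}"',         # quoted auth-param (the answer's form)
        "SAML bearer=" + SAMPLE_B64,           # unquoted: '=' padding is not a tchar
    ):
        print(f"{hv[:45]:45} -> {check(hv)}")
```

Note that the quoting matters for more than aesthetics: base64 padding and `/` make an unquoted auth-param value invalid under the token grammar, so a server that parses strictly will accept `SAML bearer="..."` but reject `SAML bearer=...`.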