
So the problem I have is that SAML has already been implemented in the project using spring-security-saml to integrate with a federate IDP.

And now I need to secure REST API calls that are happening from a place where the JSESSIONID can't be persisted, so I want to exchange the SAML assertion that I get from federate for a JWT to provide back to the client side, so it can be used in the Authentication header.

For now I'm a bit lost; I was trying to use JwtAccessTokenConverter from spring-security-jwt to create a JWT token but can't figure out how to glue that together with SAML.

Can someone please shed some light on this one? Or maybe there is another option for securing a REST API using SAML that I don't know about.

Thank you!

Fedor Skrynnikov



You can exchange your SAML token for a JWT from your IDP if your IDP supports the OAuth2 grant type urn:ietf:params:oauth:grant-type:saml2-bearer.

In this case you need to invoke the OAuth2 token endpoint of your IDP and pass the SAML assertion, client-id, client-secret and scope=openid as input, and your IDP should return you a JWT token, which you can use to secure your REST API. This JWT token will also contain all the claims you received in the SAML assertion.

Agam
Comment: Unfortunately our IDP doesn't support the OAuth2 grant. And I don't have access to the federate IDP. The only access I have is the resource provider that receives the SAML assertion, so I want to exchange it and return a JWT to the client side – Fedor Skrynnikov Feb 14 '18 at 07:24
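The exchange the answer describes, as an added example that is not part of the original post or of spring-security-saml: the RFC 7522 token request built from the SAML assertion, plus the checks a resource provider should run on the returned JWT before trusting it on a REST call. The token endpoint URL, client credentials and the sample JWT are assumed or constructed here.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Grant type from RFC 7522 (SAML 2.0 bearer assertion profile for OAuth 2.0).
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

def b64url(data):
    # RFC 7522 sec. 2.1: assertion is base64url-encoded (RFC 4648 sec. 5), no padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token_request(assertion_xml, client_id, client_secret, scope="openid"):
    # The form parameters the answer lists; the IDP replies with a JSON token response.
    return {"grant_type": SAML2_BEARER, "assertion": b64url(assertion_xml),
            "client_id": client_id, "client_secret": client_secret, "scope": scope}

def exchange(token_endpoint, params):
    # Live POST to the IDP token endpoint (hypothetical URL); not exercised offline.
    req = urllib.request.Request(token_endpoint, method="POST",
                                 data=urllib.parse.urlencode(params).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def jwt_claims(token):
    # Decode the payload only; the signature still has to be verified against the
    # IDP's published keys (JWKS) before any claim is acted on.
    header, payload, _signature = token.split(".")
    if json.loads(b64url_decode(header)).get("alg", "none").lower() == "none":
        raise ValueError("unsigned JWT rejected")
    return json.loads(b64url_decode(payload))

def claims_acceptable(claims, issuer, audience, now=None):
    # Resource-side checks before honouring the token on a REST call.
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = audience in aud if isinstance(aud, list) else aud == audience
    return (claims.get("iss") == issuer and aud_ok
            and claims.get("nbf", 0) <= now < claims.get("exp", 0))

# Constructed sample token (not from any real IDP): RS256 header, claims carried
# over from the SAML assertion, placeholder signature.
SAMPLE_JWT = ".".join([b64url(b'{"alg":"RS256","typ":"JWT"}'),
    b64url(b'{"iss":"https://idp.example/","sub":"alice","aud":"rest-api","nbf":1518590000,'
           b'"exp":1518593600,"groups":["staff"]}'), "placeholder-signature"])
```

Signature verification is left to a JWT library fed with the IDP's JWKS; `jwt_claims` only rejects the unsigned `alg: none` case so that the claim checks are never run on an unverifiable token.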