
SSO and SAML - Multiple Services Providers

I have two Spring Boot applications secured with the Spring Security SAML extension. The two applications are already running. The first one (web-ui-app) is a user interface to the second one (services-app), a REST API.

After successfully accessing web-ui-app, correctly authenticated by the identity provider, I try to access some of services-app's methods.

However, instead of receiving the correct response from services-app, a JSON response, I receive something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <body onload="document.forms[0].submit()">
      <noscript>
         <p>
            <strong>Note:</strong> Since your browser does not support JavaScript, you must press the Continue button once to proceed.
         </p>
      </noscript>

      <form action="https://ServiceProvider.com/SAML/SLO/Browser" method="post">
         <div>
            <input type="hidden" name="RelayState" value="0043bfc1bc45110dae17004005b13a2b"/>
            <input type="hidden" name="SAMLRequest" value="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"/>
         </div>
         <noscript>
            <div>
               <input type="submit" value="Continue"/>
            </div>
         </noscript>
      </form>
   </body>
</html>

This is an SSO conversation. Isn't it supposed to be a transparent key exchange between services-app and the service provider, since I'm already logged in by web-ui-app?

What am I missing?

SAML can be used to secure a single application with a rest API, however, having a separate front end and back end that don't share an application or session context does not work. For instance, if you have a single application with the front end packaged in and configure it as a single service provider, the session will be valid for back end API requests.

That being said, if you keep the front end configured as a service provider, you can use stateless token-based security for the REST API as you've mentioned. This architecture is preferred because it is better than sessions. Any request should be able to go to any instance of the REST API and be handled, thus you can add or remove instances of the API to scale the application as needed.

JSON Web Tokens (JWT) are a good option as they allow you to store some information about the user in custom claims within the token. If all instances of the REST API sign the tokens with the same shared secret, any request can go to any instance and that instance will be able to decode the token and get the claim information (such as user id), without having to store it in an in-memory cache or database.
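The stateless check the answer describes, as an added example that is not part of the original post or of Spring Security's own code: a minimal HS256 JWT minted by the SAML-secured front end once the identity provider's assertion has been validated, then verified by any REST API instance holding the same shared secret. The secret value, the claim names and the function names are assumptions, and it uses only the Python standard library rather than a Spring filter.

```python
import base64, hmac, hashlib, json, time

# Constructed shared secret: every REST API instance must hold the same value
# (in practice injected from configuration, never hard-coded).
SHARED_SECRET = b"constructed-shared-secret-for-demo"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(user_id, roles, secret=SHARED_SECRET, ttl=900, now=None):
    """Issued by the front end after the SAML assertion is validated.
    Carries the user id and roles as claims so the API needs no session store."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "roles": list(roles), "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, secret=SHARED_SECRET, now=None):
    """Run by any REST API instance: only the shared secret is needed.
    Returns the claims dict, or None when the token must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the token's own "alg" field must never choose the verifier.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(c))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```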
