Once SAML SSO has been performed, the Service Provider (SP) holds the SAML assertion (token) for the user. The SP should then be able to call a REST service, presenting that SAML token as a bearer token, and obtain an OAuth token in return.
- A RESTEasy endpoint is required that accepts the SAML token as a bearer token. More information on OAuth bearer tokens is available at https://docs.jboss.org/author/display/PLINK/OAuth+Bearer+Tokens
- The endpoint must be secured, so that an unauthenticated request never reaches the resource method.
- PicketLink, as of v2.5.0.Final, provides a login module called SAMLBearerTokenModule.
- The login module validates the SAML bearer token and creates a Principal for use by the REST endpoint.
- The REST endpoint creates an OAuth token for that Principal and sends it back to the requesting client.
- The endpoint should store the OAuth token along with a reference to the SAML token it was issued for, so the OAuth token can later be traced back to the assertion that authorized it.
Implementation notes (PicketLink v2.5.0.Final and above):
- Use a UUID as the issued OAuth token value.
- Convert the SAML token into a base64-encoded string so it can be carried in the Authorization header as a bearer token.
An all-encompassing PicketLink quickstart should demonstrate the end-to-end flow.
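As an added example (not PicketLink's own code and not from the original page), the following shows what the secured REST endpoint from the steps above could look like as a plain JAX-RS resource running on RESTEasy. It assumes that the SAML bearer-token login module has already validated the Authorization header and populated the caller's Principal before the resource method runs, so the resource never parses or verifies SAML itself. The class name, the `/token` path, the `user` role, the `IssuedToken` record and the in-memory store are hypothetical choices for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/**
 * Hypothetical SAML-to-OAuth token exchange resource.
 * Assumption: the container has already run the SAML bearer-token login module
 * against the Authorization header, so when exchange() executes the caller is
 * authenticated and securityContext.getUserPrincipal() is set. This class does
 * not validate SAML signatures or conditions; that is the login module's job.
 */
@Path("/token")
public class SamlToOAuthTokenResource {

    /** Issued OAuth token -> who it was issued to and the SAML token that authorized it. */
    private static final Map<String, IssuedToken> STORE = new ConcurrentHashMap<>();

    /** Record kept per issued token so an OAuth token can be traced back to its SAML assertion. */
    public static final class IssuedToken {
        public final String principalName;
        public final String samlTokenBase64;
        public final long issuedAtMillis;

        IssuedToken(String principalName, String samlTokenBase64, long issuedAtMillis) {
            this.principalName = principalName;
            this.samlTokenBase64 = samlTokenBase64;
            this.issuedAtMillis = issuedAtMillis;
        }
    }

    @POST
    @RolesAllowed("user") // hypothetical role: unauthenticated or unauthorized calls never reach this method
    @Produces(MediaType.APPLICATION_JSON)
    public Response exchange(@HeaderParam("Authorization") String authorization,
                             @Context SecurityContext securityContext) {
        Principal principal = securityContext.getUserPrincipal();
        if (principal == null) {
            // Defensive: only reachable if the login module is not wired to this endpoint.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Keep a reference to the SAML token the login module accepted, not just the principal name.
        String samlTokenBase64 = extractBearerToken(authorization);
        if (samlTokenBase64 == null) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }

        // UUID.randomUUID() is backed by SecureRandom, so the token is unguessable.
        String oauthToken = UUID.randomUUID().toString();
        STORE.put(oauthToken,
                  new IssuedToken(principal.getName(), samlTokenBase64, System.currentTimeMillis()));

        // A UUID contains only hex digits and dashes, so no JSON escaping is needed here.
        String body = "{\"access_token\":\"" + oauthToken + "\",\"token_type\":\"bearer\"}";
        return Response.ok(body).build();
    }

    /** Returns the bearer value from "Authorization: Bearer <base64>", or null if malformed. */
    static String extractBearerToken(String authorization) {
        if (authorization == null) {
            return null;
        }
        String prefix = "Bearer ";
        if (!authorization.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return null;
        }
        String token = authorization.substring(prefix.length()).trim();
        if (token.isEmpty()) {
            return null;
        }
        try {
            Base64.getDecoder().decode(token); // reject anything that is not valid base64
        } catch (IllegalArgumentException e) {
            return null;
        }
        return token;
    }

    /** Client-side helper: base64-encode the SAML assertion XML for the Authorization header. */
    public static String encodeSamlToken(String samlAssertionXml) {
        return Base64.getEncoder().encodeToString(samlAssertionXml.getBytes(StandardCharsets.UTF_8));
    }

    /** Lookup used by other resources that later receive the OAuth token as a bearer token. */
    public static IssuedToken lookup(String oauthToken) {
        return STORE.get(oauthToken);
    }
}
```

The client sends the base64 SAML token as `Authorization: Bearer <base64>`; the login module authenticates that header, `@RolesAllowed` enforces that the endpoint is secured, and the resource only mints and records the OAuth token. In a real deployment the static map would be replaced by a persistent store with expiry and revocation, keyed by the OAuth token and holding the SAML reference, as the page's last design point requires.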