
Requirement

Once SAML SSO has been performed, the Service Provider (SP) holds the SAML assertion (token) for the user. The SP should then be able to call a REST service, presenting that SAML token, and obtain an OAuth token in return.

Design

  • A RESTEasy endpoint is required that accepts the SAML token as a bearer token. More information on OAuth bearer tokens is available at https://docs.jboss.org/author/display/PLINK/OAuth+Bearer+Tokens
  • The endpoint must be secured.
    • As of v2.5.0.Final, PicketLink ships a login module for this purpose, SAMLBearerTokenModule.
    • The login module validates the SAML bearer token and creates a Principal for use by the REST endpoint; a request whose token does not validate must not reach the endpoint logic.
  • The REST endpoint creates an OAuth token for that principal and returns it to the requesting client.
    • The endpoint should store the OAuth token together with a reference to the SAML token it was issued for, so that later use of the OAuth token can be traced back to the originating SAML assertion.

Versions

RESTEasy (Any)

PicketLink v2.5.0.Final and above

What should the OAuth token look like?

Options:

  1. Use a random UUID. The token is opaque to the client; the server resolves it through the stored token-to-SAML mapping.
  2. Convert the SAML token into a base64 encoded string. Note that base64 is an encoding, not encryption: anyone holding such a token can read the full assertion, and the token is as long as the assertion itself.
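As an added illustration of the design above (this is not the quickstart's code and none of it is PicketLink API), the following JAX-RS resource shows the exchange endpoint assuming the container has already run the SAML bearer-token login module, so that the SAML token has been validated and a Principal is available through the injected SecurityContext. It issues a UUID OAuth token (option 1), records it server-side together with the SAML token it was derived from, and exposes a lookup for later requests. The class name, the IssuedToken record, the in-memory store and the JSON response shape are assumptions made for the example.

```java
import java.security.Principal;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/**
 * Illustrative JAX-RS resource for the SAML -> OAuth exchange (example code,
 * not PicketLink's). Assumes the container has already run the SAML bearer
 * token login module, so when this method executes the SAML token has been
 * validated and a Principal is available via the injected SecurityContext.
 */
@Path("/token")
public class SamlToOAuthTokenResource {

    /** Server-side record tying an issued OAuth token back to its SAML token (assumed shape). */
    public static final class IssuedToken {
        public final String principalName;
        public final String samlToken;      // the bearer token the client presented
        public final long issuedAtMillis;

        IssuedToken(String principalName, String samlToken, long issuedAtMillis) {
            this.principalName = principalName;
            this.samlToken = samlToken;
            this.issuedAtMillis = issuedAtMillis;
        }
    }

    /** In-memory store keyed by OAuth token; a real deployment would persist this. */
    private static final Map<String, IssuedToken> STORE = new ConcurrentHashMap<>();

    @POST
    @Produces(MediaType.APPLICATION_JSON)
    public Response exchange(@Context SecurityContext ctx,
                             @HeaderParam("Authorization") String authorization) {
        Principal user = ctx.getUserPrincipal();
        // The endpoint is secured by the login module; no principal means it did not run.
        if (user == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        String samlToken = bearerValue(authorization);
        if (samlToken == null) {
            return Response.status(Response.Status.BAD_REQUEST)
                           .entity("{\"error\":\"invalid_request\"}").build();
        }
        // Option 1: an opaque random UUID (java.util.UUID.randomUUID() draws from
        // SecureRandom) rather than a re-encoding of the assertion.
        String oauthToken = UUID.randomUUID().toString();
        STORE.put(oauthToken,
                  new IssuedToken(user.getName(), samlToken, System.currentTimeMillis()));
        String body = "{\"access_token\":\"" + oauthToken + "\",\"token_type\":\"bearer\"}";
        return Response.ok(body).build();
    }

    /** Resolve a previously issued OAuth token; null if the token is unknown. */
    public static IssuedToken lookup(String oauthToken) {
        return STORE.get(oauthToken);
    }

    /** Extract the value from "Authorization: Bearer <token>"; null if it is not a bearer header. */
    static String bearerValue(String authorization) {
        if (authorization == null) {
            return null;
        }
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Bearer".equalsIgnoreCase(parts[0])) {
            return null;
        }
        return parts[1];
    }
}
```

Two points worth keeping in mind with this shape: the store holds bearer credentials (both the issued OAuth token and the SAML assertion it maps to), so it needs the same protection as any other credential table, and the endpoint should only be reachable over TLS, since the SAML token arrives in a plain Authorization header.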

Final Decision

An all-encompassing PicketLink quickstart.

JIRA

https://issues.jboss.org/browse/PLINK-345

Labels: oauth, oauth_saml, resteasy