Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful services
> Using HTTP Authorization header: Client app acquires SAML token (HOK) from
> STS and sends it in the Authorization header of the REST request. See
> http://bit.ly/aKPYB1

Unfortunately, it doesn't fit because of header size constraints enforced by most servers. References become one option, but the deeper question is, do you really want to send something like that on every REST call anyway? Probably not.

Which means we're back to cookies and/or client TLS, which is why I like the SSO model of delivering a token once to exchange it for a session. Which is why I think ECP fits. But this is not John's use case, so that's a mistake on my part.

> Outlook calling Google apps over REST using OAUTH + SAML. See
> http://bit.ly/bCkfIY

There are plenty of people doing this and similar things, and they'll get plenty of traction, but I don't care for the approach of turning non-web into web.

-- Scott