OASIS Mailing List Archives

saml-dev message



Subject: RE: [saml-dev] RE: How to provide SAML assertions in RESTful services


> Using HTTP Authorization header: Client app acquires SAML token (HOK) from
> STS and sends it in the Authorization header of the REST request. See
> http://bit.ly/aKPYB1

Unfortunately, it doesn't fit because of header size constraints enforced by
most servers. References become one option, but the deeper question is, do
you really want to send something like that on every REST call anyway?
Probably not. Which means we're back to cookies and/or client TLS, which is
why I like the SSO model of delivering a token once to exchange it for a
session. Which is why I think ECP fits. 

But this is not John's use case, so that's a mistake on my part.

> Outlook calling Google apps over REST using OAUTH + SAML. See
> http://bit.ly/bCkfIY

There are plenty of people doing this and similar things, and they'll get
plenty of traction, but I don't care for the approach of turning non-web
into web.

-- Scott



