Make service/IoT connect to our API then to AM/OpenAM via SAML

This topic has 3 replies, 2 voices, and was last updated 3 years, 12 months ago by voxtel.

  • Author
  • #22451


    I understand the easy part where a user uses the browser to log in to a federated identity via SAML like such
    Web browser -> our website -> Provide user/password via SAML to AM/OpenAM -> return to our website and stay logged in

    However, I now need to connect out in-house API in a similar way:
    Service/IoT -> our API -> authenticate via SAML to AM/OpenAM somehow -> return to API to execute function

    The problem is that a service or IoT has no interface so I guess I need to authorize these services somehow and change my API code to authenticate to AM/OpenAM instead of using our current API key method. Unfortunately, I don’t really know the search terms for such a system, hence could not find any info on Google or in the forums.

    Could anyone push me in the right direction, towards the correct documentation or provide me with the name of such a system to help me find how to make this happen?



     Andrew Potter

    Hi Marco
    I’d expect you to be looking at Oauth2 for this.
    A client would typically acquire an Oauth2 ‘access_token’ from an Authorization Server. The access_token contains a set of ‘scopes’ (think permissions). The client then passes the access_token to the Resource Server with its request. The Resource Server validates the access_token and, if all is good, returns the data to the client.
    In your case:
    Client = Service/IoT
    Resource Server = API (You can use IG to provide the Oauth2 token validation)
    Authorization Server = AM


    Thanks Andrew, your answer really helped clear things out, and the terminology “Resource server” will help a lot in my reserch!

    So there is no way to do this via SAML, it must be OAuth2?

    If I understand correctly, This would be the workflow?
    Service/IoT -> get access_token from AM (Resource Server not involved in this)
    Service/IoT -> request Resource Server using the access_token -> RS uses IG/OpenIG to validate token with AM/OpenAM

    Thanks again!



    (Our API is all PHP however, and we don’t have full control on the AM/OpenAM server, so I’m not sure we can use Identity Gateway on our API server)

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?