July 3, 2018 at 10:33 pm #22451
I understand the easy part where a user uses the browser to log in to a federated identity via SAML like such
Web browser -> our website -> Provide user/password via SAML to AM/OpenAM -> return to our website and stay logged in
However, I now need to connect our in-house API in a similar way:
Service/IoT -> our API -> authenticate via SAML to AM/OpenAM somehow -> return to API to execute function
The problem is that a service or IoT has no interface so I guess I need to authorize these services somehow and change my API code to authenticate to AM/OpenAM instead of using our current API key method. Unfortunately, I don’t really know the search terms for such a system, hence could not find any info on Google or in the forums.
Could anyone push me in the right direction, towards the correct documentation or provide me with the name of such a system to help me find how to make this happen?
Marco
July 4, 2018 at 10:09 am #22454
Andrew Potter (Participant)
I’d expect you to be looking at OAuth2 for this.
A client would typically acquire an OAuth2 ‘access_token’ from an Authorization Server. The access_token contains a set of ‘scopes’ (think permissions). The client then passes the access_token to the Resource Server with its request. The Resource Server validates the access_token and, if all is good, returns the data to the client.
In your case:
Client = Service/IoT
Resource Server = API (You can use IG to provide the OAuth2 token validation)
Authorization Server = AM
July 4, 2018 at 3:42 pm #22456
Thanks Andrew, your answer really helped clear things up, and the terminology “Resource Server” will help a lot in my research!
So there is no way to do this via SAML, it must be OAuth2?
If I understand correctly, this would be the workflow?
Service/IoT -> get access_token from AM (Resource Server not involved in this)
Service/IoT -> request Resource Server using the access_token -> RS uses IG/OpenIG to validate token with AM/OpenAM
Marco
July 4, 2018 at 5:56 pm #22457
(Our API is all PHP however, and we don’t have full control on the AM/OpenAM server, so I’m not sure we can use Identity Gateway on our API server)
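As an added example (not code from the thread or from ForgeRock), this is the Resource Server step Andrew describes, done without IG: the API asks AM whether the access_token is active via an RFC 7662 token introspection call and then enforces expiry and scopes itself. The introspection URL, the API's client credentials, the scope names and the sample introspection responses are all assumptions constructed for illustration; the same logic maps directly onto a PHP API.

```python
import base64
import json
import time
from urllib import parse, request

# Assumed values (not from the thread): AM's RFC 7662 introspection endpoint
# and the credentials the Resource Server (our API) uses to call it.
INTROSPECT_URL = "https://am.example.com/oauth2/introspect"
RS_CLIENT_ID = "iot-api"
RS_CLIENT_SECRET = "change-me"


def introspect(access_token, opener=request.urlopen):
    """POST the token to AM's introspection endpoint, authenticating as the RS."""
    creds = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode()).decode()
    body = parse.urlencode({"token": access_token}).encode()
    req = request.Request(
        INTROSPECT_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.load(resp)


def authorize(introspection, required_scope, expected_client=None, now=None):
    """Decide from an introspection response whether the API call may proceed.

    Returns (allowed, reason). Inactive, expired and under-scoped tokens are
    refused; optionally the token must have been issued to a specific client.
    """
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token inactive or unknown"
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    granted = set(introspection.get("scope", "").split())
    if required_scope not in granted:
        return False, f"missing scope {required_scope}"
    if expected_client and introspection.get("client_id") != expected_client:
        return False, "token issued to a different client"
    return True, "ok"


# Constructed sample responses standing in for what AM would return.
SAMPLE_ACTIVE = {"active": True, "scope": "sensor:write sensor:read",
                 "client_id": "thermostat-42", "exp": 1_530_700_000}
SAMPLE_REVOKED = {"active": False}

if __name__ == "__main__":
    print(authorize(SAMPLE_ACTIVE, "sensor:write", now=1_530_690_000))
```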