I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using Java Servlet filter and Spring.

I see two possibilities:

1. Adding the SAML tokens into the header each time.

2. Authenticate once with SAML, then using a session or similar (secure conversation) between the client and the gateway.

Case 1: It's a good solution because we are still RESTful but:

• SAML tokens are quite big. It's may generated problem due to big header size.
• Replaying tokens is not the best way for security concern.

Case 2: It's no more stateless and I have to managed a link with the client. Since I use a gateway, the underlying services can still be RESTful.

Case 2 looks for the better choice despite the fact that it does not follow the rest constraints.

Is someone had already to do it and give me some pointers (for design or implementation)?

Is there a better way to do it with SAML?

Any help or advice are welcome.

It is still draft, but: the OAuth2 SAML bearer profile may a possible solution. http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-17

Use a SAML2 to authenticate to an OAuth2 provider, then call your service with the OAuth2 token.