Spring SAML Security Implementation

I am starting with a new Spring project where I plan to use SSO. I have read blogs and found out that Spring SAML security will be the best solution for the SP.

So, I have implemented Spring security SAML application provided by Spring site https://github.com/SpringSource/spring-security-saml as SP along with Shibboleth IDP.

IDP connects to the LDAP server. I can execute the Spring Security Sample Application.

I am confused about how to use this Spring SAML security extension along with multiple Spring projects.

Any example reference or suggestion for a Spring SAML project integration architecture with multiple Spring MVC applications would be helpful.

+3




1 answer


If your REST APIs are only called by the web application that is deployed along with them (in the same war and therefore sharing the same HTTP session), you can use Spring SAML + Spring Security to secure them.

Spring SAML will be used to authenticate users against the remote IDP and populate their rights (granted credentials); Spring Security can then be used to define security policies for APIs called from the UI.

If you want to be able to call REST APIs from remote clients, you might want to look into the Spring Security OAuth project - as this is no longer web SSO.



You can create a central Spring SAML installation that handles all the SSO logic. Of course, you will need to implement a mechanism in which Spring SAML passes the authenticated user information and its attributes to your other applications in a secure manner. One possible way to approach it (assuming the apps are deployed in the same domain and therefore can share cookies):

  • after authentication, Spring SAML sets a common cookie that is visible to all other applications and which is, for example, signed with a Spring SAML key or encrypted using a public key; the cookie must also contain the user attributes
  • this can be done in a custom AuthenticationSuccessHandler, which is expected to redirect the user to the correct application (e.g. based on some custom logic or relay state).
  • the target application needs to validate the cookie (by verifying the signature or decrypting using the shared key, perhaps performing other checks), parse the attributes, and start its own session that is pre-authenticated based on the content of the cookie

All of this can be done by implementing the standard Spring Security and Spring SAML interfaces. But this is not a trivial task - mainly considering that any security vulnerability in your implementation could compromise the security of your applications.

+8
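As an added illustration of the signed-cookie hand-off described in the answer (not code from the question, the answer, or the Spring SAML project): a custom AuthenticationSuccessHandler that issues an HMAC-SHA256-signed, short-lived cookie carrying the user name and granted authorities, plus the verification step a target application would run before starting its pre-authenticated session. The cookie name, shared domain, target URL and shared key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/** After SAML login, writes a short-lived HMAC-signed cookie that sibling apps on the same domain can verify. */
public class SsoCookieSuccessHandler implements AuthenticationSuccessHandler {
    static final String COOKIE_NAME = "SSO_TOKEN"; // hypothetical cookie name
    static final long TTL_SECONDS = 120;           // short lifetime limits replay of a stolen cookie
    private final byte[] key;                      // shared secret held by every participating app
    private final String targetUrl;                // hypothetical: where to send the user after login
    public SsoCookieSuccessHandler(byte[] key, String targetUrl) { this.key = key; this.targetUrl = targetUrl; }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth) throws java.io.IOException {
        String roles = auth.getAuthorities().stream().map(a -> a.getAuthority()).collect(Collectors.joining(","));
        // token = base64url(user|roles|expiry) + "." + base64url(HMAC-SHA256 over that first part)
        String payload = b64((auth.getName() + "|" + roles + "|" + (Instant.now().getEpochSecond() + TTL_SECONDS))
                .getBytes(StandardCharsets.UTF_8));
        Cookie c = new Cookie(COOKIE_NAME, payload + "." + b64(hmac(payload)));
        c.setDomain(".example.com"); // constructed: the parent domain all apps share
        c.setPath("/"); c.setSecure(true); c.setHttpOnly(true); c.setMaxAge((int) TTL_SECONDS);
        res.addCookie(c);
        res.sendRedirect(targetUrl);
    }

    public String verify(String cookieValue) { // target-app side: "user|roles" if signature and expiry hold, else null
        try {
            int dot = cookieValue.lastIndexOf('.');
            if (dot < 0) return null;
            String payload = cookieValue.substring(0, dot);
            byte[] given = Base64.getUrlDecoder().decode(cookieValue.substring(dot + 1));
            if (!java.security.MessageDigest.isEqual(hmac(payload), given)) return null; // constant-time compare
            String[] f = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8).split("\\|", -1);
            if (f.length != 3 || Long.parseLong(f[2]) < Instant.now().getEpochSecond()) return null; // expired
            return f[0] + "|" + f[1];
        } catch (IllegalArgumentException e) { return null; } // malformed base64 or number: reject
    }

    private byte[] hmac(String data) {
        try { Mac m = Mac.getInstance("HmacSHA256"); m.init(new SecretKeySpec(key, "HmacSHA256"));
              return m.doFinal(data.getBytes(StandardCharsets.UTF_8)); }
        catch (java.security.GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
}
```

In the target application a servlet filter would call verify() on the incoming cookie and, on success, build its own session from the returned user and roles (for example via Spring Security's PreAuthenticatedAuthenticationToken). The cookie is not bound to the IdP session, so keep TTL_SECONDS short and have the receiving app drop the cookie once its own session exists.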

