When discussing possible ways of implementing SSO for API Manager 3.0
(C5), we came up with the following two approaches.
In API Manager 3.0, the store, publisher and admin apps will be OAuth clients,
which work with access tokens.

1. Access token retrieved via SAML grant

- When a user requests a resource, the SAML client in the backend will create a
SAML request and forward it to the IDP.
- Once the user has logged in to the IDP, the SAML response will be sent back to the
client.
- The SAML response will then be validated and, if successful, the user will be
logged into the app.
- Exchange the SAML token for an access token.



2. Access token retrieved via Authorization code grant

- When a user requests a resource, if he is not authenticated he will be
redirected to the authorization server.
- The user then provides username / password there and will get an authorization code.
- That authorization code is then used to obtain the access token, and that
access token is used in subsequent calls.


Therefore it seems that there is no real need to use SAML here,
and implementation-wise it is much simpler to use the 2nd approach, as there won't
be any dependencies on SAML libraries like we had in C4.

Appreciate your thoughts on this.

Image reference : https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/


Thanks,
Sajith

-- 
Sajith Kariyawasam
*Associate Tech Lead*
*WSO2 Inc.; http://wso2.com <http://wso2.com/>*
*Committer and PMC member, Apache Stratos *
*AMIE (SL)*
*Mobile: 0772269575*
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

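The two token flows compared in the mail, as an added example that is not part of the original post and not WSO2 code: an in-process toy authorization server with an /authorize and a /token endpoint, a confidential web app playing the publisher (approach 2, authorization code grant), and the IdP-issued assertion exchanged at /token with the RFC 7522 `urn:ietf:params:oauth:grant-type:saml2-bearer` grant type (approach 1). Client ids, secrets, URLs and the IdP key are constructed values; the "assertion" is a stand-in for a signed <saml:Assertion> that carries an HMAC where the real thing carries an XML-DSig signature, so that the checks a SAML bearer token endpoint has to make (signature, audience restriction, NotOnOrAfter) can be shown without a SAML library. Either way the security-relevant work on the app side is the same: a `state` bound to the session for the callback, a registered `redirect_uri`, single-use short-lived codes, and client authentication at /token.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample configuration: assumed values, not WSO2 defaults.
AS_AUTHORIZE = "https://as.example/authorize"
AS_TOKEN = "https://as.example/token"  # also the SAML assertion's expected audience
CLIENTS = {"publisher": {"secret": "publisher-secret", "redirect_uri": "https://publisher.example/oauth/callback"}}
IDP_KEY = b"idp-signing-key"  # stand-in for the IdP's SAML signing key
SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"

def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def issue_saml_assertion(subject, audience, lifetime=300):
    """IdP side. Stand-in for a signed <saml:Assertion>: subject, audience,
    NotOnOrAfter and an HMAC where the real thing carries an XML-DSig signature."""
    body = f"{subject}|{audience}|{int(time.time()) + lifetime}"
    return body + "|" + hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_saml_assertion(assertion):
    """What a SAML bearer token endpoint must check before trusting the subject:
    signature, audience restriction and NotOnOrAfter."""
    parts = assertion.split("|")
    if len(parts) != 4:
        raise PermissionError("invalid_grant: malformed assertion")
    subject, audience, not_on_or_after, sig = parts
    expected = hmac.new(IDP_KEY, "|".join(parts[:3]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid_grant: bad signature")
    if audience != AS_TOKEN or int(not_on_or_after) <= time.time():
        raise PermissionError("invalid_grant: wrong audience or expired")
    return subject

class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> {client_id, redirect_uri, user, expires}
        self.tokens = {}  # access_token -> user

    def authorize(self, params, user):
        """/authorize after login: redirect to the registered redirect_uri with a short-lived code and the client's state."""
        client = CLIENTS.get(params.get("client_id"))
        if client is None or client["redirect_uri"] != params.get("redirect_uri"):
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "user": user, "expires": time.time() + 60}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """/token for both grants; the client authenticates first either way."""
        client = CLIENTS.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise PermissionError("invalid_client")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)  # single use: a replayed code finds nothing
            if (entry is None or entry["client_id"] != form["client_id"]
                    or entry["redirect_uri"] != form.get("redirect_uri") or entry["expires"] < time.time()):
                raise PermissionError("invalid_grant")
            user = entry["user"]
        elif grant == SAML_BEARER:
            user = verify_saml_assertion(form.get("assertion", ""))
        else:
            raise PermissionError("unsupported_grant_type")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return {"access_token": token, "token_type": "Bearer"}

class WebApp:
    """Confidential client (store/publisher/admin) using the authorization code grant."""
    def __init__(self, client_id):
        self.client_id = client_id
        self.redirect_uri = CLIENTS[client_id]["redirect_uri"]
        self.pending_state = None

    def start_login(self):
        self.pending_state = secrets.token_urlsafe(16)  # kept in the session; defeats login CSRF
        return AS_AUTHORIZE + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                               "redirect_uri": self.redirect_uri, "state": self.pending_state})

    def handle_callback(self, callback_url, server):
        q = query_params(callback_url)
        if self.pending_state is None or not hmac.compare_digest(q.get("state", ""), self.pending_state):
            raise PermissionError("state mismatch")
        self.pending_state = None
        return server.token({"grant_type": "authorization_code", "code": q.get("code", ""),
                             "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                             "client_secret": CLIENTS[self.client_id]["secret"]})

def run_code_flow(server, app, user):
    """Approach 2 end to end; returns the access token."""
    callback = server.authorize(query_params(app.start_login()), user)  # user logs in at the AS
    return app.handle_callback(callback, server)["access_token"]

def run_saml_flow(server, app, user):
    """Approach 1: IdP-issued assertion exchanged at /token with the SAML bearer grant type."""
    form = {"grant_type": SAML_BEARER, "assertion": issue_saml_assertion(user, AS_TOKEN),
            "client_id": app.client_id, "client_secret": CLIENTS[app.client_id]["secret"]}
    return server.token(form)["access_token"]
```

`run_code_flow(AuthorizationServer(), WebApp("publisher"), "alice")` drives approach 2 and `run_saml_flow` approach 1 against the same server; a replayed code, a callback with a forged `state`, an expired assertion, an assertion for another audience, or a wrong client secret all raise `PermissionError`. Note that the SAML path only removes the redirect dance from the app: the token endpoint still needs full assertion validation (in practice a real SAML library on the authorization server side), which is the dependency the mail points at.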