Using WebAPI can I switch a SAML token to SWT?

Question

I am working on an API using ASP.NET WebAPI. Authentication is done by a 3rd party, and we are sent a SAML token that we authenticate (we are provided the certs to check).

However, I don't want to keep validating against the SAML token as it's quite large so I want to issue a Simple Web Token or something similar. All the examples I see on the web have a third party, or some sort of identity server issuing the SWT.

Is there any reason I can't just issue the token myself? I was looking into using wif.swt, or possibly just rolling my own. What do I need to consider to keep the token secure?

score 3 · Accepted Answer · edited Oct 07 '21 at 07:13

3

This is how I interpreted your proposal... you want the 3rd Party to send you a SAML token, once validated you then want to issue a smaller SWT as a session token that the 3rd party will thereafter use to talk to your service (presumably until some kind of expiration date)?

My first point is to say to take a look first at the JSON Web Token JWT, it should be even lighter in size than a SWT and most importantly the specification explains explicitly how the token should be secured (HMAC 256 signing or encryption).

there are many libraries out there that will let you work with these:

If the approach mentioned at the top was what you were after then there is an example here of taking a SAML token and returning a JWT session using the Thinktecture library.

edited Oct 07 '21 at 07:13

Community

1
1

answered Feb 23 '13 at 22:49

Mark Jones

12,156
2
50
62

Thanks for the suggestion about JWT. Will take a look at it and see if that works for me. – Simon C Feb 24 '13 at 20:09
Microsfot own link is depreciated now, do you have anyother option now – Dragon Mar 21 '17 at 10:02
@Dragon I have updated the old links with up to date links. The MS one is now System.IdentityModel.Tokens.Jwt 5.1.3 – Mark Jones Mar 21 '17 at 14:42

Using WebAPI can I switch a SAML token to SWT?

1 Answers1