To read more about Gluu and SAML, read the blog written by Ben Lee here and the resulting series on building up a Gluu infrastructure, starting here.
SAML can also carry authorisation data: the assertion the identity provider issues for each user can include attributes such as the groups that user belongs to. For a RESTapi this lets us restrict routes, or the data they return, to users whose group membership entitles them to it. The API should only trust those attributes after it has verified the assertion's signature; an unverified assertion is just XML that anyone can write.
Stage Four – Security Integration Assessment
So what do the frameworks that have made it this far have to offer in the SAML department? Let's have a look!
The frameworks left are: ASP.Net Core, AWS API Gateway, Node.js on Express, Node.js on Restify, and Python on Flask.
ASP.Net has functioning SAML integration which would fulfil our needs, but one of the required packages has not yet been ported to the .Net Core libraries. This means that this functionality would not work natively on Linux and would require Mono or a similar framework to get it running. This has been known to cause both performance and functionality issues so at this time ASP.Net Core fails the Security Integration Test.
AWS API Gateway
AWS API Gateway has added custom authorizers. API Gateway hands the caller's token and the ARN of the requested method to a Lambda function, which returns an IAM policy document allowing or denying execute-api:Invoke; API Gateway caches that policy (keyed on the token, for a configurable TTL) and then allows or denies access to the requested resource. This means that the API can use SAML as its authentication provider, but the glue must be written as a Lambda function, for example in Node.js or Python. An example of how this works (for the auth0 service) can be found here. Two things to keep in mind: a TOKEN authorizer only receives a single header value, so in practice a broker (Gluu, auth0 or similar) exchanges the SAML login for a bearer token the authorizer can verify; and because the policy is cached, a revoked token or a changed group membership only takes effect once the cache entry expires. While this is not a drop-in solution it is a very extensible and elegant one and worth the small initial investment of development time. That is a pass for AWS API Gateway.
Node.js on Express, Node.js on Restify
Node.js has a library called passport-saml, a SAML authentication strategy for Passport, the de facto authentication middleware for Node.js. passport-saml is just one of many strategies Passport supports, which makes Passport a very extensible system. For Restify there is a port of passport-saml called passport-saml-restify. With both of these libraries available and well documented, implementing SAML security for our RESTapi endpoint should not be an issue for Node.js. The one configuration step not to skip is supplying the identity provider's signing certificate so that assertion signatures are actually verified before the strategy hands you a user profile.
So ASP.Net Core fell off our list, but the rest of the frameworks remain strong. That leaves us with Express.js, Restify, Flask, and API Gateway! That's it for this edition of the great RESTapi showdown, see you next time!
Tim Gray – Coffee to Code
Tim blogs about the sharp end of code and the languages it is written in.
You can read Tim’s What’s The Best Restful Web API Framework Part 1, Part 2, Part 3, Part 5 and Part 6 to get the whole picture or all of Tim’s blogs here.