API Security with SAML Identity Provider

If the application is federated using SSO protocols such as SAML, OAuth or OIDC, the user generally does not know the application's own credentials; the user only knows the credentials of the Identity Provider. Hence basic authentication does not work in such cases.

This is where our solution comes into the picture. We provide REST API authentication for various applications using federated identity.

Using miniOrange API gateway, you can authenticate the REST APIs of your application using login with SAML/OAuth/OIDC providers.



How miniOrange API Gateway protects your APIs with SAML 2.0 Federated Identity

Login with your Identity Provider credentials:

  1. The client application sends a login request to the miniOrange API gateway.
  2. miniOrange sends a SAML SSO request to your IdP (e.g. ADFS or Okta) and redirects you to the IdP login page.
  3. On successful authentication, the IdP sends the SAML response back to the API gateway.
  4. miniOrange validates the SAML response and generates a JWT containing the claims found in the SAML assertion.
  5. miniOrange sends the JWT to the client application.

Access APIs with the JWT:

  1. The client application calls your APIs through the miniOrange API gateway, passing the JWT received above in the Authorization header.
  2. The API gateway validates the JWT.
  3. If the token is valid, the API gateway forwards the request to the API or resource server.
  4. The response from the API server is returned to the client application.


Security guidelines we follow to secure your APIs:


Enforce HTTPS / TLS connection:

We provide an option to enforce HTTPS (HTTP over TLS) for API requests, so that your credentials are transferred securely.


Input Parameter Validation to prevent injections:

Request parameters are validated at the very first step, before they reach your API server. Our validation checks block the request immediately if input validation fails, which helps to prevent SQL injection and other injection attacks.

We support the input validation specified by OWASP REST Security guidelines.


Timestamp in Request:

Along with the other request parameters, we provide an option to add a request timestamp as a custom HTTP header in the API request. The server compares the current time to the request timestamp and only accepts the request if it falls within the allowed timeframe (60-300 seconds). This prevents replay attacks from attackers who resend captured requests, or try to brute force your system, without changing this timestamp.
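As an added example (not miniOrange's code), here is a minimal gateway-side check in Python covering the "Access APIs with the JWT" flow above together with the request timestamp header: it verifies an HS256 JWT from the Authorization header and rejects requests whose `X-Request-Timestamp` (an assumed header name) lies outside a 300-second window. The shared secret and the header name are constructed for the example; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json

GATEWAY_SECRET = b"constructed-demo-secret"  # constructed sample; a real gateway loads its signing key from config
MAX_SKEW_SECONDS = 300  # upper bound of the 60-300 second window described above

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def issue_jwt(claims, secret=GATEWAY_SECRET):  # login flow step 4: mint a JWT from SAML claims
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_jwt(token, now, secret=GATEWAY_SECRET):  # returns the claims, or None if the token is rejected
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and any algorithm we did not issue
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if now >= float(claims.get("exp", 0)):  # expired (or missing exp) tokens are rejected
            return None
        return claims
    except (ValueError, TypeError, AttributeError):  # malformed token
        return None

def gateway_check(headers, now):  # access flow step 2: returns (forward_to_backend, reason)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    claims = verify_jwt(auth[len("Bearer "):], now)
    if claims is None:
        return False, "invalid or expired token"
    ts = headers.get("X-Request-Timestamp", "")
    if not ts.isdigit():
        return False, "missing request timestamp"
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:  # replayed or very old request
        return False, "request timestamp outside allowed window"
    return True, f"forwarded for subject {claims.get('sub')}"
```

Note that a timestamp window only shrinks the replay window to those seconds; to block replays within the window as well, the gateway would also need to remember request signatures or nonces it has already seen.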


Digitally Sign API requests and responses:

We support digitally signed API requests and responses as an added security measure.

Digitally signed requests ensure that API calls are coming from a trusted partner or client.


Rate Limiting:

We protect your APIs with rate limiting to mitigate distributed denial-of-service (DDoS) attacks and to protect the backend applications that process the API calls.