Authenticating users in an Angular app which uses AWS lambda backend, via SAML

I am developing an Angular application, which uses AWS lambda as the backend from which it fetches data.

I need to use SAML for user authentication. Only authenticated users should be able to invoke lambda functions through AWS API Gateway.

I understand that in SAML, the service provider should redirect requests without a security context to the IDP, and only allow requests with a valid security context. But I cannot understand how I can achieve this with AWS lambda.

Can anyone give some guidance on how I can achieve this?

For your scenario I’d recommend OAuth/OIDC, with your frontend obtaining an access token from Okta to be sent to your lambda. Here your lambda’s stateless nature won’t have any difficulties with authorizing users’ requests for data based on a JWT. And it will be the frontend’s task to obtain/maintain a fresh access token.

Though SAML is also possible, you’ll have the task of maintaining users’ sessions, as the SAML authN response is only sent once from Okta, so you’d need to keep session info for your clients, to segregate authenticated ones from non-authN ones.

Thanks @phi1ipp for the answer.

I also understand it is much easier to do with OIDC, but due to some reasons I have to go with SAML here. I am looking for a place to validate the security context of the requests before they reach lambda, redirect any non-authenticated requests to Okta, and, as you have mentioned, a mechanism to keep a session.
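One way to put the session check in front of the lambda, as an added example that is not code from this thread: an API Gateway REQUEST-type Lambda authorizer that looks up a session cookie and returns Allow or Deny. The cookie name `sid`, a SAML ACS endpoint that creates the session after Okta posts the assertion, and the in-memory SESSION_STORE (a stand-in for a real store such as DynamoDB) are all assumptions.

```python
import time
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "sid"  # assumed: set as HttpOnly/Secure by the SAML ACS endpoint

# Constructed sample sessions (session id -> record), standing in for a real
# store such as DynamoDB that the ACS endpoint would populate after SAML login.
SESSION_STORE = {
    "sess-alice-0001": {"subject": "alice@example.com", "expires_at": time.time() + 3600},
    "sess-bob-expired": {"subject": "bob@example.com", "expires_at": time.time() - 60},
}


def session_from_cookie_header(cookie_header):
    """Return the unexpired session record named by the sid cookie, else None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:  # malformed header counts as no session
        return None
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    session = SESSION_STORE.get(morsel.value)
    if session is None or session["expires_at"] <= time.time():
        return None
    return session


def build_policy(principal_id, effect, method_arn):
    """Response shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }


def handler(event, context=None):
    """REQUEST-type authorizer entry point: Allow with a live session, Deny without."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    session = session_from_cookie_header(headers.get("cookie"))
    if session is None:
        # API Gateway turns Deny into a 403; the Angular app then sends the user to the IdP.
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(session["subject"], "Allow", event["methodArn"])
```

The backend lambda never sees unauthenticated calls; the redirect to Okta is the single-page app's job when it receives the 403.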

I’d implement this by having a session cookie