SAML2 With Stateless JWT

snacker · August 19, 2020, 1:42am

We have a React application that uses a java RESTful service.
Currently it passes user/pass to the rest service to login and the RESTful service creates the JWT headers for subsequent requests.
We need to change the application to use SAML2.
When the React application sends a request to the java RESTful service it correctly fails and redirects to the okta login page.
Once the user authenticates with the SAML2 okta page, it correctly redirects to the React url.
However, once the React url is accessed, the session keeps getting redirected back to saml urls which I’m assuming is due to the host/port being different.

In addition, the implementation of the okta spring java libraries use the session to store the authentication details, but we need to use JWT for stateless sessions across cloud servers.

Is there any way convert this to jwt with the okta java spring libraries instead of using the session?

mraible · August 19, 2020, 1:44am

Why do you need to use SAML over OIDC?

snacker · August 19, 2020, 6:58am

It is a client requirement to use SAML.

S3b · August 19, 2020, 3:01pm

Hi @mraible,

We are adding Okta support with SAML 2.0 as a business requirement driven by one of our customers which uses Okta with SAML 2.0 for other web apps they have.
We have a React SPA with a Springboot SP which currently acts as IdP authenticating users against a backend. Once user is authenticated, we use JWT (JWS) when calling the SP protected REST API endpoints. We would like to use same pattern if possible with Okta/SAML 2.0 not only for consistency, but also because we want to remain stateless in our communication with the middleware which is a cluster of servers behind a load balancer.
Thank you for your help,
Seb