I'm struggling to design a SAML2.0 authentication for a REST API using a gateway. REST is used between my backend and my application. I'm using Java Servlet filter and Spring.

我正在努力使用网关为 REST API 设计 SAML2.0 身份验证。REST 用于我的后端和我的应用程序之间。我正在使用 Java Servlet 过滤器和 Spring。

I see two possibilities:

我看到两种可能性：

1. Adding the SAML tokens into the header each time.

2. Authenticate once with SAML, then using a session or similar (secure conversation) between the client and the gateway.

1. 每次都将 SAML 令牌添加到标头中。

2. 使用 SAML 进行一次身份验证，然后在客户端和网关之间使用会话或类似（安全对话）。

Case 1:It's a good solution because we are still RESTful but:

案例 1：这是一个很好的解决方案，因为我们仍然是 RESTful，但是：

• SAML tokens are quite big. It's may generated problem due to big header size.
• Replaying tokens is not the best way for security concern.

• SAML 令牌相当大。由于大标题大小，它可能会产生问题。
• 重放令牌不是安全问题的最佳方式。

Case 2:It's no more stateless and I have to managed a link with the client. Since I use a gateway, the underlying services can still be RESTful.

案例 2：它不再是无状态的，我必须管理与客户端的链接。由于我使用网关，底层服务仍然可以是 RESTful。

Case 2 looks for the better choice despite the fact that it does not follow the rest constraints.

案例 2 寻找更好的选择，尽管它不遵循其余约束。

Is someone had already to do it and give me some pointers (for design or implementation)?

是否有人已经这样做并给我一些指示（用于设计或实现）？

Is there a better way to do it with SAML?

有没有更好的方法用 SAML 做到这一点？

Any help or advice are welcome.

欢迎任何帮助或建议。