Java Spring Security SAML Implementation
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverFlow question, released under the CC BY-SA 4.0 license. If you use it, you must likewise comply with the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/25527932/
Spring Security SAML Implementation
Asked by Suresh J
I am starting with a new Spring project where I am planning to use SSO. I have read the blogs and come to know Spring Security SAML will be the best solution for the SP.
So I have implemented the Spring Security SAML sample application provided by the Spring site https://github.com/SpringSource/spring-security-saml as the SP along with the Shibboleth IDP.
IDP connects with LDAP server. I am able to execute the Spring security sample application.
I am confused how I can use this Spring Security SAML extension along with multiple Spring projects.
Any example link or suggestions on architecting the Spring SAML project integration with multiple Spring MVC applications will be helpful.
Answered by Vladimír Schäfer
Provided your REST APIs are only called by the web application which is deployed together with them (in a single war and therefore sharing the same HTTP session) you can use Spring SAML + Spring Security to secure them.
Spring SAML will be used to authenticate the users against a remote IDP and populate their entitlements (granted authorities); Spring Security can then be used to define security policies for the APIs called from the UI.
In case you want to be able to call the REST APIs from remote clients, you may want to look into the Spring Security OAuth project - as this is no longer about web single sign-on.
It is possible to create a central installation of Spring SAML which handles all SSO logic. Of course you will need to implement a mechanism in which Spring SAML relays information about the authenticated user and her attributes to your other applications, and do so in a secure way. One possible way to approach it (provided the applications are deployed on the same domain and therefore can share cookies) is to:
- after authentication in Spring SAML, set a shared cookie which is visible to all the other applications and which is e.g. signed by Spring SAML's key, or encrypted using a shared key; the cookie should also contain the user's attributes
- this can be done in a custom AuthenticationSuccessHandler which is subsequently expected to redirect the user to the correct application (e.g. based on some custom logic or relay state)
- the target application needs to verify the cookie (by checking the signature or decrypting using a shared key, possibly performing other checks), parse the attributes and start its own session which is pre-authenticated based on the content of the cookie
All of this can be done with implementations of standard interfaces of Spring Security and Spring SAML. But it's not a trivial task - mainly considering that any security vulnerability in your implementation might compromise the security of your applications.
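As an added example (not code from the answer or from the Spring SAML project), one way to implement the signed-cookie handoff described in the answer: the central Spring SAML application's AuthenticationSuccessHandler issues an HMAC-signed, expiring cookie carrying the SAML attributes, and each target application verifies it before starting a pre-authenticated session. The class names, the cookie name, the attribute name and the cookie domain are assumptions chosen for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
/** Added example; class, cookie, attribute and domain names are placeholders. Runs in the central Spring SAML app: after a SAML login, issue a signed, expiring cookie visible to every app on the shared domain. */
public class SsoCookieSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    private final SsoCookieCodec codec;   // built with the same shared key that every target application holds
    public SsoCookieSuccessHandler(SsoCookieCodec codec) { this.codec = codec; }
    @Override public void onAuthenticationSuccess(HttpServletRequest req, HttpServletResponse res, Authentication auth)
            throws IOException, ServletException {
        SAMLCredential cred = (SAMLCredential) auth.getCredentials();   // Spring SAML stores the SAMLCredential here
        String attrs = "email=" + cred.getAttributeAsString("email");   // whichever attributes the IDP releases (name assumed)
        Cookie c = new Cookie("SSO_TOKEN", codec.encode(auth.getName(), attrs));
        c.setDomain(".example.com"); c.setPath("/"); c.setSecure(true); c.setHttpOnly(true);   // shared-domain cookie
        res.addCookie(c);
        super.onAuthenticationSuccess(req, res, auth);   // redirect to the target app (e.g. chosen from relay state)
    }
}
/** Shared by the SSO app and every target. Value = base64url(user|expiry|attrs) + "." + base64url(HMAC-SHA256 over payload). */
class SsoCookieCodec {
    private final byte[] key; private final long ttlMillis;
    SsoCookieCodec(byte[] key, long ttlMillis) { this.key = key.clone(); this.ttlMillis = ttlMillis; }
    String encode(String user, String attrs) {   // user name and attrs are assumed not to contain '|'
        String payload = b64((user + "|" + (System.currentTimeMillis() + ttlMillis) + "|" + attrs).getBytes(StandardCharsets.UTF_8));
        return payload + "." + b64(hmac(payload));
    }
    /** Target app side: returns {user, attrs}, or null when the cookie is malformed, forged or expired. */
    String[] verify(String value) {
        int dot = value.lastIndexOf('.'); if (dot < 0) return null;
        try {
            byte[] sig = Base64.getUrlDecoder().decode(value.substring(dot + 1));
            if (!MessageDigest.isEqual(hmac(value.substring(0, dot)), sig)) return null;   // constant-time comparison
            String[] p = new String(Base64.getUrlDecoder().decode(value.substring(0, dot)), StandardCharsets.UTF_8).split("\\|", 3);
            if (p.length != 3 || Long.parseLong(p[1]) < System.currentTimeMillis()) return null;   // expired or truncated
            return new String[] { p[0], p[2] };
        } catch (IllegalArgumentException e) { return null; }   // bad base64 or non-numeric expiry (NumberFormatException)
    }
    private byte[] hmac(String d) {
        try { Mac m = Mac.getInstance("HmacSHA256"); m.init(new SecretKeySpec(key, "HmacSHA256")); return m.doFinal(d.getBytes(StandardCharsets.UTF_8)); }
        catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
}
```

A target application would call verify from a pre-authentication filter (for instance a subclass of Spring Security's AbstractPreAuthenticatedProcessingFilter) and treat a null result as unauthenticated; the shared key must be distributed to the applications out of band and never put in the cookie.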