Hi everyone. This is my plan for making a secure SAML login for the web service I’m building. If you see any red flags, please point them out:

• enforce https
• have the user go through the regular SAML authentication flow
• upon successful authentication, generate a session token and store it as a cookie (using ring session)
• check for a valid session cookie for every request to any endpoints requiring authentication. If n/a, send a forbidden response.
• give every session token a relatively short time to live
Does this sound ok?
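An added example, not from the original poster, showing how the plan's last three steps look as Ring (Clojure) middleware: the session is created only after the SAML assertion has been accepted, the cookie is sent with `Secure`/`HttpOnly` attributes, every protected request is checked for an identity and a time-to-live, and a failed check answers 403 and discards the stale session. `saml-assertion-valid?`, `protected-handler` and the 15-minute TTL are placeholders assumed for the example; validating the SAML response itself is left to whatever SAML library is in use.

```clojure
;; Added example, not the poster's code. Assumes Ring 1.x (ring-core).
;; Hypothetical pieces: saml-assertion-valid?, protected-handler, session-ttl-ms.
(ns example.auth
  (:require [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.memory :refer [memory-store]]))

;; "Relatively short time to live": 15 minutes (constructed value).
(def session-ttl-ms (* 15 60 1000))

(defn- expired?
  "True when the session has no issue time or is older than the TTL.
   The memory store never expires entries by itself, so this check matters."
  [session now-ms]
  (let [issued (:issued-at session)]
    (or (nil? issued) (> (- now-ms issued) session-ttl-ms))))

(def forbidden
  {:status 403
   :headers {"Content-Type" "text/plain"}
   :body "forbidden"
   ;; :session nil tells wrap-session to delete the server-side session,
   ;; so a stale or unknown cookie does not linger.
   :session nil})

(defn wrap-require-auth
  "Step 4 of the plan: reject any request without a valid, unexpired session."
  [handler]
  (fn [request]
    (let [session (:session request)
          now-ms  (System/currentTimeMillis)]
      (if (and (:user-id session) (not (expired? session now-ms)))
        (handler request)
        forbidden))))

(defn saml-assertion-valid?
  "Placeholder for the SAML library's assertion validation (signature,
   audience, NotOnOrAfter, InResponseTo). Returns the authenticated user id
   or nil. Not a real implementation."
  [request]
  nil)

(defn saml-acs-handler
  "Step 3 of the plan: the Assertion Consumer Service endpoint the IdP posts to."
  [request]
  (if-let [user-id (saml-assertion-valid? request)]
    {:status 302
     :headers {"Location" "/app/"}
     :body ""
     ;; :recreate metadata makes wrap-session issue a brand-new session key
     ;; instead of reusing one that existed before login (session fixation).
     :session (with-meta {:user-id   user-id
                          :issued-at (System/currentTimeMillis)}
                {:recreate true})}
    forbidden))

(defn protected-handler
  "Placeholder for the application's authenticated endpoints."
  [request]
  {:status 200
   :headers {"Content-Type" "text/plain"}
   :body (str "hello, user " (get-in request [:session :user-id]))})

(defn routes [request]
  (let [uri (:uri request)]
    (cond
      (= uri "/saml/acs")                ((wrap-require-auth identity) request) ; never reached; see below
      :else                              {:status 404 :headers {} :body "not found"})))

;; Only endpoints under /app/ require a session; the ACS endpoint must stay
;; reachable without one, otherwise nobody could ever log in.
(defn app-routes [request]
  (let [uri (:uri request)]
    (cond
      (= uri "/saml/acs")                    (saml-acs-handler request)
      (.startsWith ^String uri "/app/")     ((wrap-require-auth protected-handler) request)
      :else                                  {:status 404 :headers {} :body "not found"})))

(def app
  (wrap-session app-routes
                {:store        (memory-store)
                 :cookie-name  "session"
                 ;; Secure + HttpOnly keep the cookie off plain http and out of
                 ;; reach of page scripts. SameSite=Lax rather than Strict:
                 ;; the IdP delivers the SAML response cross-site, and Strict
                 ;; would withhold the fresh cookie on the redirect that follows.
                 :cookie-attrs {:secure    true
                                :http-only true
                                :same-site :lax
                                :max-age   (quot session-ttl-ms 1000)}}))
```

The `routes` function above is dead code left from sketching and should be deleted; `app-routes` is the one `app` uses. Two points the example makes that the plan's wording leaves implicit: the session must be minted with `:recreate` after the assertion is accepted rather than upgrading a pre-login session, and the TTL has to be enforced on the server (here in `expired?`), since `:max-age` on the cookie only asks the browser politely.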