java - SSO and SAML - Multiple Service Providers

I have 2 Spring Boot applications secured with the Spring Security SAML extension. Both applications are running: the first one (web-ui-app) is a user interface, the second one (services-app) is a REST API.

After accessing web-ui-app and being correctly authenticated by the identity provider, I try to access services-app's methods.

However, instead of receiving the correct response from services-app, a JSON response, I receive this:

    <?xml version="1.0" encoding="utf-8"?>
    <!doctype html public "-//w3c//dtd xhtml 1.1//en" "http://www.w3.org/tr/xhtml11/dtd/xhtml11.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
      <body onload="document.forms[0].submit()">
        <noscript>
          <p>
            <strong>note:</strong> since your browser does not support javascript, you must press the continue button once to proceed.
          </p>
        </noscript>
        <form action="https://serviceprovider.com/saml/slo/browser" method="post">
          <div>
            <input type="hidden" name="relaystate" value="0043bfc1bc45110dae17004005b13a2b"/>
            <input type="hidden" name="samlrequest" value="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"/>
          </div>
          <noscript>
            <div>
              <input type="submit" value="continue"/>
            </div>
          </noscript>
        </form>
      </body>
    </html>

This is an SSO conversation. Isn't it supposed to be a transparent key exchange between services-app and the service provider, since I'm logged in to web-ui-app?

What is missing?

SAML can be used to secure a single application with a REST API; however, having a separate front end and back end that don't share an application or session context will not work. For instance, if you have a single application with the front end packaged in it, and configure a single service provider, the session will be valid for the back end API requests.

That being said, if you keep the front end configured as the service provider, you can use stateless token-based security for the REST API, as you've mentioned. This architecture is preferred because it is better than sessions. A request should be able to go to any instance of the REST API and be handled, and you can add or remove instances of the API to scale the application as needed.

JSON Web Tokens (JWT) are an option that allows you to store information about the user in custom claims within the token. If all instances of the REST API sign tokens with the same shared secret, a request can go to any instance, and that instance will be able to decode the token and the claim information (such as the user id) without having to store it in an in-memory cache or database.
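The stateless design the answer describes, as an added example that is not part of the original question or answer and is independent of Spring: several REST API instances share one HMAC secret, so any of them can verify a bearer token and read the user id from its claims without a shared session store. The code uses only the Python standard library (HS256 JWT signing and verification by hand rather than a JWT library); the secret, user ids, instance names and the `ApiInstance` class are constructed for the illustration. Verification pins the expected algorithm, compares signatures in constant time and rejects expired tokens, which are the checks that matter when the secret is the only thing standing between an attacker-chosen token and your API.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample secret shared by every API instance (not a real key).
SHARED_SECRET = b"constructed-demo-secret-replace-me"


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, secret: bytes, ttl_seconds: int = 3600,
                now: Optional[int] = None) -> str:
    """Build an HS256 JWT whose custom claims carry the user identity."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds, "roles": ["user"]}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims of a valid token; raise TokenError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose (rejects "none" and key confusion).
        if header.get("alg") != "HS256":
            raise TokenError("unexpected alg")
        expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise TokenError("bad signature")
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise TokenError("undecodable token") from exc
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("token expired")
    return claims


class ApiInstance:
    """One REST API replica; holds the shared secret and nothing per-user."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def handle_request(self, bearer_token: str, now: Optional[int] = None) -> dict:
        try:
            claims = verify_token(bearer_token, self.secret, now)
            return {"status": 200, "instance": self.name, "user": claims["sub"]}
        except TokenError as exc:
            return {"status": 401, "instance": self.name, "error": str(exc)}


def demo() -> dict:
    """Issue one token, then send it to two replicas and one instance with the wrong secret."""
    token = issue_token("alice", SHARED_SECRET)
    api_a = ApiInstance("api-1", SHARED_SECRET)
    api_b = ApiInstance("api-2", SHARED_SECRET)
    rogue = ApiInstance("api-other-env", b"different-secret")
    return {"a": api_a.handle_request(token),
            "b": api_b.handle_request(token),
            "rogue": rogue.handle_request(token)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Both replicas answer 200 with `user: alice` from the token alone, while the instance holding a different secret answers 401; rotating the secret therefore has to happen on every instance at once, which is the operational cost of this design.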
