Tags: asp.net-web-api, simple-web-token

Using WebAPI can I switch a SAML token to SWT?


I am working on an API using ASP.NET WebAPI. Authentication is done by a 3rd party, and we are sent a SAML token that we authenticate (we are provided the certs to check).

However, I don't want to keep validating against the SAML token as it's quite large so I want to issue a Simple Web Token or something similar. All the examples I see on the web have a third party, or some sort of identity server issuing the SWT.

Is there any reason I can't just issue the token myself? I was looking into using wif.swt, or possibly just rolling my own. What do I need to consider to keep the token secure?


Solution

  • This is how I interpreted your proposal... you want the 3rd Party to send you a SAML token, once validated you then want to issue a smaller SWT as a session token that the 3rd party will thereafter use to talk to your service (presumably until some kind of expiration date)?

    My first point is to say to take a look first at the JSON Web Token (JWT); it should be even lighter in size than a SWT and, most importantly, the specification explains explicitly how the token should be secured (HMAC 256 signing or encryption).

    There are many libraries out there that will let you work with these.

    If the approach mentioned at the top was what you were after then there is an example here of taking a SAML token and returning a JWT session using the Thinktecture library.
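The exchange the answer sketches, minting a small HS256-signed JWT session token once the incoming SAML assertion has been validated and then checking only that token on later calls, as an added example that is not part of the original question or answer and not code from the Thinktecture library it links to. It is written in plain Python with only the standard library so the JWT mechanics are visible without any framework; `DEMO_SECRET`, the issuer name `my-webapi`, the subject `user-123` and the fixed clock `t0` are constructed values. The checks in `verify_session_jwt` (pin the algorithm, constant-time signature compare, enforce `exp` and `iss`) are the ones that matter whichever library you end up using in your WebAPI.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In a real service the HMAC key lives in protected
# configuration (e.g. a key vault), is at least 32 random bytes, and is rotated.
DEMO_SECRET = b"constructed-demo-key-replace-with-32-random-bytes"


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips; raises ValueError on bad input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_jwt(subject: str, issuer: str, ttl_seconds: int,
                      secret: bytes, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT. `subject` is the identity your SAML validation
    established; the token carries it so the large SAML assertion does not
    have to be re-validated on every request."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_session_jwt(token: str, issuer: str, secret: bytes,
                       now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is genuine, from us, and not expired;
    otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented_sig = b64url_decode(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm: the verifier decides, never the token (rejects "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, (header_b64 + "." + claims_b64).encode("ascii"),
                            hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the demo is reproducible
    token = issue_session_jwt("user-123", "my-webapi", 3600, DEMO_SECRET, now=t0)
    print(token)
    print(verify_session_jwt(token, "my-webapi", DEMO_SECRET, now=t0 + 60))
    print(verify_session_jwt(token, "my-webapi", DEMO_SECRET, now=t0 + 3600))  # expired
```

The subject placed in the token should come only from the SAML assertion you have already validated against the third party's certificates; after that, every request presents the short token and the service never re-parses SAML. Keep the TTL short, because a stolen HS256 token is usable until `exp` unless you also keep a server-side revocation list.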