
Interfacing Apigee with external Identity Provider


We have some Spring webservices running on EC2 and an OpenAM instance that is authenticating users against a mainframe for security (authentication & authorization). We have customized our OpenAM installation and implemented our own IdRepo SPI to authenticate against mainframe users during API invocation. Now, we want to put an API GW in front of our EC2 instance (Spring webservices as well as OpenAM) and expose (some of) the Spring webservices as REST APIs. To address security, we need to configure OpenAM as the IdP and the API Gateway as the SP, and configure SAML or OpenID Connect. The problem here is that our REST clients will be browserless, so we are wondering if Apigee supports this. We need a product that has support for SAML ECP or OpenID Connect. We have the constraint that our users and their (authentication & authorization) credentials live on the mainframe and have to be resolved during runtime using our OpenAM's customized IdRepo. We want to use these same user identities coming in from these browserless clients to the API Gateway. Is there a proven design pattern we could apply?


@Mukundha Madhavan & @sarthak, could you please give us tips?
