The REST API can only be used with local OpenOLAT passwords. But when in a Shibboleth environment, the REST API must also be usable, e.g. for the mobile client. The goal is to implement an infrastructure which can be used to authenticate the REST API via Shibboleth.
One approach could be to use the Shibboleth authentication to generate a temporary OpenOLAT password. This must be cluster save. The shibboleth authentication then returns the temporary password together with the user name which in turn can be used to initiate a standard REST session. The REST auth service might be adapted to accept a temppassword parameter besides the normal password parameter if that simplifies things.