Using the API with Federated Sign-in Module
To use the PAM APIs with the Federated Sign-in Module enabled, follow the procedure described in the Secure Authentication / Federated Authentication using this API guide.
The script example there contains a cas_auth function: both the function itself and an example of its use.
For token-based authentication in scripts (that is, without a user name and password), look for the token_auth function on the same page.
In short, the flow is that the script takes a user/password pair or a token and exchanges it in the Federated Sign-in Module for a ticket-granting ticket (TGT), which is returned in the Location header.
It then posts to this location, exchanging the ticket-granting ticket for a service ticket (ST).
Finally, it uses PAM to exchange the service ticket for a cookie (JSESSION) that it can use for all subsequent REST API calls.
Tickets are short-lived, whereas cookies are not. This is standard practice for headless federated sign-in and is outlined in the cas_auth/token_auth examples.
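The three exchanges described above, as an added Python sketch that is not the guide's cas_auth script. The URLs, the form field names, the `ST-` ticket prefix and the `JSESSIONID` cookie name are assumptions that follow the usual CAS REST convention; replace them with the values from the guide.

```python
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

# Assumed placeholders: none of these URLs or names come from the product guide.
CAS_TICKETS = "https://pam.example.test/cas/v1/tickets"
PAM_SERVICE = "https://pam.example.test/pam/"
SESSION_COOKIE = "JSESSIONID"  # assumed name of the cookie the page calls JSESSION

def http_send(method, url, form=None):
    """Real transport: returns (status, [(header, value), ...], body)."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, list(resp.headers.items()), resp.read().decode()

def fake_send(method, url, form=None):
    """Constructed replies so the flow can be exercised offline."""
    if url == CAS_TICKETS:
        return 201, [("Location", CAS_TICKETS + "/TGT-1-constructed")], ""
    if url.startswith(CAS_TICKETS + "/"):
        return 200, [], "ST-1-constructed\n"
    return 200, [("Set-Cookie", SESSION_COOKIE + "=constructed123; Path=/; HttpOnly")], ""

def header(headers, name):
    return [v for k, v in headers if k.lower() == name.lower()]

def federated_login(creds, send=http_send):
    """Exchange a credential form for a TGT, then an ST, then the PAM session cookie."""
    status, headers, _ = send("POST", CAS_TICKETS, creds)
    tgt = header(headers, "Location")
    if status != 201 or not tgt:
        raise PermissionError("sign-in module did not issue a TGT")
    # The TGT URL is server-supplied: only post to it if it stays under the ticket endpoint.
    if not tgt[0].startswith(CAS_TICKETS + "/"):
        raise ValueError("TGT location is outside the sign-in module")
    status, _, body = send("POST", tgt[0], {"service": PAM_SERVICE})
    st = body.strip()
    if status != 200 or not st.startswith("ST-"):
        raise PermissionError("no service ticket issued")
    status, headers, _ = send("GET", PAM_SERVICE + "?" + urllib.parse.urlencode({"ticket": st}))
    for raw in header(headers, "Set-Cookie"):
        jar = SimpleCookie(raw)
        if SESSION_COOKIE in jar:
            return jar[SESSION_COOKIE].value
    raise PermissionError("PAM did not set a session cookie")

if __name__ == "__main__":
    print(federated_login({"username": "demo", "password": "constructed"}, fake_send))
```

urllib follows redirects without keeping cookies, so if the PAM answers the ticket request with a redirect, swap in a transport that retains cookies across it.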