Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version 2

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

https://tools.ietf.org/html/rfc7522#section-2.1
In order to use SAML 2.0 Bearer Assertion Grant for obtaining access tokens, following need to be done:

  1. Create a new SAML Authentication Method in SSO (for example saml.1)
  2. Create an IDP Metadata for the client which is going to use SAML 2.0 Bearer Assertion Grant and register the metadata in saml.1
    • Essentially the IDP Metadata contains the RSA public key which SSO can use to validate the signature of the Assertion
  3. Add saml.1 as an allowed method in the Methods –tab of the OAuth2 agent
  4. Add the grant type in the list of allowed grant type in the client metadata of your OAuth2 Agent


    • Wiki Markup
      "grant_types":\["urn:ietf:params:oauth:grant-type:saml2-bearer"\]


Anchor
_Toc452021358
_Toc452021358
Token Request

Anchor
_Toc452021359
_Toc452021359
POST /uas/oauth2/token

Required parameters

  • grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer

Not allowed by default. Add to grant_types data into SSO Agent client metadata.

  • scope = openid <resource id …>

The value "openid" and one or more OAuth Client Identifiers of resource servers. See Registeration Response

  • client_id & client_secret

OAuth Client Identifier and Secret of the native application

  • assertion

Base64url encoded SAML 2.0 assertion


Code Block
languagexml
themeRDark
titleSample token request
POST https://sso.example.com/uas/oauth2/tokenAuthorization: Basic MTc2MjQxNDM3NDoqKio= Content-Type: application/x-www-form-urlencoded
grant_type= urn:ietf:params:oauth:grant-type:saml2-bearer &scope=1762414374&assertion= PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfMTc3YmIxMjI2MTU5YzE1YzdmNzQxOTdjODFjY2Q1M2M3ZDYyNTQ0MyIgSXNzdWVJbnN0YW50PSIyMDE2LTA1LTI1VDE4OjU1OjM3LjAzN1oiIFZlcnNpb249IjIuMCI-PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij51cm46dXVpZDo1Mjc5MTNiYi04ZGYwLTMyMDktOGYxOS1lZTE1NDFhYTdiM2I8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD4KPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPgo8ZHM6UmVmZXJlbmNlIFVSST0iI18xNzdiYjEyMjYxNTljMTVjN2Y3NDE5N2M4MWNjZDUzYzdkNjI1NDQzIj4KPGRzOlRyYW5zZm9ybXM-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI-PC9kczpUcmFuc2Zvcm0-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPgo8L2RzOlRyYW5zZm9ybXM-CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiPjwvZHM6RGlnZXN0TWV0aG9kPgo8ZHM6RGlnZXN0VmFsdWU-ZFhoYktQbTd6RXMxNjFEZUFMMnJDWDBLMHhacGIrcCtKTjJYcEJuOGcxST08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU-ClV2NXE2Ri9XQ3JBaDVHRWg5dGxvRGdTMWJnN282OGw0Z3BZYkgrajVhYlRqV1N4aThaOWVMUHZZVHVJY0dMRTg2Tlp3RHVBbm5CeWEKK29zUXBqVys4ejlPaWVKd0YrTUpTQ0t1UFhXQW94bG0vdDNJMnlaK0ErMW9HS3BWWnlxa3pxNGowMjBLM0JsdjIwaDJZV0NuajZhNApUMzVsNDcvREVaUVE2RUtsOVRnPQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRD5zdWJqZWN0MTwvc2FtbDpOYW1lSUQ-PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3JldHVybi9zYW1sLnRlc3RhcC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2UiPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3NhbWwyL25hbWVzL2FjL3NhbWwudGVzdGFwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNi0wNS0yNVQxODo1NTozNy4wMzdaIj48c2FtbDpBdXRobkNvbnRleHQ-PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6dW5zcGVjaWZpZWQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ-PC9zYW1sOkFzc2VydGlvbj4K


Anchor
_Toc452021360
_Toc452021360
Token Response

See Access Token Response on page Authorization code grant and web single sign-on.