
https://tools.ietf.org/html/rfc7522#section-2.1
To use the SAML 2.0 Bearer Assertion Grant for obtaining access tokens, the following steps are needed:

  1. Create a new SAML Authentication Method in SSO (for example saml.1)
  2. Create IDP Metadata for the client that is going to use the SAML 2.0 Bearer Assertion Grant and register the metadata in saml.1
    • Essentially, the IDP Metadata contains the RSA public key that SSO uses to validate the signature of the Assertion
  3. Add saml.1 as an allowed method in the Methods tab of the OAuth2 agent
  4. Add the grant type to the list of allowed grant types in the client metadata of your OAuth2 Agent
    • "grant_types":["urn:ietf:params:oauth:grant-type:saml2-bearer"]

Token Request

POST /uas/oauth2/token

Required parameters

  • grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer

Not allowed by default. Add it to grant_types in the SSO Agent client metadata.

  • scope = openid <resource id …>

The value "openid" and one or more OAuth Client Identifiers of resource servers. See Registration Response.

  • client_id & client_secret

OAuth Client Identifier and Secret of the native application

  • assertion

Base64url encoded SAML 2.0 assertion


Sample token request
POST https://sso.example.com/uas/oauth2/token
Authorization: Basic MTc2MjQxNDM3NDoqKio=
Content-Type: application/x-www-form-urlencoded
grant_type= urn:ietf:params:oauth:grant-type:saml2-bearer &scope=1762414374&assertion= PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfMTc3YmIxMjI2MTU5YzE1YzdmNzQxOTdjODFjY2Q1M2M3ZDYyNTQ0MyIgSXNzdWVJbnN0YW50PSIyMDE2LTA1LTI1VDE4OjU1OjM3LjAzN1oiIFZlcnNpb249IjIuMCI-PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij51cm46dXVpZDo1Mjc5MTNiYi04ZGYwLTMyMDktOGYxOS1lZTE1NDFhYTdiM2I8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD4KPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPgo8ZHM6UmVmZXJlbmNlIFVSST0iI18xNzdiYjEyMjYxNTljMTVjN2Y3NDE5N2M4MWNjZDUzYzdkNjI1NDQzIj4KPGRzOlRyYW5zZm9ybXM-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI-PC9kczpUcmFuc2Zvcm0-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPgo8L2RzOlRyYW5zZm9ybXM-CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiPjwvZHM6RGlnZXN0TWV0aG9kPgo8ZHM6RGlnZXN0VmFsdWU-ZFhoYktQbTd6RXMxNjFEZUFMMnJDWDBLMHhacGIrcCtKTjJYcEJuOGcxST08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU-ClV2NXE2Ri9XQ3JBaDVHRWg5dGxvRGdTMWJnN282OGw0Z3BZYkgrajVhYlRqV1N4aThaOWVMUHZZVHVJY0dMRTg2Tlp3RHVBbm5CeWEKK29zUXBqVys4ejlPaWVKd0YrTUpTQ0t1UFhXQW94bG0vdDNJMnlaK0ErMW9HS3BWWnlxa3pxNGowMjBLM0JsdjIwaDJZV0NuajZhNApUMzVsNDcvREVaUVE2RUtsOVRnPQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRD5zdWJqZWN0MTwvc2FtbDpOYW1lSUQ-PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtY
XRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3JldHVybi9zYW1sLnRlc3RhcC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2UiPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3NhbWwyL25hbWVzL2FjL3NhbWwudGVzdGFwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNi0wNS0yNVQxODo1NTozNy4wMzdaIj48c2FtbDpBdXRobkNvbnRleHQ-PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6dW5zcGVjaWZpZWQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ-PC9zYW1sOkFzc2VydGlvbj4K
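
As an added example (not from the original page or the SSO product), the Python code below builds the form body of the token request described above and runs a client-side pre-flight on it for a subset of the RFC 7522 section 3 requirements: the exact grant_type value, a bearer SubjectConfirmation, the expected Audience and an unexpired NotOnOrAfter. The sample assertion, its issuer and the audience value https://sso.example.com/uas are constructed assumptions, and the function names are hypothetical.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime

GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed, unsigned sample; a real assertion also carries a ds:Signature.
SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed" IssueInstant="2030-01-01T00:00:00Z" Version="2.0">'
    '<saml:Issuer>urn:example:client-idp</saml:Issuer><saml:Subject>'
    '<saml:NameID>subject1</saml:NameID>'
    '<saml:SubjectConfirmation Method="' + BEARER + '"/></saml:Subject>'
    '<saml:Conditions NotOnOrAfter="2030-01-01T00:10:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://sso.example.com/uas'
    '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion>')

def build_body(assertion_xml, scope):
    """Form-encode the token request; the assertion is base64url encoded."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode()
    return urllib.parse.urlencode(
        {"grant_type": GRANT, "scope": scope, "assertion": b64})

def preflight(body, audience, now):
    """Name the checks a body fails (now: timezone-aware). Client-side check
    of an assertion you produced yourself: the signature is NOT verified."""
    form = urllib.parse.parse_qs(body, keep_blank_values=True)
    problems = [] if form.get("grant_type") == [GRANT] else ["grant_type"]
    raw = form.get("assertion", [""])[0]
    try:
        xml = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
        root = ET.fromstring(xml)
    except (ValueError, ET.ParseError):
        return problems + ["assertion"]
    confirmations = root.iterfind("saml:Subject/saml:SubjectConfirmation", NS)
    if BEARER not in [c.get("Method") for c in confirmations]:
        problems.append("bearer")
    found = root.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience not in [a.text for a in found]:
        problems.append("audience")  # expected value is deployment specific
    cond = root.find("saml:Conditions", NS)
    expiry = cond.get("NotOnOrAfter", "") if cond is not None else ""
    limit = expiry.replace("Z", "+00:00")
    if not limit or now >= datetime.fromisoformat(limit):
        problems.append("expired")
    return problems
```

Because the grant_type comparison is exact, a parameter value with leading or trailing whitespace is reported as a grant_type problem before the request is sent.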


Token Response

See Access Token Response on page Authorization code grant and web single sign-on.
