SAML 2.0 Bearer Assertion Grant - SSO
https://tools.ietf.org/html/rfc7522#section-2.1
In order to use SAML 2.0 Bearer Assertion Grant for obtaining access tokens, following need to be done:
- Create a new SAML Authentication Method in SSO (for example saml.1)
- Create an IDP Metadata for the client which is going to use SAML 2.0 Bearer Assertion Grant and register the metadata in saml.1
- Essentially the IDP Metadata contains the RSA public key which SSO can use to validate the signature of the Assertion
- Add saml.1 as an allowed method in the Methods –tab of the OAuth2 agent
- Add the grant type in the list of allowed grant type in the client metadata of your OAuth2 Application
"grant_types":["urn:ietf:params:oauth:grant-type:saml2-bearer"]
Token Request
POST /uas/oauth2/token
Required parameters
- grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer
Not allowed by default. Add to grant_types data into SSO Application client metadata.
- scope = openid <resource id …>
The value "openid" and one or more OAuth Client Identifiers of resource servers. See chapter Registeration Response in Client registration and activation - SSO.
- client_id & client_secret
OAuth Client Identifier and Secret of the native application
- assertion
Base64url encoded SAML 2.0 assertion
Sample token request
POST https://sso.example.com/uas/oauth2/tokenAuthorization: Basic MTc2MjQxNDM3NDoqKio= Content-Type: application/x-www-form-urlencoded grant_type= urn:ietf:params:oauth:grant-type:saml2-bearer &scope=1762414374&assertion= PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfMTc3YmIxMjI2MTU5YzE1YzdmNzQxOTdjODFjY2Q1M2M3ZDYyNTQ0MyIgSXNzdWVJbnN0YW50PSIyMDE2LTA1LTI1VDE4OjU1OjM3LjAzN1oiIFZlcnNpb249IjIuMCI-PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij51cm46dXVpZDo1Mjc5MTNiYi04ZGYwLTMyMDktOGYxOS1lZTE1NDFhYTdiM2I8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD4KPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPgo8ZHM6UmVmZXJlbmNlIFVSST0iI18xNzdiYjEyMjYxNTljMTVjN2Y3NDE5N2M4MWNjZDUzYzdkNjI1NDQzIj4KPGRzOlRyYW5zZm9ybXM-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI-PC9kczpUcmFuc2Zvcm0-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPgo8L2RzOlRyYW5zZm9ybXM-CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiPjwvZHM6RGlnZXN0TWV0aG9kPgo8ZHM6RGlnZXN0VmFsdWU-ZFhoYktQbTd6RXMxNjFEZUFMMnJDWDBLMHhacGIrcCtKTjJYcEJuOGcxST08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU-ClV2NXE2Ri9XQ3JBaDVHRWg5dGxvRGdTMWJnN282OGw0Z3BZYkgrajVhYlRqV1N4aThaOWVMUHZZVHVJY0dMRTg2Tlp3RHVBbm5CeWEKK29zUXBqVys4ejlPaWVKd0YrTUpTQ0t1UFhXQW94bG0vdDNJMnlaK0ErMW9HS3BWWnlxa3pxNGowMjBLM0JsdjIwaDJZV0NuajZhNApUMzVsNDcvREVaUVE2RUtsOVRnPQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRD5zdWJqZWN0MTwvc2FtbDpOYW1lSUQ-PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3JldHVybi9zYW1sLnRlc3RhcC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2UiPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3NhbWwyL25hbWVzL2FjL3NhbWwudGVzdGFwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNi0wNS0yNVQxODo1NTozNy4wMzdaIj48c2FtbDpBdXRobkNvbnRleHQ-PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6dW5zcGVjaWZpZWQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ-PC9zYW1sOkFzc2VydGlvbj4K
Token Response
See Access Token Response on page Authorization code grant and web single sign-on - SSO