SAML 2.0 Bearer Assertion Grant - SSO

https://tools.ietf.org/html/rfc7522#section-2.1
In order to use the SAML 2.0 Bearer Assertion Grant for obtaining access tokens, the following needs to be done:

  1. Create a new SAML Authentication Method in SSO (for example saml.1)
  2. Create an IDP Metadata for the client which is going to use SAML 2.0 Bearer Assertion Grant and register the metadata in saml.1
    • Essentially the IDP Metadata contains the RSA public key which SSO can use to validate the signature of the Assertion
  3. Add saml.1 as an allowed method in the Methods tab of the OAuth2 agent
  4. Add the grant type in the list of allowed grant type in the client metadata of your OAuth2 Application
    • "grant_types":["urn:ietf:params:oauth:grant-type:saml2-bearer"]

Token Request

POST /uas/oauth2/token

Required parameters

  • grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer

Not allowed by default. Add it to the grant_types list in the SSO Application client metadata.

  • scope = openid <resource id …>

The value "openid" and one or more OAuth Client Identifiers of resource servers. See chapter Registration Response in Client registration and activation - SSO.

  • client_id & client_secret

OAuth Client Identifier and Secret of the native application

  • assertion

Base64url encoded SAML 2.0 assertion


Sample token request
POST https://sso.example.com/uas/oauth2/token
Authorization: Basic MTc2MjQxNDM3NDoqKio=
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&scope=openid&assertion=PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfMTc3YmIxMjI2MTU5YzE1YzdmNzQxOTdjODFjY2Q1M2M3ZDYyNTQ0MyIgSXNzdWVJbnN0YW50PSIyMDE2LTA1LTI1VDE4OjU1OjM3LjAzN1oiIFZlcnNpb249IjIuMCI-PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij51cm46dXVpZDo1Mjc5MTNiYi04ZGYwLTMyMDktOGYxOS1lZTE1NDFhYTdiM2I8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD4KPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPgo8ZHM6UmVmZXJlbmNlIFVSST0iI18xNzdiYjEyMjYxNTljMTVjN2Y3NDE5N2M4MWNjZDUzYzdkNjI1NDQzIj4KPGRzOlRyYW5zZm9ybXM-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI-PC9kczpUcmFuc2Zvcm0-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPgo8L2RzOlRyYW5zZm9ybXM-CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiPjwvZHM6RGlnZXN0TWV0aG9kPgo8ZHM6RGlnZXN0VmFsdWU-ZFhoYktQbTd6RXMxNjFEZUFMMnJDWDBLMHhacGIrcCtKTjJYcEJuOGcxST08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU-ClV2NXE2Ri9XQ3JBaDVHRWg5dGxvRGdTMWJnN282OGw0Z3BZYkgrajVhYlRqV1N4aThaOWVMUHZZVHVJY0dMRTg2Tlp3RHVBbm5CeWEKK29zUXBqVys4ejlPaWVKd0YrTUpTQ0t1UFhXQW94bG0vdDNJMnlaK0ErMW9HS3BWWnlxa3pxNGowMjBLM0JsdjIwaDJZV0NuajZhNApUMzVsNDcvREVaUVE2RUtsOVRnPQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRD5zdWJqZWN0MTwvc2FtbDpOYW1lSUQ-PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3JldHVybi9zYW1sLnRlc3RhcC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2UiPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3NhbWwyL25hbWVzL2FjL3NhbWwudGVzdGFwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNi0wNS0yNVQxODo1NTozNy4wMzdaIj48c2FtbDpBdXRobkNvbnRleHQ-PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6dW5zcGVjaWZpZWQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ-PC9zYW1sOkFzc2VydGlvbj4K

Token Response

See Access Token Response on page Authorization code grant and web single sign-on - SSO