https://tools.ietf.org/html/rfc7522#section-2.1
In order to use SAML 2.0 Bearer Assertion Grant for obtaining access tokens, following need to be done:

Create a new SAML Authentication Method in SSO (for example saml.1)
Create an IDP Metadata for the client which is going to use SAML 2.0 Bearer Assertion Grant and register the metadata in saml.1
- Essentially the IDP Metadata contains the RSA public key which SSO can use to validate the signature of the Assertion
Add saml.1 as an allowed method in the Methods –tab of the OAuth2 agent
Add the grant type in the list of allowed grant type in the client metadata of your OAuth2 Application
- "grant_types":["urn:ietf:params:oauth:grant-type:saml2-bearer"]

Token Request

POST /uas/oauth2/token

Required parameters

grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer

Not allowed by default. Add to grant_types data into SSO Application client metadata.

scope = openid <resource id …>

The value "openid" and one or more OAuth Client Identifiers of resource servers. See chapter Registeration Response in Client registration and activation - SSO.

client_id & client_secret

OAuth Client Identifier and Secret of the native application

assertion

Base64url encoded SAML 2.0 assertion

Sample token request

POST https://sso.example.com/uas/oauth2/token
Authorization: Basic MTc2MjQxNDM3NDoqKio= 
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&scope=openid&assertion=PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfMTc3YmIxMjI2MTU5YzE1YzdmNzQxOTdjODFjY2Q1M2M3ZDYyNTQ0MyIgSXNzdWVJbnN0YW50PSIyMDE2LTA1LTI1VDE4OjU1OjM3LjAzN1oiIFZlcnNpb249IjIuMCI-PHNhbWw6SXNzdWVyIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6ZW50aXR5Ij51cm46dXVpZDo1Mjc5MTNiYi04ZGYwLTMyMDktOGYxOS1lZTE1NDFhYTdiM2I8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZD4KPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiPjwvZHM6U2lnbmF0dXJlTWV0aG9kPgo8ZHM6UmVmZXJlbmNlIFVSST0iI18xNzdiYjEyMjYxNTljMTVjN2Y3NDE5N2M4MWNjZDUzYzdkNjI1NDQzIj4KPGRzOlRyYW5zZm9ybXM-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSI-PC9kczpUcmFuc2Zvcm0-CjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjwvZHM6VHJhbnNmb3JtPgo8L2RzOlRyYW5zZm9ybXM-CjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiPjwvZHM6RGlnZXN0TWV0aG9kPgo8ZHM6RGlnZXN0VmFsdWU-ZFhoYktQbTd6RXMxNjFEZUFMMnJDWDBLMHhacGIrcCtKTjJYcEJuOGcxST08L2RzOkRpZ2VzdFZhbHVlPgo8L2RzOlJlZmVyZW5jZT4KPC9kczpTaWduZWRJbmZvPgo8ZHM6U2lnbmF0dXJlVmFsdWU-ClV2NXE2Ri9XQ3JBaDVHRWg5dGxvRGdTMWJnN282OGw0Z3BZYkgrajVhYlRqV1N4aThaOWVMUHZZVHVJY0dMRTg2Tlp3RHVBbm5CeWEKK29zUXBqVys4ejlPaWVKd0YrTUpTQ0t1UFhXQW94bG0vdDNJMnlaK0ErMW9HS3BWWnlxa3pxNGowMjBLM0JsdjIwaDJZV0NuajZhNApUMzVsNDcvREVaUVE2RUtsOVRnPQo8L2RzOlNpZ25hdHVyZVZhbHVlPgo8L2RzOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRD5zdWJqZWN0MTwvc2FtbDpOYW1lSUQ-PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIiBSZWNpcGllbnQ9Imh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3JldHVybi9zYW1sLnRlc3RhcC9Bc3NlcnRpb25Db25zdW1lclNlcnZpY2UiPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YT48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdE9uT3JBZnRlcj0iMjAxNi0wNS0yNVQxOTowNTozNy4wMzdaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPmh0dHBzOi8vc3NvLmV4YW1wbGUuY29tOjg0NDMvdWFzL3NhbWwyL25hbWVzL2FjL3NhbWwudGVzdGFwPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNi0wNS0yNVQxODo1NTozNy4wMzdaIj48c2FtbDpBdXRobkNvbnRleHQ-PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6dW5zcGVjaWZpZWQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY-PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ-PC9zYW1sOkFzc2VydGlvbj4K

Token Response

See Access Token Response on page Authorization code grant and web single sign-on - SSO

Browser not supported