Access Manager 4.4 implements RFC 7521 (the OAuth 2.0 assertion framework) and RFC 7522 (its SAML 2.0 profile) to support the SAML 2 bearer assertion as an authorization grant. A client can present a SAML 2 assertion to the token endpoint; Access Manager validates the assertion and issues an access token, which can then be used to access OAuth-protected resources.
For more information, see Exchanging SAML 2 Assertions with Access Token
Consider a scenario where a user needs to access an OAuth-protected resource and has already been authenticated with a SAML assertion. Without this grant, the user would have to authenticate a second time and give consent. To avoid that second login and consent prompt, the application can use Access Manager to exchange the SAML 2 assertion for an access token.
To accept assertions as authorization grants, Access Manager must trust the identity provider that issues them; this is done by configuring the assertion issuer's information in Access Manager.
I have already explained how to configure a third-party Identity Provider using SAML 2 and integrate it with the NAM IDP. Please click here to configure an Identity Provider.
For this example, I have configured ForgeRock as the Identity Provider.
There are a couple of ways to capture the SAML assertion: Fiddler, the SAML Tracer add-on for Firefox, or the SAML Chrome Panel extension for Chrome. I have used SAML Chrome Panel to capture the SAML assertion for this example.
I accessed the ForgeRock IDP-initiated URL, logged in with valid credentials and captured the SAML assertion. If you are using SAML Chrome Panel, make sure you click the “SAML format” button; this removes the pretty-print formatting from the XML. The assertion has to be submitted exactly as the IdP issued it: NAM verifies the issuer's XML signature over it, and XML that has been re-indented or re-wrapped no longer matches the signed bytes, so the exchange fails.
The NAM IDP expects the SAML assertion to be base64url-encoded (RFC 7522 section 2.1: RFC 4648 base64url, without line wrapping and without “=” padding) and sent as the assertion parameter of a form-encoded POST to the token endpoint. The exact steps depend on the tool you use.
If you are using a browser to POST the SAML assertion to the NAM token endpoint, download the SAMLToken.html, double-click it to open it in a browser, fill in the form and click Submit. You will get the bearer token. The form fields are:
Grant Type: urn:ietf:params:oauth:grant-type:saml2-bearer
Client ID: the OAuth client ID that was generated when you registered the OAuth client
Scope: the OAuth scope (for example, email)
Token End Point: the NAM token endpoint (https://<nam-idp-url>/nidp/oauth/nam/token)
SAML Assertion: the base64-encoded SAML assertion
If you are using the curl utility or custom code to get the OAuth token from the SAML assertion, replace the placeholder fields in angle brackets with your own values and submit the request with curl:
curl -v "https://<IDP URL>/nidp/oauth/nam/token" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&client_id=<OAuth Client-ID>&assertion=<Base64 and URL encoded SAML Assertion>&scope=<Scope>" -k
Two caveats on this command. First, -d sends the body exactly as given, so an assertion in standard base64 (which can contain +, / and =) must be URL-encoded before it goes into the string, or passed with --data-urlencode instead; base64url without padding contains no characters that need escaping. Second, -k disables TLS certificate verification, which is acceptable only against a lab IDP; the response carries a bearer token, so in production the endpoint's certificate must be verified.
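The same exchange as the curl command, written as a small Python script. This is an added example and not part of the original post or of Access Manager; the token endpoint URL, client ID and scope are placeholders you replace with your own, and the assertion embedded below is a constructed sample (with the Signature element omitted for brevity) rather than a real ForgeRock capture. It base64url-encodes the assertion the way RFC 7522 asks for, builds the form body, and first summarises the fields NAM will check (issuer, subject, audience, expiry, presence of a signature) so that a rejected exchange can be diagnosed before the request is sent.

```python
import base64
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DSIG_SIGNATURE = "{http://www.w3.org/2000/09/xmldsig#}Signature"

# Constructed sample assertion for this example (not a real ForgeRock/NAM capture).
# The ds:Signature element is omitted; a real assertion must be sent byte-for-byte
# as the IdP issued it so that NAM can verify the issuer's XML signature.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
    'IssueInstant="2018-05-01T10:00:00Z" Version="2.0">'
    '<saml:Issuer>https://idp.example.com/openam</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2018-05-01T10:00:00Z" NotOnOrAfter="2018-05-01T10:05:00Z">'
    '<saml:AudienceRestriction>'
    '<saml:Audience>https://nam.example.com/nidp/oauth</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion>'
).encode("utf-8")


def b64url_encode(data: bytes) -> str:
    """RFC 7522 section 2.1: base64url per RFC 4648 section 5, no line wrapping, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def summarize_assertion(xml_bytes: bytes) -> dict:
    """Extract the fields the token endpoint validates before trusting the assertion:
    issuer (must match a configured trusted IdP), subject, audience, validity window,
    and whether an enveloped XML signature is present at all."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion element: %s" % root.tag)
    cond = root.find("saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": (cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
                     if cond is not None else None),
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "signed": root.find(DSIG_SIGNATURE) is not None,
    }


def build_token_request(token_endpoint: str, client_id: str, scope: str, assertion_xml: bytes):
    """Return (url, form_body) for the saml2-bearer grant. urlencode() percent-encodes every
    field, so even standard base64 would be safe here; base64url without padding simply
    needs no escaping at all, which is why RFC 7522 recommends it."""
    body = urllib.parse.urlencode({
        "grant_type": SAML2_BEARER,
        "client_id": client_id,
        "scope": scope,
        "assertion": b64url_encode(assertion_xml),
    })
    return token_endpoint, body


def request_token(token_endpoint: str, client_id: str, scope: str, assertion_xml: bytes, timeout: int = 10) -> dict:
    """POST the grant and return the parsed JSON token response (needs network access).
    TLS verification is left on: the response carries a bearer token, so unlike curl -k
    in a lab, the endpoint's certificate must be checked."""
    url, body = build_token_request(token_endpoint, client_id, scope, assertion_xml)
    req = urllib.request.Request(url, data=body.encode("ascii"), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values; replace with your NAM token endpoint, client ID and scope.
    print(summarize_assertion(SAMPLE_ASSERTION))
    url, body = build_token_request("https://nam.example.com/nidp/oauth/nam/token",
                                    "my-client-id", "email", SAMPLE_ASSERTION)
    print(url)
    print(body)
```

With a real capture, replace SAMPLE_ASSERTION with the raw assertion bytes from SAML Chrome Panel and call request_token(); if summarize_assertion() shows an issuer that is not configured as a trusted IdP in NAM, an audience that is not NAM, an expired NotOnOrAfter, or signed set to False, the token endpoint will reject the grant regardless of how the request is encoded.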
Bearer Token response: