Exchanging an OAuth2 Access Token for a SAML2 Assertion





NetIQ Access Manager supports the SAML2 bearer grant (RFC 7522). It supports only the authorization-grant use of the assertion, in which the assertion authenticates the user; the assertion is not used for client authentication.

You can present a SAML2 assertion to request an access token. Access Manager validates the assertion and issues an access token for accessing OAuth-protected resources.

This solution covers the reverse direction: a client or user already holds an OAuth2 access token and needs a SAML2 assertion. It works with an existing NetIQ Access Manager 4.x deployment.




The goal is to authenticate the user in a SAML2 federation using an OAuth2 access token issued by NetIQ Access Manager, without prompting the user for credentials.


Why is this useful?


This lets an OAuth2 client that already holds an access token federate with a SAML2 service provider without a second login.




Prerequisite: NetIQ Access Manager must have Mobile Access enabled, or an equivalent class, method and contract must be created manually, so that an OAuth2 (MobileToken) contract exists.


Configuration steps:

    1. Log in to the Administration Console.

    2. Enable Mobile Access from the dashboard.

    3. If "Enable Mobile Access" is not offered, create the contract manually:

        1. Create a class with the Java class name com.novell.nam.nidp.mobile.MobileTokenClass.
        2. Create a method that uses the class created in the previous step.
        3. Create a contract that uses the method created in the previous step.
        4. Apply the settings.

    4. Update the Identity Server so the new configuration is deployed.

    5. Complete the SAML2 federation with the service provider. (The example service provider EntityID used below is https://idp.siteb.novell.com:8443/nidp/saml2/metadata.)

    6. Configure an OAuth2 client and obtain an access token from NetIQ Access Manager.

    7. Prepare the HTTP request as below:

      https://login.idp.com/nidp/app?id=MobileToken&target=https://login.idp.com/nidp/saml2/idpsend?PID=https://idp.siteb.novell.com:8443/nidp/saml2/metadata

      The target value is itself a URL with a query string (PID=...), so URL-encode it before placing it in the outer request; otherwise PID is parsed as a parameter of /nidp/app rather than of idpsend. The request lines below show the encoded form.

      Send the access token either in the Authorization header or as a request parameter. Prefer the header: a token carried in the query string is written to web server and proxy access logs and can leak through the Referer header.

      Access token in the Authorization header:

      GET /nidp/app?id=MobileToken&target=https%3A%2F%2Flogin.idp.com%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3Dhttps%253A%252F%252Fidp.siteb.novell.com%253A8443%252Fnidp%252Fsaml2%252Fmetadata HTTP/1.1
      Host: login.idp.com
      Authorization: <access token>

      Access token as a parameter:

      GET /nidp/app?id=MobileToken&target=https%3A%2F%2Flogin.idp.com%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3Dhttps%253A%252F%252Fidp.siteb.novell.com%253A8443%252Fnidp%252Fsaml2%252Fmetadata&access_token=<access token> HTTP/1.1
      Host: login.idp.com

    8. The federation completes after a few redirections.

    9. If the goal is to capture the SAML2 assertion itself, the client must stop at the HTTP-POST binding step: the Identity Server returns an HTML page containing a form (normally auto-submitted by JavaScript) whose hidden SAMLResponse field holds the base64-encoded SAML2 Response, and the assertion is inside that Response. Parse that HTML and decode the field instead of letting the form submit to the service provider.
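As a worked example of steps 7 to 9, added here and not part of the original post or of Access Manager's own code, the following Python script builds the MobileToken URL with the target correctly URL-encoded, sends the access token in the Authorization header, and parses the auto-submit HTML page to recover the SAMLResponse and the assertion inside it. The hostnames and EntityID are the ones used in the post; the Bearer scheme and the service provider's assertion consumer URL are assumptions; the HTML page and the SAML Response embedded in the script are constructed stand-ins so that it runs offline.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Hostnames and EntityID as used in the post above.
IDP_BASE = "https://login.idp.com"
SP_ENTITY_ID = "https://idp.siteb.novell.com:8443/nidp/saml2/metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_mobiletoken_url(idp_base, sp_entity_id):
    """Build /nidp/app?id=MobileToken&target=<idpsend URL>.

    The idpsend URL carries its own PID parameter, so it must be URL-encoded
    before it goes into 'target'; otherwise PID is parsed as a parameter of
    /nidp/app instead of idpsend and the federation never starts.
    """
    idpsend = idp_base + "/nidp/saml2/idpsend?" + urllib.parse.urlencode({"PID": sp_entity_id})
    return idp_base + "/nidp/app?" + urllib.parse.urlencode({"id": "MobileToken", "target": idpsend})


def fetch_autopost_page(url, access_token):
    """Send the token in the Authorization header and follow the IDP redirects.

    Not exercised offline. The header is preferred over &access_token=... because a
    query-string token ends up in server/proxy access logs and the Referer header.
    Assumption: the MobileToken class accepts the Bearer scheme.
    """
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:  # urlopen follows the 302s itself
        return resp.read().decode("utf-8")


class _AutoPostForm(HTMLParser):
    """Collect the action and named inputs of the SAML2 HTTP-POST binding form."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def extract_saml_response(html):
    """Return (form action, form fields) from the auto-submit page, or raise if the
    page is not the POST-binding form (for example the login page shown when the
    access token was rejected)."""
    p = _AutoPostForm()
    p.feed(html)
    if "SAMLResponse" not in p.fields:
        raise ValueError("no SAMLResponse field: federation did not reach the POST step")
    return p.action, p.fields


def decode_response(saml_response_b64):
    """Base64-decode SAMLResponse; return (StatusCode value, list of Assertion elements)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return (code.get("Value") if code is not None else None), root.findall(f"{{{SAML}}}Assertion")


def assertion_subject(assertion):
    """NameID of the authenticated user, or None if the assertion has no Subject."""
    nameid = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return nameid.text if nameid is not None else None


# Constructed stand-ins so the script runs offline: a minimal Response (no Signature)
# and the auto-submit page the Identity Server would return at the end of the redirects.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
  <saml:Issuer>{IDP_BASE}/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-01-01T00:00:00Z">
    <saml:Issuer>{IDP_BASE}/nidp/saml2/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_ACS_URL = "https://idp.siteb.novell.com:8443/nidp/saml2/spassertion_consumer"  # assumed SP ACS URL


def sample_autopost_page():
    b64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()
    return ('<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{SAMPLE_ACS_URL}">'
            f'<input type="hidden" name="SAMLResponse" value="{b64}"/>'
            '<input type="hidden" name="RelayState" value="MA=="/>'
            '<noscript><input type="submit" value="Continue"/></noscript>'
            '</form></body></html>')


if __name__ == "__main__":
    print(build_mobiletoken_url(IDP_BASE, SP_ENTITY_ID))
    # Live use: html = fetch_autopost_page(build_mobiletoken_url(IDP_BASE, SP_ENTITY_ID), token)
    action, fields = extract_saml_response(sample_autopost_page())
    status, assertions = decode_response(fields["SAMLResponse"])
    print(action, status, [assertion_subject(a) for a in assertions])
```

The script only extracts the Response; it does not verify the XML signature, which is the service provider's job when the form is submitted. If you act on the captured assertion yourself, validate the signature, Conditions and Audience first. Note also that urllib forwards the Authorization header across redirects, which is what you want while every hop stays on the Identity Server host, but not if your deployment redirects through third-party hosts.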

Please share your comments!!

