Exchange SAML 2 Assertion with OAuth Access Token Using NAM 4.4


1. Introduction / Use cases


Access Manager 4.4 complies with RFC 7521 and RFC 7522 to support SAML 2 bearer profile with authorization grant flow. You can use a SAML 2 assertion to request an access token. Access Manager can validate the assertion and generate the access token, which can be used to access OAuth protected resources.

For more information, see Exchanging SAML 2 Assertions with Access Token.

2. How it works

Consider a scenario where a user needs to access an OAuth protected resource and has already been authenticated using a SAML assertion. To access the resource, the user would normally have to re-authenticate and give consent. To avoid re-authenticating and asking the user for consent again, the application can use Access Manager to exchange the SAML 2 assertion for an access token.

To use assertions for requesting an access token, Access Manager must trust the identity provider that issues the assertion; you establish this trust by configuring the assertion issuer’s information.

3. Configuration Steps


3.1 Configure SAML 2 Identity Provider


I have already explained how to configure a third-party Identity Provider using SAML 2 and integrate it with the NAM IDP. Please click here to configure an Identity Provider.

For this example, I have configured ForgeRock as an Identity Provider.

3.2  OAuth Settings

    • Go to idp-cluster -> OAuth & OpenID Connect -> Global Settings and select the “SAML 2.0 Assertion” checkbox.


    • Go to idp-cluster -> OAuth & OpenID Connect -> Client Applications and create or edit your OAuth client. Make sure you select the “SAML 2.0 Assertion” checkbox.

3.3  Assertion Issuer

    • Go to idp-cluster -> OAuth & OpenID Connect -> Assertion Issuers (tab) and click on the sign to import the configuration from an existing IDP.


    • Select your Identity Provider, then choose the correct User store and Name ID format. Also make sure the Audience Alias matches the Audience value in the SAML assertion.

4. Test the solution


4.1  Capture SAML Assertion

There are a couple of ways to capture a SAML assertion: you can use Fiddler, the Firefox SAML Tracer add-on, or the SAML Chrome Panel plugin for the Chrome browser. I have used SAML Chrome Panel to capture the SAML assertion for this example.

I have accessed the ForgeRock IDP-initiated URL, logged in using valid credentials and captured the SAML assertion. Please make sure you click the “SAML format” button (if you are using SAML Chrome Panel); this removes all XML formatting.

4.2  Exchange SAML Assertion with OAuth Access Token

The NAM IDP expects the SAML assertion to be Base64 encoded and URL encoded. That means if you are using a browser to POST the SAML assertion to the NAM Token endpoint, you need to follow these steps:

    • Copy unformatted SAML XML


    • Perform Base64 encode


    • Post the encoded SAML assertion to the NAM Token End Point; the browser will take care of URL encoding for you.

But if you are using the CURL utility or any custom code to get an OAuth token using a SAML assertion, you need to follow these steps:

    • Copy unformatted SAML XML


    • Perform Base64 encode


    • Perform URL encode


    • Post the encoded SAML assertion to the NAM Token End Point.
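The two encoding procedures above (browser post versus CURL or custom code), as an added Python example that is not part of the original article or of the Access Manager product. The token endpoint host, the client ID and the minimal unsigned assertion are constructed placeholders. The functions show plain Base64 encoding, the extra URL encoding needed when no browser is involved, and why that extra step matters: a '+' in the Base64 text that is not percent-encoded reaches a form-decoding token endpoint as a space, which breaks signature validation of the assertion.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Hypothetical values for this example; they are not from the original article.
TOKEN_ENDPOINT = "https://nam-idp.example.com/nidp/oauth/nam/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed sample: a minimal, unsigned SAML 2 assertion used only to exercise
# the encoding steps. A real assertion captured from the IdP is signed and larger.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-example" Version="2.0">'
    "<saml:Issuer>https://idp.example.com</saml:Issuer>"
    "</saml:Assertion>"
)


def base64_encode_assertion(assertion_xml: str) -> str:
    """Step 1: plain Base64 of the unformatted assertion XML (no line breaks).
    This is all a browser form post needs; the browser URL-encodes the value."""
    return base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")


def url_encode_assertion(b64_assertion: str) -> str:
    """Step 2 (CURL or custom code only): percent-encode the Base64 text so that
    '+', '/' and '=' arrive intact. safe="" makes quote() encode '/' as well."""
    return urllib.parse.quote(b64_assertion, safe="")


def server_side_decoded_assertion(form_body: str) -> str:
    """What a form-decoding token endpoint sees in the 'assertion' field.
    Used here to show why step 2 matters: an unencoded '+' is read as a space."""
    return urllib.parse.parse_qs(form_body)["assertion"][0]


def build_token_request_body(assertion_xml: str, client_id: str, scope: str) -> str:
    """Builds the same form body as the article's curl -d argument."""
    return "&".join(
        [
            "grant_type=" + GRANT_TYPE,
            "client_id=" + urllib.parse.quote(client_id, safe=""),
            "assertion=" + url_encode_assertion(base64_encode_assertion(assertion_xml)),
            "scope=" + urllib.parse.quote(scope, safe=""),
        ]
    )


def parse_token_response(body: str) -> dict:
    """Parses the JSON token response and checks that it is a usable bearer token."""
    token = json.loads(body)
    if "access_token" not in token:
        raise ValueError("token endpoint did not return an access_token: %s" % body)
    if token.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % token.get("token_type"))
    return token


def exchange_assertion(assertion_xml: str, client_id: str, scope: str) -> dict:
    """Posts the assertion to the token endpoint. Unlike the article's curl -k,
    this uses the default SSL context, so the IDP certificate is verified."""
    body = build_token_request_body(assertion_xml, client_id, scope).encode("ascii")
    request = urllib.request.Request(
        TOKEN_ENDPOINT,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(request, context=ssl.create_default_context()) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Offline demonstration of the encoding steps; exchange_assertion() needs a live IDP.
    encoded = base64_encode_assertion(SAMPLE_ASSERTION)
    print("Base64 (browser form):", encoded)
    print("Base64 + URL encoded (CURL):", url_encode_assertion(encoded))
    print("Request body:", build_token_request_body(SAMPLE_ASSERTION, "my-client-id", "email"))
```

Running the script prints the two encoded forms and the request body; exchange_assertion() only works against a real IDP with a freshly captured assertion. If you stay with CURL, its --data-urlencode option performs the percent-encoding for you, so you can pass the plain Base64 text instead of URL-encoding it by hand.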

4.3  Test using Browser Post

Download SAMLToken.html, double-click it to open it in a browser, fill in the form and click Submit. You will get the Bearer token.

Grant Type: urn:ietf:params:oauth:grant-type:saml2-bearer
Client ID: the OAuth Client ID that was generated during OAuth client registration
Scope: OAuth scope (for example, email)
Token End Point: NAM Token endpoint (https://<nam-idp-url>/nidp/oauth/nam/token)
SAML Assertion: Base64-encoded SAML assertion

4.4  Test using CURL utilities

Replace the placeholder fields (in angle brackets) with your own values and submit the request using the CURL utility.

curl -v "https://<IDP URL>/nidp/oauth/nam/token" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&client_id=<OAuth Client-ID>&assertion=<Base64 and URL encoded SAML Assertion>&scope=<Scope>" -k

Bearer Token response:
