Exchange SAML 2 Assertion with OAuth Access Token Using NAM 4.4

1. Introduction / Use cases

Access Manager 4.4 implements RFC 7521 (Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants) and RFC 7522 (the SAML 2.0 profile of that framework), so a SAML 2 assertion can be used as an OAuth authorization grant (the SAML 2 bearer grant). A client presents the assertion to the token endpoint; Access Manager validates it against a trusted issuer and returns an access token that can then be used to access OAuth protected resources.

For more information, see the Access Manager documentation topic Exchanging SAML 2 Assertions with Access Token.

2. How it works

Consider a user who needs to access an OAuth protected resource and has already authenticated to the application with a SAML 2 assertion. Without the assertion grant, the application would have to send the user through a regular OAuth authorization flow, which means re-authenticating and asking for consent a second time. To avoid that, the application can present the SAML 2 assertion it already holds to Access Manager and exchange it for an access token.

For Access Manager to accept an assertion as an authorization grant, it must trust the identity provider that issued it. You establish that trust by configuring the issuer's details as an Assertion Issuer on the IDP (see 3.3); assertions from any other issuer are rejected.



3. Configuration Steps


 

3.1 Configure SAML 2 Identity Provider

I have already explained how to configure a third-party SAML 2 Identity Provider and federate it with the NAM IDP in a separate article; please click here for those steps.

For this example, I have configured ForgeRock as the Identity Provider.

3.2  OAuth Settings

    • Go to idp-cluster -> OAuth & OpenID Connect -> Global Settings and check the “SAML 2.0 Assertion” checkbox. This enables the grant type on the IDP.

    • Go to idp-cluster -> OAuth & OpenID Connect -> Client Applications and create or edit your OAuth client. Make sure the “SAML 2.0 Assertion” checkbox is selected for this client too; the grant has to be allowed both globally and per client.




3.3  Assertion Issuer

    • Go to idp-cluster -> OAuth & OpenID Connect -> Assertion Issuers (tab) and click the + sign to import the configuration from an existing IDP (the identity provider you set up in 3.1).

    • Select your Identity Provider, choose the user store against which the assertion's subject is resolved, and the Name ID format the IDP puts in the assertion. Also make sure the Audience Alias matches the Audience value inside the assertion's AudienceRestriction; an assertion whose audience does not name this NAM IDP is not accepted as a grant.




4. Test the solution

4.1  Capture SAML Assertion

There are several ways to capture a SAML assertion: Fiddler, the SAML-tracer add-on for Firefox, or the SAML Chrome Panel extension for Chrome. I used SAML Chrome Panel for this example.

I opened the ForgeRock IDP-initiated SSO URL, logged in with valid credentials and captured the SAML assertion. If you use SAML Chrome Panel, make sure you toggle the “SAML format” button so that the assertion is shown without pretty-printing: the assertion has to be sent byte for byte as the IDP issued it, because added whitespace or re-serialised XML changes the signed content and the signature check at NAM fails.



4.2  Exchange SAML Assertion with OAuth Access Token

The NAM token endpoint expects the assertion parameter to carry the SAML assertion Base64 encoded. Because the parameter travels in an application/x-www-form-urlencoded POST body, the Base64 text (which can contain "+", "/" and "=") must also be URL encoded, otherwise the IDP decodes a corrupted assertion (a bare "+" in a form body, for instance, arrives as a space). If you POST from an HTML form in a browser, the browser performs the URL encoding for you, so the steps are:

    • Copy the unformatted SAML XML exactly as captured
    • Base64 encode it
    • POST the encoded assertion to the NAM token endpoint; the browser URL encodes the form field for you

If you use curl or custom code, nothing URL encodes the value for you, so you need one more step:

    • Copy the unformatted SAML XML exactly as captured
    • Base64 encode it
    • URL encode the Base64 text
    • POST the encoded assertion to the NAM token endpoint
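As an added example that is not part of the original post (and not Access Manager code), the following Python script carries out the encoding steps above for the curl/custom-code case and also pre-checks the assertion against the Assertion Issuer settings from 3.3: a known issuer, a matching Audience Alias, the NotBefore/NotOnOrAfter validity window, and a single Assertion element rather than a whole samlp:Response. The sample assertion, the issuer and audience URLs, the client ID and the token endpoint host are constructed placeholders; the XML signature check that NAM itself performs is not reproduced.

```python
"""Added example (not from the original post or from Access Manager): encode a
captured SAML 2.0 assertion for the NAM token endpoint and pre-check the fields
RFC 7522 section 3 requires the endpoint to validate. The assertion, issuer,
audience, client ID and endpoint below are constructed placeholders."""
import base64
import datetime as dt
import urllib.parse
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{%s}Assertion" % SAML_NS["saml"]
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed, unsigned sample (a real assertion also carries a ds:Signature).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a1b2c3" Version="2.0" IssueInstant="2020-01-31T11:50:00Z">'
    "<saml:Issuer>https://idp.example.com/openam</saml:Issuer>"
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "alice@example.com</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2020-01-31T11:45:00Z" NotOnOrAfter="2020-01-31T11:55:00Z">'
    "<saml:AudienceRestriction><saml:Audience>https://nam.example.com/nidp/saml2/metadata"
    "</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
)


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC ('Z'), optionally with fractions."""
    value = value.strip().rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=dt.timezone.utc)


def inspect_assertion(xml_text):
    """Extract the fields NAM matches against its Assertion Issuer settings."""
    root = ET.fromstring(xml_text)
    # A pasted samlp:Response wraps the Assertion; RFC 7522 wants the Assertion alone.
    node = root if root.tag == ASSERTION_TAG else root.find(".//saml:Assertion", SAML_NS)
    if node is None:
        raise ValueError("no saml:Assertion element found")
    name_id = node.find("saml:Subject/saml:NameID", SAML_NS)
    cond = node.find("saml:Conditions", SAML_NS)
    window = {k: cond.get(k) for k in ("NotBefore", "NotOnOrAfter")} if cond is not None else {}
    return {
        "wrapped": node is not root,
        "issuer": node.findtext("saml:Issuer", default="", namespaces=SAML_NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "audiences": [(a.text or "").strip() for a in node.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)],
        "not_before": parse_saml_time(window["NotBefore"]) if window.get("NotBefore") else None,
        "not_on_or_after": parse_saml_time(window["NotOnOrAfter"]) if window.get("NotOnOrAfter") else None,
    }


def precheck(info, trusted_issuers, audience_alias, now):
    """Reasons the token endpoint would reject the assertion. The XML signature
    check is the IDP's job (it holds the issuer's certificate) and is not redone here."""
    problems = []
    if info["wrapped"]:
        problems.append("send only the saml:Assertion element, not the enclosing Response")
    if info["issuer"] not in trusted_issuers:
        problems.append("issuer %r is not a configured Assertion Issuer" % info["issuer"])
    if audience_alias not in info["audiences"]:
        problems.append("Audience Alias %r not among assertion audiences %r"
                        % (audience_alias, info["audiences"]))
    if info["not_before"] and now < info["not_before"]:
        problems.append("assertion not yet valid (NotBefore)")
    if info["not_on_or_after"] and now >= info["not_on_or_after"]:
        problems.append("assertion expired (NotOnOrAfter)")
    return problems


def encode_assertion(xml_text, urlsafe=False):
    """Base64 the captured bytes unchanged: pretty-printing or re-serialising
    alters the signed content and breaks the signature. The post uses standard
    Base64 plus URL-encoding; RFC 7522 section 2.1 specifies base64url."""
    raw = xml_text.encode("utf-8")
    return (base64.urlsafe_b64encode(raw) if urlsafe else base64.b64encode(raw)).decode("ascii")


def build_token_request(token_endpoint, client_id, scope, assertion_xml):
    """application/x-www-form-urlencoded body for the token endpoint. urlencode()
    does the URL-encoding step the post performs by hand for curl, so the '+',
    '/' and '=' characters of the Base64 text reach the IDP intact."""
    body = urllib.parse.urlencode({
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "scope": scope,
        "assertion": encode_assertion(assertion_xml),
    })
    return token_endpoint, body
```

The body returned by build_token_request is the same form body the curl command in 4.4 sends; with curl you can let the tool do the URL encoding by passing the Base64 text through --data-urlencode "assertion=..." instead of -d. Run precheck on a freshly captured assertion before posting: an expired NotOnOrAfter, a mismatched Audience Alias, or an issuer that is not configured under Assertion Issuers are the usual reasons the exchange fails.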



4.3  Test using Browser Post

Download the attached SAMLToken.html, open it in a browser, fill in the form and click Submit. The response contains the Bearer token.

Grant Type: urn:ietf:params:oauth:grant-type:saml2-bearer
Client ID: the OAuth client ID generated when you registered the OAuth client
Scope: the OAuth scope to request (for example email)
Token End Point: the NAM token endpoint (https://<nam-idp-url>/nidp/oauth/nam/token)
SAML Assertion: the Base64 encoded SAML assertion (the browser URL encodes it on submit)

Request:

Response:
4.4  Test using CURL utilities

Replace the fields in angle brackets with your own values and run the command with the curl utility:

curl -v "https://<IDP URL>/nidp/oauth/nam/token" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&client_id=<OAuth Client-ID>&assertion=<Base64 and URL encoded SAML Assertion>&scope=<Scope>" -k

The -k flag disables TLS certificate verification so that the command works against a lab IDP with a self-signed certificate. Do not carry it into real clients: without certificate checking, anyone who can intercept the connection can read both the assertion and the returned access token.

Bearer Token response:

Last update: 2020-01-31 11:50