
Exchanging Oauth2 Access Token with SAML2 Assertion

NetIQ Access Manager supports the SAML2 bearer grant. Access Manager supports only the authorization grant flow for assertions, and the assertion is used to authenticate the user.

You can use a SAML2 assertion to request an access token. Access Manager validates the assertion and generates an access token for accessing OAuth-protected resources.

For the other direction, when a client or user possesses an OAuth2 access token and needs a SAML2 assertion, this solution explains how to do that with an existing NetIQ Access Manager 4.x deployment.

Authenticate the user with a NetIQ Access Manager issued OAuth2 access token as part of a SAML2 federation, without prompting for user credentials.


Why is this useful?

This solution helps to federate with a Service Provider when the OAuth2 client already holds an access token.

Prerequisite: NetIQ Access Manager must have Mobile Access enabled, or a new class, method and contract must be created so that an OAuth2 contract is available.


Configuration steps:

    1. Log in to the Admin Console.
    2. Enable Mobile Access from the dashboard.
    3. If enabling Mobile Access is not an option, do the following:
        a. Create a class with the “”
        b. Create a method with the class created in the previous step.
        c. Create a contract with the method created in the previous step.
        d. Apply the settings.
        e. Update the IDP.
    4. Complete the SAML2 federation with the service provider. (example service provider EntityID used below is
    5. Configure the OAuth2 client to get an access token from NetIQ Access Manager.
    6. Prepare the HTTP request as below. Send the access token either as a parameter of the URL above or in the Authorization header.

       Access token in the Authorization header:

       GET /nidp/app?id=MobileToken&target= HTTP/1.1
       Content-Type: text/html
       Authorization: <>

       Access token as a parameter:

       GET /nidp/app?id=MobileToken&target=<> HTTP/1.1
       Content-Type: text/html

    7. The federation completes after a few redirections.
    8. If the goal is to capture the SAML2 assertion itself, the client has to intercept the HTML form post in which the assertion is posted to the service provider and parse the assertion out of that HTML.
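The request and form-post capture described above, as an added Python example that is not part of the original tip: it builds the MobileToken request with the token in the Authorization header (assuming the OAuth2 Bearer scheme, which the page leaves elided) and parses the SAML POST binding form out of the final HTML. The identity server URL, the sample page and the service provider URL are constructed placeholders.

```python
import base64
import html
import re
import urllib.request
from urllib.parse import urlencode

def build_mobiletoken_request(idp_base, access_token, target):
    """Return (url, headers) for GET /nidp/app?id=MobileToken with the token in
    the Authorization header, which keeps it out of URLs and proxy/server logs.
    Assumption: the header uses the OAuth2 "Bearer" scheme (elided on the page)."""
    url = idp_base.rstrip("/") + "/nidp/app?" + urlencode({"id": "MobileToken", "target": target})
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "text/html"}
    return url, headers

_FORM = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']([^\"']+)[\"'][^>]*>(.*?)</form>",
                   re.I | re.S)
_INPUT = re.compile(r"<input\b[^>]*>", re.I | re.S)
_ATTR = re.compile(r"\b(name|value)\s*=\s*[\"']([^\"']*)[\"']", re.I)

def extract_saml_post(page):
    """Find the auto-submitting SAML POST binding form in HTML and return
    {'action', 'SAMLResponse' (decoded XML), 'RelayState'}, or None. Decoding is not
    validation: only the SP may trust the assertion after checking signature, audience and time."""
    for action, body in _FORM.findall(page):
        fields = {}
        for tag in _INPUT.findall(body):
            attrs = {k.lower(): html.unescape(v) for k, v in _ATTR.findall(tag)}
            if "name" in attrs:
                fields[attrs["name"]] = attrs.get("value", "")
        if "SAMLResponse" in fields:
            xml = base64.b64decode(fields["SAMLResponse"]).decode("utf-8")
            return {"action": html.unescape(action), "SAMLResponse": xml,
                    "RelayState": fields.get("RelayState")}
    return None

def fetch_assertion(idp_base, access_token, target):
    # Network call (not exercised offline): urllib follows the IDP's redirections
    # and the final page should be the form post to the service provider.
    url, headers = build_mobiletoken_request(idp_base, access_token, target)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        return extract_saml_post(r.read().decode("utf-8", "replace"))

# Constructed sample of the form the IDP posts to the SP (not real NAM output).
SAMPLE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
              '<saml:Assertion ID="_c1"/></samlp:Response>')
SAMPLE_PAGE = ('<html><body onload="document.forms[0].submit()">'
               '<form method="POST" action="https://sp.example.com/acs">'
               '<input type="hidden" name="SAMLResponse" value="%s"/>'
               '<input type="hidden" name="RelayState" value="/app"/></form></body></html>'
               % base64.b64encode(SAMPLE_XML.encode()).decode())
```

Run `extract_saml_post(SAMPLE_PAGE)` to see the parsed form offline; `fetch_assertion` performs the live exchange against the identity server.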

Please share your comments!!



A customer of mine is interested in your solution but he can't find this class (and neither can I).

We chose "Other" and then specified the name of the class but got an error.

We receive this error in Catalina.out:

 Failed to load class

Could you please help me?



try using

Version history: revision 2 of 2, last update 2020-01-31 11:11.