Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.

Exchanging Oauth2 Access Token with SAML2 Assertion

Exchanging Oauth2 Access Token with SAML2 Assertion


NetIQ Access Manager supports the SAML2 bearer grant. Access Manager supports only the authorization grant flow for assertion and the assertion is used for authenticating the user.

You can use SAML2 assertions to request an access token. Access Manager validates the assertion and generates the access token for accessing OAuth protected resources.

But the other way, when a client/user possess an OAuth2 access token and there is a need for SAML2 assertion, this solution explains how to do that with existing NetIQ Access Manager 4.x.


Authenticate the user using NetIQ Access Manager issued OAuth2 access token as part of SAML2 federation without prompting for user credentials.

Why is this useful?

This solution will help to federate with Service Provider when Oauth2 client has access token.


NetIQ Access Manager should be enabled with mobile access or create new class, method and contract in order to have Oauth2 contract.

Configuration steps:

  1. Login to Admin console.

  2. Enable Mobile access from dashboard.
  3. If enable mobile access is not an option, do following steps:

    1. Create class with the “com.novell.nam.nidp.mobile.MobileTokenClass”

    2. Create method with class created at previous step

    3. Create Contract with method created at above step

    4. Apply settings

    5. Update IDP

  4. Complete SAML2 federation with service provider. (example service provider EntityID used below is https://idp.siteb.novell.com:8443/nidp/saml2/metadata)

  5. Configure Oauth2 client get access token from NetIQ Access Manager.

  6. Prepare HTTP request as below:

    https://login.idp.com/nidp/app?id=MobileToken&target= https%3A%2F%2Flogin.idp.com%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3Dhttps%3A%2F%2Fidp.siteb.novell.com%3A8443%2Fnidp%2Fsaml2%2Fmetadata

    Send access token as parameter part of above url or send as Authorization header.

    Access token as part of Authorization Header:

    GET /nidp/app?id=MobileToken&target= https%3A%2F%2Flogin.idp.com%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3Dhttps%3A%2F%2Fidp.siteb.novell.com%3A8443%2Fnidp%2Fsaml2%2Fmetadata HTTP/1.1
    Host: login.idp.com
    Content-Type: text/html
    Authorization: <>

    Access Token as parameter:

    GET /nidp/app?id=MobileToken&target= https%3A%2F%2Flogin.idp.com%2Fnidp%2Fsaml2%2Fidpsend%3FPID%3Dhttps%3A%2F%2Fidp.siteb.novell.com%3A8443%2Fnidp%2Fsaml2%2Fmetadata&access_token=<> HTTP/1.1
    Host: login.idp.com
    Content-Type: text/html

  7. Federation will be complete with few redirections.
  8. If the SAML2 assertion capture is a goal then client has to look for form post where assertion is posted to service provider read from html from parsing html.

Please share your comments!!


Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
1 of 1
Last update:
‎2018-07-18 21:45
Updated by:
Micro Focus Contributor
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.