Support for OAuth 2.0 SAML Bearer Assertion Flow
I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.
Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccess_oauth_SAML_bearer_flow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.
I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the identity provider in exchange for an access token.
This feature is needed for data migration projects which use the graph API to migrate user content into Microsoft Teams.
ericmbowden
shared this idea
Reposting so that folks get a notification – from Paul:
Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.
We are also supporting the OAuth SAML Bearer Asssertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.
8 comments
-
Umesh
commented
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion - This would help probably. I have shared a blog earlier which now published in azure docs. Please have a look
-
Pappinisseri P,Nithish
commented
Any updates on OAuth SAML Bearer Asssertion flow?
-
Umesh
commented
https://o365treasurehunt.blogspot.com/ - i have done that recently and documented that. hope that helps!
-
Jørn Skogsrud
commented
Hi.
I would also like to know if/when this becomes available. We're currently struggling to set this up, so any help would be greatly appreciated. -
Aditya Tagat
commented
Hello Azure AD Team,
Has the support for OAuth SAML Bearer Assertion flow above been documented? I am looking to use this for single sign on to an Azure Web App from the SAP Cloud Platform.
-
Jarle Skogheim
commented
Any updates on this?
-
Paul Garner (MSFT)
commented
Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won't have to enter their credentials.
We are also supporting the OAuth SAML Bearer Asssertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I'll post here again when documentation for that is ready.
-
Wouter Hemeryck
commented
We are looking into ways to authenticatie from a web application to services that use SAML2 and OAuth bearer tokens. With this method our web application could use SAML and server side we can request OAuth tokens to make calls to OAuth protected services without resorting to service credentials.