Support for OAuth 2.0 SAML Bearer Assertion Flow
I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.
Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccessoauthSAMLbearerflow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.
I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the identity provider in exchange for an access token.
This feature is needed for data migration projects which use the graph API to migrate user content into Microsoft Teams.

Reposting so that folks get a notification – from Paul:
Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.
We are also supporting the OAuth SAML Bearer Assertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.
10 comments
-
Anonymous commented
When will this be supported in Azure AD B2C?
-
Keith Voels commented
Creating SAML Assertions is supported in Microsoft Identity Platform v1 but not v2. I do not understand why v2 went back to 'use ADFS'. We are a very large enterprise that, under Microsoft's direction, no longer has AD or ADFS - just Azure AD.
Here is the v1 SAML Assertion endpoint documentation; we need this to continue to be supported!
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Our application is calling an Azure AD registered and protected API. That Azure API is then calling an SAP registered and protected API. SAP is federated to Azure AD. We do not want the application to be aware of SAP or call SAP directly.
So we need to do a token exchange within the Azure API: exchange the Azure bearer token for an SAP bearer token while retaining the identity. Since two service providers (Azure and SAP) are involved we cannot exchange OAuth2 tokens; we need to exchange SAML tokens – a SAML assertion. This is an API, so it cannot be browser functionality.
The v1 endpoint supports this very well. You can send the Azure API’s Access Token to ‘oauth/token’ and get a SAML Assertion back. We then send the SAML Assertion to SAP and get the access token required to call the SAP API (see link below). We need a ‘grant_type:jwt-bearer’ to ‘token-type:saml2’ in V2 like exists today in V1.
https://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow
I am not alone, please see the comments: https://answers.sap.com/questions/12852835/sso-using-azure-ad-and-sap-netweaver.html
-
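The two-step exchange Keith describes, written out as an added Python example (it is not code from this thread, from Microsoft or from SAP): the Azure API trades the caller's bearer token for a SAML2 assertion via the v1 on-behalf-of endpoint, then presents that assertion to the SAP token endpoint as an RFC 7522 SAML bearer grant. The endpoints, client ids and scope are placeholders, the transport function is injected so the logic runs offline, and the assumption that Azure AD returns the assertion base64-encoded in `access_token` while SAP expects unpadded base64url is mine.

```python
import base64
from typing import Callable, Dict

# Placeholder endpoints (assumption): the v1 token endpoint is per tenant and the
# SAP one is per system; neither value is given in the thread.
AAD_V1_TOKEN_URL = "https://login.microsoftonline.com/<tenant>/oauth2/token"
SAP_TOKEN_URL = "https://<sap-host>/sap/bc/sec/oauth2/token"

# HTTP transport is injected: (url, form fields) -> decoded JSON body.
Poster = Callable[[str, Dict[str, str]], Dict[str, str]]


def obo_saml_request(api_token: str, client_id: str, secret: str, sap_resource: str) -> Dict[str, str]:
    """Form body for the v1 OBO call that asks for a SAML2 assertion instead of a JWT."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": api_token,              # caller's bearer token for the Azure API
        "client_id": client_id,
        "client_secret": secret,
        "resource": sap_resource,            # App ID URI of the SAP app registered in Azure AD
        "requested_token_use": "on_behalf_of",
        "requested_token_type": "urn:ietf:params:oauth:token-type:saml2",
    }


def saml_bearer_request(assertion_b64: str, sap_client_id: str, scope: str) -> Dict[str, str]:
    """RFC 7522 SAML bearer grant; the assertion is re-encoded as unpadded base64url."""
    raw = base64.b64decode(assertion_b64)    # assumed: Azure AD returns standard base64
    b64url = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "assertion": b64url,
        "client_id": sap_client_id,
        "scope": scope,
    }


def exchange_for_sap_token(post: Poster, api_token: str, aad_client_id: str, aad_secret: str,
                           sap_resource: str, sap_client_id: str, scope: str) -> str:
    """Azure API bearer token -> SAML assertion (Azure AD) -> SAP access token, same user."""
    obo = post(AAD_V1_TOKEN_URL, obo_saml_request(api_token, aad_client_id, aad_secret, sap_resource))
    if "access_token" not in obo:
        raise RuntimeError(f"OBO failed: {obo.get('error')}: {obo.get('error_description')}")
    sap = post(SAP_TOKEN_URL, saml_bearer_request(obo["access_token"], sap_client_id, scope))
    if "access_token" not in sap:
        raise RuntimeError(f"SAP grant failed: {sap.get('error')}: {sap.get('error_description')}")
    return sap["access_token"]
```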
Umesh commented
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion - This would probably help. I shared a blog earlier which is now published in the Azure docs. Please have a look.
-
Pappinisseri P,Nithish commented
Any updates on OAuth SAML Bearer Assertion flow?
-
Umesh commented
https://o365treasurehunt.blogspot.com/ - I have done that recently and documented it. Hope that helps!
-
Jørn Skogsrud commented
Hi.
I would also like to know if/when this becomes available. We're currently struggling to set this up, so any help would be greatly appreciated.
-
Aditya Tagat commented
Hello Azure AD Team,
Has the support for OAuth SAML Bearer Assertion flow above been documented? I am looking to use this for single sign on to an Azure Web App from the SAP Cloud Platform.
-
Jarle Skogheim commented
Any updates on this?
-
Paul Garner (MSFT) commented
Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won't have to enter their credentials.
We are also supporting the OAuth SAML Bearer Assertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I'll post here again when documentation for that is ready.
-
Wouter Hemeryck commented
We are looking into ways to authenticate from a web application to services that use SAML2 and OAuth bearer tokens. With this method our web application could use SAML, and server side we can request OAuth tokens to make calls to OAuth protected services without resorting to service credentials.