How can we improve Azure Active Directory?

← Azure Active Directory

Support for OAuth 2.0 SAML Bearer Assertion Flow

I need a way to authenticate as a user without requiring the user to authenticate to Azure AD and without requiring their password.

Salesforce provides for this as part of their support for OAuth 2.0 SAML Bearer Assertion Flow, documented at https://help.salesforce.com/articleView?id=remoteaccessoauthSAMLbearerflow.htm&language=en&type=0 and https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23.

I'm posting information about the Salesforce solution (above) as an example for how this feature might be supported in Azure AD. In summary, authentication is achieved as part of a trust established between the identity provider and the relying party, using a certificate. A signed SAML assertion is submitted to the identity provider in exchange for an access token.

This feature is needed for data migration projects which use the graph API to migrate user content into Microsoft Teams.

38 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

ericmbowden shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

Reposting so that folks get a notification – from Paul:

Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

We are also supporting the OAuth SAML Bearer Asssertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.

10 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Keith Voels commented  ·   ·  Flag as inappropriate

    Creating SAML Assertions is supported in Microsoft Identity Platform v1 but not v2. I do not understand with v2 why it when back to 'use ADFS'. We are a very large enterprise that under Microsoft's direction no longer have AD or ADFS - just Azure AD.

    Here is the v1 SAML Assertion endpoint documentation; we need this to continue to be supported!
    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow

    Our application is calling an Azure AD registered and protected API. That Azure API is then calling an SAP registered and protected API. SAP is federated to Azure AD. We do not want the application to be aware of SAP or call SAP directly.
    So we need to do a token exchange within the Azure API: exchange the Azure bearer token to a SAP bearer token while retaining the identity. Since two service providers (Azure and SAP) are involved we cannot exchange OAuth2 tokens we need to exchange SAML Tokens – a SAML assertion. This in an API so it cannot be a browser functionality.
    The v1 endpoint support this very well. You can send the Azure API’s Access Token to ‘oauth/token’ and get a SAML Assertion back. We then send the SAML Assertion to SAP and get the access token required to call the SAP API (see link below). We need a ‘grant_type:jwt-bearer’ to ‘token-type:saml2’ in V2 like exists today in V1.
    https://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow
    I am not alone please see the comments: https://answers.sap.com/questions/12852835/sso-using-azure-ad-and-sap-netweaver.html

  • Jørn Skogsrud commented  ·   ·  Flag as inappropriate

    Hi.
    I would also like to know if/when this becomes available. We're currently struggling to set this up, so any help would be greatly appreciated.

  • Aditya Tagat commented  ·   ·  Flag as inappropriate

    Hello Azure AD Team,

    Has the support for OAuth SAML Bearer Assertion flow above been documented? I am looking to use this for single sign on to an Azure Web App from the SAP Cloud Platform.

  • Paul Garner (MSFT) commented  ·   ·  Flag as inappropriate

    Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won't have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Asssertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I'll post here again when documentation for that is ready.

  • Wouter Hemeryck commented  ·   ·  Flag as inappropriate

    We are looking into ways to authenticatie from a web application to services that use SAML2 and OAuth bearer tokens. With this method our web application could use SAML and server side we can request OAuth tokens to make calls to OAuth protected services without resorting to service credentials.

Azure Active Directory: Authentication

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice