Reposting so that folks get a notification – from Paul:
Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.
We are also supporting the OAuth SAML Bearer Assertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.
Keith Voels commented
Creating SAML Assertions is supported in Microsoft Identity Platform v1 but not v2. I do not understand why, with v2, it went back to 'use ADFS'. We are a very large enterprise that, under Microsoft's direction, no longer has AD or ADFS - just Azure AD.
Here is the v1 SAML Assertion endpoint documentation; we need this to continue to be supported!
Our application is calling an Azure AD registered and protected API. That Azure API is then calling an SAP registered and protected API. SAP is federated to Azure AD. We do not want the application to be aware of SAP or call SAP directly.
So we need to do a token exchange within the Azure API: exchange the Azure bearer token for a SAP bearer token while retaining the identity. Since two service providers (Azure and SAP) are involved we cannot exchange OAuth2 tokens; we need to exchange SAML tokens – a SAML assertion. This is in an API, so it cannot be browser functionality.
The v1 endpoint supports this very well. You can send the Azure API’s Access Token to ‘oauth/token’ and get a SAML Assertion back. We then send the SAML Assertion to SAP and get the access token required to call the SAP API (see link below). We need a ‘grant_type:jwt-bearer’ to ‘token-type:saml2’ in V2 like exists today in V1.
I am not alone; please see the comments: https://answers.sap.com/questions/12852835/sso-using-azure-ad-and-sap-netweaver.html
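The exchange Keith describes, as an added example that is not code from this thread or from Microsoft: the form body for the v1 on-behalf-of request (the `requested_token_use`/`requested_token_type` names are assumed from the v1 flow; check them against the linked v1 documentation) and the audience and validity-window checks the Azure API should run on the returned assertion before forwarding it to SAP. The sample assertion is constructed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Parameter names follow the v1 on-behalf-of flow (assumed; check the linked v1 docs).
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
SAML2_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_obo_saml_request(client_id, client_secret, inbound_token, sap_resource):
    """Form body POSTed to /{tenant}/oauth2/token: swap the API's inbound bearer
    token for a SAML 2.0 assertion addressed to the downstream (SAP) resource."""
    return {
        "grant_type": JWT_BEARER,
        "assertion": inbound_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": sap_resource,
        "requested_token_use": "on_behalf_of",
        "requested_token_type": SAML2_TOKEN_TYPE,
    }

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(b64_assertion, expected_audience, now=None):
    """Verify audience and validity window of the returned assertion before it
    is forwarded; returns the subject NameID, or None if any check fails.
    The XML signature must also be verified (e.g. with xmlsec); not shown here."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_assertion))
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    cond = root.find("saml:Conditions", NS)
    if name_id is None or cond is None:
        return None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None  # minted for a different service provider
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return None  # outside the validity window
    return name_id

# Constructed sample assertion (not a real Azure AD token) so this runs offline.
SAMPLE = base64.b64encode(b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
<saml:Issuer>https://sts.windows.net/TENANT_PLACEHOLDER/</saml:Issuer>
<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T01:00:00Z">
<saml:AudienceRestriction><saml:Audience>https://sap.example.com/api</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion>""").decode()
```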
Thanks for the feedback! We will look into this and share an update when we have more information.