I have a client API app that consumes a private API from a web application, I use Bearer authorization to authenticate. I get the Bearer using the following call: grant_type=password&username={Username}&password={Password}&client_id={clientID}&tenant_id={TenantID}

Then I use the returned Bearer to authenticate to the APIs.

All has been working fine until we added SSO authentication to the application using Azure AD with SAML 2.0.

I checked Azure documentation and found the following: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

I'm not sure where to start. Can you please give me some guidance on the steps to add to my current application in order for it to support the new SSO authentication?

Thanks!

I think there is a confusion between OAuth & SAML, can you share more details on what you are trying to achieve? – Immanuel

Why do you want to use SAML? Just use OpenID Connect to Azure AD and your application will work pretty much as is. – rbrayb

1 Answer

It sounds like you have SAML already implemented in your AAD Application and wish to utilize a different form of authentication outside of ROPC/OIDC/Auth Code.

It is possible to get an access token with a SAML token using the SAML Assertion Bearer flow. Unfortunately there's no official documentation on how to do this, but it is supported per the feedback here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/19728688-support-for-oauth-2-0-saml-bearer-assertion-flow

By using the SAML Assertion Bearer flow you can use SSO Auth to get a SAML 2.0 token and then use the SAML token to get a new access token using the SAML bearer assertion flow.

The RFC for this flow can be found here: https://tools.ietf.org/html/rfc7522

As there is no official Microsoft documentation on how to do this it may not be the best path to go down currently. If you already have it working with ROPC flow, you may wish to wait for proper documentation to be provided for the SAML Assertion Bearer flow. Or utilize one of the other flows that Microsoft has official documentation on. These flows can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios

If there's any questions please comment and I'll try to get back to you as soon as possible.
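To make the RFC 7522 exchange the answer describes concrete, here is an added example (not code from the question, the answer, or Microsoft) that builds the token request body the RFC defines, base64url-encodes the SAML 2.0 assertion into the `assertion` parameter, and, before anything is sent, pulls out the fields the authorization server will check (Issuer, Audience, NotOnOrAfter). The assertion XML, the client id and the scope are constructed placeholders; the token endpoint URL is only mentioned in a comment as an assumption and is not contacted, so the script runs offline.

```python
"""RFC 7522 SAML 2.0 bearer assertion token request, built and inspected offline.

Added example; the assertion below is a constructed placeholder, not a real token.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

# Grant type string fixed by RFC 7522, section 2.1.
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: issuer, subject, audience and validity window
# are placeholders chosen for the demonstration (no signature is included).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-id" IssueInstant="2020-01-01T00:00:00Z" Version="2.0">'
    "<saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>"
    "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T01:00:00Z">'
    "<saml:AudienceRestriction><saml:Audience>api://example-client</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions>"
    "</saml:Assertion>"
)


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as RFC 7522 requires for the assertion parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(value: str) -> bytes:
    """Reverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def build_saml_bearer_request(assertion_xml: str, client_id: str, scope: str) -> dict:
    """Form parameters for the token request (RFC 7522 section 2.1).

    The request would be POSTed to the token endpoint, e.g. (assumption)
    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
    """
    return {
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": b64url_encode(assertion_xml.encode("utf-8")),
        "client_id": client_id,
        "scope": scope,
    }


def encode_form(params: dict) -> str:
    """application/x-www-form-urlencoded body for the POST."""
    return urllib.parse.urlencode(params)


def decode_assertion_param(param: str) -> str:
    """Recover the assertion XML from a request's assertion parameter."""
    return b64url_decode(param).decode("utf-8")


def inspect_assertion(assertion_xml: str, now: Optional[datetime] = None) -> dict:
    """Surface the claims RFC 7522 section 3 has the authorization server check.

    This does not verify the XML signature; it only shows what will be evaluated.
    Use defusedxml instead of ElementTree if the XML comes from an untrusted party.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    not_on_or_after = conditions.get("NotOnOrAfter")
    expiry = datetime.strptime(not_on_or_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_on_or_after": not_on_or_after,
        "expired": now >= expiry,
    }


if __name__ == "__main__":
    req = build_saml_bearer_request(SAMPLE_ASSERTION, "placeholder-client-id", "api://example/.default")
    print(encode_form(req))
    print(inspect_assertion(SAMPLE_ASSERTION))
```

The `inspect_assertion` step is the practical check: an assertion whose Audience does not name the token service, or whose NotOnOrAfter has passed, will be rejected by the authorization server, so surfacing those values locally turns an opaque `invalid_grant` into something you can act on.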