SAML and OAuth 2.0 are widely adopted standards for Single Sign-On (SSO). It is straightforward for an application to support either standard on its own. Things get tricky when your authentication server is OAuth 2.0 based and you also have to support SAML for Single Sign-On. Most Identity Providers (IdPs) have SAML capabilities, so requests for SAML integration with your authentication service are common, yet there are few blog posts that cover this scenario.

Note: This post assumes that readers are familiar with SAML and with the OAuth 2.0 / OIDC protocols.

Solution

The SAML RelayState parameter and the OAuth 2.0 authorization_code grant type come to our rescue in such situations. We have to enable the authorization_code grant type at the Service Provider (SP) end, that is, on the OAuth 2.0 authorization server acting as the SAML SP, for the client requesting SSO. This lets the client retrieve OAuth tokens in exchange for an authCode (the Authorization Code).

The client has to expose a callback URL that expects the authCode as a query parameter (the same shape as the redirect_uri in a normal OAuth 2.0 authorization_code flow). This callback URL is passed as the RelayState parameter for both SP-initiated and IdP-initiated SAML sign-on; the IdP returns RelayState unchanged alongside the SAML Response, and for IdP-initiated sign-on the IdP has to be configured to send it. Keep in mind that the SAML bindings specification recommends that RelayState not exceed 80 bytes, so a long callback URL may need to be replaced by a short opaque reference that the SP resolves to the registered URL.

Once the SP receives the SAML Response, has validated it (signature, audience, conditions) and has established the identity of the user, the SP should generate an authCode, append it as a query parameter to the callback URL received in RelayState, and redirect the browser to that URL. Before redirecting, the SP must check that the RelayState URL exactly matches a redirect URI registered for the requesting client; otherwise anyone who can craft the SAML request or the IdP link can have the authCode delivered to a URL they control.

The client should then make a POST request to the token endpoint to exchange the authCode for tokens. The grant_type for this request has to be authorization_code, and the code should be short-lived and single-use, exactly as in a standard OAuth 2.0 flow.

Fig(i): The above figure demonstrates the sequence for adding SAML support to an OAuth server


To Summarise


Client App
  1. The client app should expose a callback URL and expect the SP to redirect to this URL with the authCode appended as a query parameter once the user's identity has been established through SAML.
  2. The client app should extract this authCode and exchange it for OAuth tokens. See the authorization code grant type in OAuth 2.0:
    https://oauth.net/2/grant-types/authorization-code/
Service Provider
  1. Enable the authorization_code grant type for the client credentials shared with the client app.
  2. Once a user's identity has been established through SAML, check that the URL received in the RelayState parameter matches a redirect URI registered for that client, then generate an authCode, append it to that URL and redirect there.
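The following is an added example, not code from the original post, that models the steps described in the Solution section and in this summary in a single process: the SP/authorization-server side (RelayState check, authCode issuance, token endpoint) and the client-app side (extracting the code from the callback and building the token request). The client registration, the AuthServer class and its method names are illustrative assumptions; the SAML Response validation itself is out of scope and is represented by the call to on_saml_success.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed client registration. In a real deployment this comes from the
# authorization server's client store; the values here are illustrative.
REGISTERED_CLIENTS = {
    "saml-web-app": {
        "secret": "s3cret-shared-with-client",
        "grant_types": {"authorization_code"},
        "redirect_uris": {"https://app.example.com/sso/callback"},
    }
}

CODE_TTL_SECONDS = 60  # authCodes are short-lived


@dataclass
class AuthCode:
    client_id: str
    subject: str        # NameID established from the validated SAML assertion
    redirect_uri: str   # RelayState URL the code was delivered to
    expires_at: float
    used: bool = False


class AuthServer:
    """OAuth 2.0 authorization server that also acts as the SAML Service Provider."""

    def __init__(self):
        self._codes = {}  # code -> AuthCode

    def validate_relay_state(self, client_id, relay_state):
        """RelayState must exactly match a redirect URI registered for a client that
        is allowed to use authorization_code. Without this check the authCode would
        be sent to whatever URL appears in RelayState (an open redirect)."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or "authorization_code" not in client["grant_types"]:
            raise ValueError("client may not use the authorization_code grant")
        if relay_state not in client["redirect_uris"]:
            raise ValueError("RelayState is not a registered redirect URI")
        return relay_state

    def on_saml_success(self, client_id, subject, relay_state, now=None):
        """Called after the SAML Response has been validated and the user's identity
        (subject) established. Returns the redirect URL carrying a fresh authCode."""
        now = time.time() if now is None else now
        redirect_uri = self.validate_relay_state(client_id, relay_state)
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(client_id, subject, redirect_uri, now + CODE_TTL_SECONDS)
        return redirect_uri + "?" + urlencode({"code": code})

    def token_endpoint(self, form, now=None):
        """Handles the client's POST with grant_type=authorization_code."""
        now = time.time() if now is None else now
        client = REGISTERED_CLIENTS.get(form.get("client_id", ""))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self._codes.get(form.get("code", ""))
        if (rec is None or rec.used or now > rec.expires_at
                or rec.client_id != form["client_id"]
                or rec.redirect_uri != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        rec.used = True  # single use: a replayed code is rejected by the check above
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": rec.subject}


def client_extract_code(callback_url):
    """Client app side: pull the authCode out of the redirect it received."""
    return parse_qs(urlsplit(callback_url).query)["code"][0]


def client_token_request(code):
    """Client app side: the form body it POSTs to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": "saml-web-app",
        "client_secret": "s3cret-shared-with-client",
        "redirect_uri": "https://app.example.com/sso/callback",
    }


if __name__ == "__main__":
    server = AuthServer()
    # The IdP has posted a valid SAML Response with RelayState = the client's callback URL
    redirect = server.on_saml_success("saml-web-app", "alice@example.com",
                                      "https://app.example.com/sso/callback")
    form = client_token_request(client_extract_code(redirect))
    print(server.token_endpoint(form))  # tokens for alice
    print(server.token_endpoint(form))  # replayed code -> invalid_grant
```

The exact-match check on RelayState is the part that is easy to forget when bolting SAML onto an existing OAuth server: the IdP echoes RelayState verbatim, so the SP, not the IdP, is the only place where that URL can be constrained to the client's registered redirect URIs. The code-bound redirect_uri, the expiry and the single-use flag mirror what a standard authorization_code implementation already does for the token exchange.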