Try WSO2 Cloud for Free
Sign in
Skip to end of metadata
Go to start of metadata

SAML 2.0 is an XML-based protocol. It uses security tokens containing assertions to pass information about an end-user between a SAML authority and a SAML consumer. A SAML authority is an identity provider (IDP) and a SAML consumer is a service provider (SP).

Enterprise applications that have SAML2 based SSO infrastructures sometimes need to consume OAuth-protected resources through APIs. However, these apps prefer to use the existing trust relationship with the IDP, even if the OAuth authorization server is entirely different from the IDP. The API Cloud leverages this trust relationship by exchanging the SAML2.0 token to an OAuth token with the authorization server. It acts as the OAuth authorization server. 

The diagram below depicts this scenario. It uses WSO2 Identity Server (version 4.5.0 onwards) as an example for the IDP. You can use any IDP instead, according to your preference.

The steps of the above diagram are explained below:

Step [1]: User initiates a login call to an enterprise application

Step [2]:

  • As the application is a SAML SP, it redirects the user to the SAML2.0 IDP to log in. 
  • The user provides credentials at the IDP and is redirected back to the SP with a SAML2.0 token signed by the IDP. 
  • The SP verifies the token and logs the user to the application. 
  • The SAML 2.0 token is stored in the user's session by the SP.  

Step [3]:

  • The enterprise application (SP) wants to access an OAuth2 protected API resource through WSO2 API Cloud.
  • The application makes a request to the API Cloud to exchange the SAML2 bearer token for an OAuth2.0 access token.
  • The API Cloud validates the assertion and returns the access token.

Step [4]: User does API invocations through the API Cloud by setting it as an Authorization header with the returned OAuth2 access token.

Let's configure the token exchange.

Configuring the token exchange

Before you begin, make sure you have the following:

  • A valid user account in the API Store.
  • An Identity Provider which is capable of issuing SAML tokens.
  • A valid consumer key and consumer secret. Initially, these keys must be generated through the API Store by clicking the Generate link on My Subscriptions page.

To configure the Identity Provider, contact WSO2 API Cloud Support via a support request or chat.

Provide the following values: 

  • Identity Provider Public Certificate: The certificate used to sign the SAML assertion. Export the public certificate of WSO2 IS and import it here.  

  • Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias. E.g.,
  • Identity Provider Entity Id: The SAML2 issuer name specified when generating the assertion token, which contains the unique identifier of the IDP.

  • SSO URL: Enter the IDP's SAML2 Web SSO URL value. E.g., https://localhost:9444/samlsso/ if you have offset the default port, which is 9443.

Invoking the Token API to generate tokens

Follow the steps below to invoke the token API to generate access tokens from SAML2 assertions.

  1. Combine the consumer key and consumer secret keys as consumer-key:consumer-secret. Encode the combined string using base64 ( Here's an example consumer key and secret combination: wU62DjlyDBnq87GlBwplfqvmAbAa:ksdSdoefDDP7wpaElfqvmjDue.
  2. Access the token API using a REST client such as the WSO2 REST Client or Curl. The parameters are explained below:
    • Assuming that both the client and the API Gateway run on the same server, the Token API URL is

    • payload - "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<SAML2_Encoded_Assertion_Token> &scope=PRODUCTION". Replace the <SAML2_Encoded_Assertion_Token> value as appropriate.

    • headers - Authorization :Basic <base64 encoded consumer-key:consumer-secret>, Content-Type: application/x-www-form-urlencoded. Replace the <base64 encoded consumer-key:consumer-secret> as appropriate.

    For example, the following Curl command is used to access the Token API. It generates an access token and a refresh token. You can use the refresh token at the time a token is renewed

    curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>, Content-Type: application/x-www-form-urlencoded"<your_tenant_domain>
  • No labels