Calling the Graph api after SAML2.0 auth. How do I get the Auth token required

Our web app is authenticating with Azure AD via SAML 2.0, similar to this.

In return we get a SAML assertion (SAML token).

But when the user who logs in has more than 150 groups, the response doesn't contain the group information (so that the token size doesn't exceed HTTP header size limits. More info on this).

But what it returns is a Graph API to be hit to get the group information, something like https://graph.windows.net/{tenant id}/users/{user id}/getMemberObject.

By going through this

I understand that I need to attach an Auth bearer token to the HTTP request to hit the Graph API successfully. My problem is: how do I get the Auth bearer token? How can I use the SAML token to get the Auth bearer token?

Other useful links - link1 link2

Alger answered 26/3, 2018 at 10:10 Comment(1)
One way to solve this problem is to assign only the desired list of groups to your Azure AD application; those will be provided in the token after SSO login. By default, all user groups are provided, which can lead to a huge token, and there is this limitation of 150 groups. If you configure your Azure app registration to use only a limited list of groups, it might solve your problem without the need to use a Graph API. – Cage
I've only used the non-SAML Graph API using the ADAL libraries, but from the docs it appears the NameID is the basis for requesting an access token for the Graph API:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">m_H3naDei2LNxUmEcWd0BZlNi_jVET1pMLR6iQSuYmo</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>

From this post,

"Here the Client gets a SAML bearer assertion from the SAML Identity Provider then requests an access token from the Authorisation Server using the SAML bearer assertion as proof of identity"

and this article states the entire Assertion is used to get the access token, where you:

encode the whole assertion by using base64url encoding before adding it as part of the POST request

Symphonia answered 26/3, 2018 at 11:51 Comment(4)
I also noticed the NameID part, but you can change the NameID format: <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</NameID>. Wondering, would an access token be as simple as my email id? – Alger
Thanks for digging in, really appreciate that. If I get you correctly, since I have the SAML assertion, I need to exchange it for the auth token by hitting the oauth2/token API of Microsoft. This leaves us with the questions: what's the exact API and parameters, and whether it supports SAML assertions? This gives more information about the API and parameters but doesn't confirm whether it accepts SAML assertions or not. Any pointers on this? – Alger
The link you have is for OBOF, for two APIs talking to each other. What you asked for was how to access the Graph API on behalf of the user. For that you just need an access token. The second article in the answer says to POST the base64-encoded SAML assertion to oauth2/token (it actually says oauth/token, but I checked my OpenID version of the code and the latest version uses oauth2/token). If the other end supports SAML then it will return the access token, and you use that to query the Graph API to get the user's groups, for example. – Symphonia
Hi @AbhishekAgarwal, have you resolved this issue? I am also facing this. The SAML response contains the "getMemberObject" API. I don't know how to call it by using the SAML token. – Discrepancy

It appears that exchanging a SAML token for a Graph access token is only supported for AD FS, not Azure AD. As per:

This scenario works only when AD FS is the federated identity provider that issued the original SAMLv1 token. You cannot exchange a SAMLv2 token issued by Azure AD for a Microsoft Graph access token.

Source: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion

In general, you have to add the OIDC/OAuth stack to your app. As I understand it, this is in addition to your existing SAML authentication implementation. See: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-token-exchange-saml-oauth

Marmara answered 27/10, 2022 at 16:14 Comment(0)
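As an added example (not code from the question or from any of the answers), the Python script below covers the two technical points raised in this thread: detecting in a parsed SAML assertion that the IdP dropped the groups and sent the Graph link the question describes, and building the RFC 7522 SAML 2.0 bearer assertion token request with the base64url-encoded assertion that Symphonia's answer quotes. The claim names are the ones documented for Azure AD SAML tokens and are not on this page, so treat them as an assumption; the tenant, user and client IDs are placeholders and both assertions are constructed test data. As the last answer states, Azure AD will not accept this grant for a SAMLv2 token it issued, so the request builder shows the shape of the exchange (the AD FS case), not something to send to Azure AD. The link check is there because an overage URL is data from a token: verify the assertion's signature first and only follow links to the Graph host you expect.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# SAML 2.0 assertion namespace
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names as documented for Azure AD SAML tokens (assumption: the page only shows the URL the link claim carries)
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# RFC 7522 grant type for exchanging a SAML 2.0 bearer assertion for an OAuth 2.0 access token
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Graph host from the question; only HTTPS links to this host are treated as safe to follow
EXPECTED_GRAPH_HOST = "graph.windows.net"

# Constructed overage URL in the shape the question quotes (placeholders, not real IDs)
OVERAGE_URL = "https://graph.windows.net/TENANT_ID_PLACEHOLDER/users/USER_ID_PLACEHOLDER/getMemberObject"


def constructed_assertion(attributes):
    """Build a minimal, unsigned SAML 2.0 assertion for this example (constructed test data, not a real token)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
        + "</saml:Attribute>"
        for name, values in attributes
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">'
        "<saml:Subject>"
        '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">m_H3naDei2LNxUmEcWd0BZlNi_jVET1pMLR6iQSuYmo</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>'
        "</saml:Subject>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


# Two constructed inputs: a user with a few groups, and a user over the 150-group limit
SMALL_USER_ASSERTION = constructed_assertion([
    (GROUPS_CLAIM, ["00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"]),
])
OVERAGE_USER_ASSERTION = constructed_assertion([(GROUPS_LINK_CLAIM, [OVERAGE_URL])])


def parse_group_claims(assertion_xml):
    """Collect group IDs and the overage link (if any) from the assertion's AttributeStatement.
    Assumes the caller has already verified the assertion's XML signature."""
    root = ET.fromstring(assertion_xml)
    groups, link = [], None
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if attr.get("Name") == GROUPS_CLAIM:
            groups.extend(values)
        elif attr.get("Name") == GROUPS_LINK_CLAIM and values:
            link = values[0]
    return {"groups": groups, "overage_link": link}


def groups_overage_present(claims):
    """True when the IdP omitted the groups and pointed at Graph instead."""
    return not claims["groups"] and claims["overage_link"] is not None


def is_trusted_overage_link(url):
    """Refuse to follow an overage link unless it is HTTPS and on the expected Graph host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname == EXPECTED_GRAPH_HOST


def b64url_no_pad(data):
    """base64url without '=' padding, as the quoted article requires for the assertion parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_saml_bearer_token_request(assertion_xml, client_id, scope):
    """Form fields for an RFC 7522 token request; the token endpoint URL and the HTTP call are left to the caller."""
    return {
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": b64url_no_pad(assertion_xml.encode("utf-8")),
        "client_id": client_id,
        "scope": scope,
    }


def decode_assertion_param(encoded):
    """What a token endpoint does first: restore padding and decode the assertion parameter."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


if __name__ == "__main__":
    for label, xml in (("small", SMALL_USER_ASSERTION), ("overage", OVERAGE_USER_ASSERTION)):
        claims = parse_group_claims(xml)
        print(label, claims, "overage:", groups_overage_present(claims))
    body = build_saml_bearer_token_request(OVERAGE_USER_ASSERTION, "CLIENT_ID_PLACEHOLDER", "SCOPE_PLACEHOLDER")
    print(body["grant_type"], body["assertion"][:32] + "...")
```

Running the script prints the parsed claims for both constructed users and the grant type plus the start of the encoded assertion. The form fields are kept as a plain dict so the caller can send them with whatever HTTP client the app already uses; the decode helper is the server-side mirror of the encoding and is what makes the round trip checkable.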
