
AlexJ.82288 (Customer) asked a question.
I am working through a situation in which a user must authenticate to an application via SAML 2.0. Once they are in the app, we need the app to make a call on their behalf to an API that is secured by one of our Okta auth servers. The issue with this is that if they authenticate to the app via SAML, there is then no token to send to the auth server.
It looks like part of the solution to this is to use the SAML 2.0 Assertion Flow, which allows the app to exchange the SAML assertion for an OAuth access token from the auth server. My question is: when this exchange happens, can specific user attributes be returned as claims in that access token?

SAML tokens are XML representations of claims; SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP), such as Okta, and a service provider (SP), such as Box. You can use Attribute Statements (optional) — when you create a new SAML integration, or modify an existing one, you can define custom attribute statements. These statements are inserted into the SAML assertions shared with your app. For more information, I have attached our documentation on how to define custom attributes for SAML applications: https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US
If you are still having issues with your integration, please open a support ticket so we can assist you.
Bogdan, I understand how SAML works, but the question is specifically about the SAML 2.0 Assertion flow, in which a SAML assertion is exchanged for an OAuth access token and ID token. The question is whether the ID token that is returned will contain the same user information that was in the SAML assertion used in exchange for the token.
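The exchange Alex describes, as an added example that is not part of this thread or Okta's own code: it builds the RFC 7522 assertion-grant request body that the app would POST to the auth server's token endpoint, then compares the attribute names in a SAML assertion against the claims actually present in the returned token, so you can see which attributes did not come through as claims. Whether an attribute appears as a claim depends on how the authorization server is configured to issue claims, so this comparison is the practical check to run; the assertion, the token and the scope below are constructed for the example, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant_type


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT segments and the RFC 7522 assertion."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def saml_attribute_names(assertion_xml: str) -> set:
    """Return the Name of every <saml:Attribute> inside the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name") for a in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)}


def build_token_request(assertion_xml: str, scope: str) -> str:
    """Form-encoded body for POST /token: grant_type=saml2-bearer with the base64url assertion."""
    return urlencode({"grant_type": SAML2_BEARER,
                      "assertion": _b64url(assertion_xml.encode()),
                      "scope": scope})


def jwt_claims(token: str) -> dict:
    """Decode only the payload segment for inspection; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_attributes(assertion_xml: str, token: str) -> set:
    """SAML attribute names that have no same-named claim in the returned token."""
    return saml_attribute_names(assertion_xml) - set(jwt_claims(token))


# Constructed sample assertion with two attribute statements (not a real Okta assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID>alex@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alex@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the token the auth server would return; the signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url(json.dumps({"sub": "alex@example.com", "email": "alex@example.com", "scp": ["openid"]}).encode()),
    "constructed-signature",
])
```

Running `missing_attributes(SAMPLE_ASSERTION, SAMPLE_TOKEN)` on the constructed data reports `{'department'}`, i.e. the attribute that was in the assertion but not issued as a claim.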