
rahimr.49354 (Customer) asked a question.
We are trying to implement the SAML 2.0 Assertion grant (https://developer.okta.com/docs/guides/implement-grant-type/saml2assert/main/) in our tool. In that, we are using both the Identity Provider (IdP) and the authorization servers in Okta. When we try to call the token endpoint using the below sample request body:
curl --location --request POST 'https://${yourOktaDomain}/oauth2/default/v1/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic MG9hb....' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer' \
--data-urlencode 'scope=openid offline_access' \
--data-urlencode 'assertion=<Base64-encoded assertion>'
we are getting the below error:
{
"error": "invalid_grant",
"error_description": "'assertion' is not a valid SAML 2.0 Assertion."
}
Kindly help us to resolve this issue.
Thanks
Barani

Hello @rahimr.49354 (Customer)
Thanks for posting.
It might be beneficial to open a case with support as some of the assertion errors provide more detailed messages that we can check on the back end. Some common issues can be:
There is a sample setup that can be found at https://github.com/emanor-okta/saml-assertion-flow-with-okta
This sample uses an Okta SAML Service App as the external SAML IdP, but running the sample will show what the assertion being sent to Okta looks like and the setup can be viewed.
Let us know if this helps you.
Daniela Chavarria.
Okta Inc.
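A pre-flight check for the assertion value before it goes into the token request, added here as an example and not code from either post or from Okta: it decodes the base64, confirms the root element is a SAML 2.0 Assertion rather than a whole Response, and reports Issuer, Audience, NotOnOrAfter and whether an enveloped Signature is present. The sample token and the example.test / okta.test hostnames are constructed.

```python
import base64
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NSMAP = {"saml": SAML2_ASSERTION_NS, "ds": "http://www.w3.org/2000/09/xmldsig#"}

def to_b64(xml: str) -> str:
    # Standard base64, the form the 'assertion' form parameter carries.
    return base64.b64encode(xml.encode()).decode()

def inspect_assertion(b64_assertion: str) -> dict:
    # Decode the token and report what a token endpoint checks first; 'problems' lists likely rejection reasons.
    try:
        raw = base64.b64decode("".join(b64_assertion.split()), validate=True)  # join() drops pasted line breaks
        root = ET.fromstring(raw)
    except ValueError as exc:  # binascii.Error is a ValueError
        return {"problems": [f"not standard base64 (base64url or truncated?): {exc}"]}
    except ET.ParseError as exc:
        return {"problems": [f"decoded bytes are not well-formed XML: {exc}"]}
    ns, _, local = root.tag[1:].partition("}") if root.tag.startswith("{") else ("", "", root.tag)
    text = lambda el: el.text.strip() if el is not None and el.text else None
    conditions = root.find("saml:Conditions", NSMAP)
    findings = {
        "root": local,
        "issuer": text(root.find("saml:Issuer", NSMAP)),
        "audience": text(root.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NSMAP)),
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "signed": root.find("ds:Signature", NSMAP) is not None,
        "problems": [],
    }
    if (ns, local) == (SAML2_PROTOCOL_NS, "Response"):
        findings["problems"].append("whole <samlp:Response> sent; the grant expects the bare <saml:Assertion>")
    elif (ns, local) != (SAML2_ASSERTION_NS, "Assertion"):
        findings["problems"].append(f"root is <{local}> in namespace '{ns}', not a SAML 2.0 Assertion")
    for key in ("issuer", "audience", "not_on_or_after"):
        if findings[key] is None:
            findings["problems"].append(f"missing {key}")
    if not findings["signed"]:
        findings["problems"].append("no enveloped <ds:Signature> on the Assertion")
    return findings

# Constructed sample, not a real token; deliberately unsigned so the check flags it.
SAMPLE_ASSERTION_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
    '<saml:Issuer>http://idp.example.test</saml:Issuer><saml:Conditions NotOnOrAfter='
    '"2023-01-01T00:05:00Z"><saml:AudienceRestriction><saml:Audience>https://example.okta.test'
    '/oauth2/default</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
)
SAMPLE_ASSERTION_B64 = to_b64(SAMPLE_ASSERTION_XML)
```

Run `inspect_assertion()` on the exact string you pass as `assertion=` in the curl request; an empty `problems` list means the structure is at least what the grant expects, leaving signature validity, issuer trust and audience matching to the server.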