
Using Azure AD, I have a .NET Core Web API Controller that has authenticated the user using OAuth2 and I have a JWT Bearer token and a Claims Principal.

Is there any way of using either of these to generate a SAML token so I can call another API, that only supports SAML, on behalf of this user?

2 Answers


AFAIK, currently that is not possible in an on-behalf-of scenario. Similar discussions here and here are for your reference.

Nan Yu

Yes, this is a possible and supported scenario on the Azure AD v.1 endpoint.

This is supported as a non-standard extension of the On-Behalf-Of authorization flow in the OAuth2 framework. More details on the concrete implementation by the Azure AD v.1 endpoint are documented here.

Of course, your OIDC application must be granted at least the "user_impersonation" permission on the SAML-integrated app/API in order for the On-Behalf-Of flow to work.

This has been supported almost since the beginning in the v.1 endpoints.

astaykov
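An added example, not code from either answer or from Microsoft's samples, showing the two halves of what the second answer describes: the v1 On-Behalf-Of request that asks for a SAML2 assertion instead of a JWT, and the checks a Web API should run on the returned assertion before forwarding it to the SAML-only API. The parameter names follow the v1 OBO documentation the answer points to (verify against it); the tenant, client, subject and audience values below are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_obo_saml_request(client_id, client_secret, incoming_jwt, saml_app_id_uri):
    """Form body POSTed to https://login.microsoftonline.com/{tenant}/oauth2/token (v1)."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": incoming_jwt,             # bearer token the Web API received
        "resource": saml_app_id_uri,           # App ID URI of the SAML-only API
        "requested_token_use": "on_behalf_of",
        "requested_token_type": SAML2_TOKEN_TYPE,  # ask for SAML2 rather than a JWT
    }

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_saml_assertion(token_response, expected_audience, now_iso=None):
    """Decode the base64 assertion and refuse it unless token_type, validity window and
    Audience match what we asked for. The XML signature is checked by the consuming API."""
    if token_response.get("token_type") != SAML2_TOKEN_TYPE:
        raise ValueError("not a SAML2 assertion response")
    xml = base64.b64decode(token_response["access_token"])
    cond = ET.fromstring(xml).find("saml:Conditions", NS)
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not issued for the expected audience")
    return xml.decode()

# Constructed sample of a v1 OBO response carrying a SAML2 assertion (values made up).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">'
    '<saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>'
    '<saml:Conditions NotBefore="2020-01-01T12:00:00Z" NotOnOrAfter="2020-01-01T13:00:00Z">'
    '<saml:AudienceRestriction><saml:Audience>https://saml-api.contoso.example</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
)
SAMPLE_RESPONSE = {"token_type": SAML2_TOKEN_TYPE,
                   "access_token": base64.b64encode(SAMPLE_ASSERTION.encode()).decode()}
```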