Context:
- AD domain, AAD Connect, Office365 tenant
- ADFS deployed, federation between AD and AAD
- SAP GW on premise, with SAML and OAuth configured
- SAP GW does not support integration with AAD (only SAML SSO, and it's required to use its own OAuth server)
Scope:
I'm trying to build an application in SharePoint online where the authenticated user can:
- fetch data from the SAP gateway (on behalf of the user)
- fetch data from Microsoft Graph
Design (So far):
- The user accesses Office 365 and authenticates with ADFS
- With ADAL/MSAL I'm able to acquire an OAuth token from AAD and get data from Graph (supported by the registration of an Enterprise application in AAD with permission for Graph)
Issue:
- The OAuth token generated by AAD is not validated by the SAP OAuth Server on-prem if I try to access the on-prem SAP API.
What should I do?
Should I get another SAML assertion directly from ADFS to get another OAuth token from the SAP OAuth Server to access the on-premise SAP API? If so, how can I get a SAML assertion (to call the SAP OAuth server) from ADFS without passing the user's credentials to ADFS (like in this example: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion) and by using information available in the user session (already authenticated with AAD)?
Is there a way to configure ADFS to accept SAML assertions / JWT tokens originating from AAD?
Should I do something else?
Any idea on how I could support this scenario?
Thank you