OAuth 2.0 Tutorial 4: The SAML Grant Type

Video created by sinch07 on Jul 23, 2014

    The Problem

    We need to define an OAuth 2.0 interface that will grant access to a client application on the basis of a SAML assertion.


    The Solution

    The Layer 7 OAuth Toolkit supports all the core grant types in the OAuth 2.0 specification, as well as the SAML Bearer extension grant type. The SAML Bearer extension allows validation of SAML tokens as a key part of granting an OAuth access token.

    Many traditional SOA implementations rely on the SAML (Security Assertion Markup Language) specification for defining access control permissions across enterprise boundaries, without including personal credential information such as a user’s password. SAML relies on an inherent trust relationship between the SAML token issuer and an authorization server consuming that token. Layer 7 has extended the traditional SAML trust model to OAuth interactions.

    The Layer 7 OAuth Toolkit provides several constructs specifically for dealing with the SAML Bearer grant type, including client app, resource server and authorization server implementations. In the video tutorial at the bottom of this page, we view the various grant types and show how to select those that apply to a particular API. We also explore the SAML Bearer grant type implementation and review a SAML identity provider endpoint for generating assertions.

    In our test application, the user is redirected to a SAML-issuing endpoint on our Gateway, which authenticates the user. Initiating the SAML handshake, the user provides valid credentials and is redirected back to the sample application along with a SAML assertion.

    Within the OAuth Authorization Server template, you will need to modify the branch representing the SAML Bearer grant type. It should be tailored to only trust a specific SAML issuer. A placeholder suggests the proper location within the Layer 7 policy – this is where you would define a federated identity provider to allow as an issuer:



    Initiating the OAuth handshake sends the SAML assertion to the authorization server. An access token is generated and delivered back to the client application through the redirect.
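    As an added example (not part of the original tutorial or the Layer 7 policy itself), the checks below show what the SAML Bearer branch of the authorization server must enforce on the token request: the assertion is accepted only from the one configured issuer, carries bearer subject confirmation, names this token endpoint as its audience, and has not expired. The trusted issuer URL, the audience value and the sample assertion are constructed for illustration; XML signature verification is assumed to happen earlier in the gateway policy.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import parse_qs, urlencode
# Hypothetical values (not from the page): the one SAML issuer the authorization
# server trusts, and the token endpoint's own entity ID (the expected Audience).
TRUSTED_ISSUER = "https://gateway.example.com/saml/idp"
EXPECTED_AUDIENCE = "https://gateway.example.com/auth/oauth/v2/token"
SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # UTC, tz-aware

def check_saml_bearer_request(body: str, now: datetime) -> tuple:
    """Trust checks for a token-endpoint form body carrying a SAML bearer grant.
    Assumes the gateway policy already verified the assertion's XML signature."""
    form = parse_qs(body)
    if form.get("grant_type") != [SAML_BEARER]:
        return False, "unsupported_grant_type"
    try:  # the assertion is base64url without padding (RFC 7522); restore it
        b64 = form["assertion"][0]
        root = ET.fromstring(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)))
    except (KeyError, ValueError, ET.ParseError):
        return False, "invalid_request"
    if root.findtext("saml:Issuer", "", NS).strip() != TRUSTED_ISSUER:
        return False, "untrusted_issuer"  # only the configured issuer is accepted
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER_CM:
        return False, "not_a_bearer_assertion"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        return False, "missing_conditions"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "audience_mismatch"
    if now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion_expired"
    return True, "ok"

def build_request(issuer: str, audience: str, not_after: str) -> str:
    """Constructed, unsigned sample assertion wrapped as a token request body."""
    xml = (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" ID="_c1">'
           f"<saml:Issuer>{issuer}</saml:Issuer>"
           f'<saml:Subject><saml:SubjectConfirmation Method="{BEARER_CM}"/></saml:Subject>'
           f'<saml:Conditions NotOnOrAfter="{not_after}"><saml:AudienceRestriction>'
           f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>")
    b64 = base64.urlsafe_b64encode(xml.encode()).decode().rstrip("=")
    return urlencode({"grant_type": SAML_BEARER, "assertion": b64})
```

Every rejection returns a distinct reason so the policy can log why an assertion was refused, which is what you want to see in the authorization server's audit trail when a token request from an unexpected issuer arrives.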