We have Microsoft Active Directory Federation Services (ADFS) as our authentication/federation provider. We use it for performing identity federation via SAML to several external vendors, SaaS providers, etc. In addition, we have several vendors that only support OAuth, so we have configured integrations with those vendors using ADFS 2016’s OAuth support. As such, we are able to generate both SAML assertions and OAuth access tokens, as needed.

Now we have run into a situation where Vendor A (configured for SAML auth) needs to make a RESTful service call to Vendor B (configured to require OAuth tokens). Is there a way to convert an ADFS-generated SAML assertion into an ADFS-generated OAuth token? Given that both credentials are generated by ADFS, I would think that ADFS would have a way of performing the conversion. Is there an endpoint where I can POST a SAML assertion and get back the OAuth token in return? Any help would be GREATLY appreciated!!

Shadowman

1 Answer

While I can't give you an answer for ADFS and OAuth, I can give you some experience with regard to integrating two different web-based SSO systems, which may give you something to think about.

In my situation, I was wanting to get a Shibboleth IdP (same role as ADFS with SAML 2.0) to make use of an existing proprietary SSO system.

What I did was to configure my IdP to make use of 'external' authentication, in which case I had the proprietary SSO system guard just the external authentication URL; so that when people went to log in they would hit the external-auth URL, work through the other SSO system, then come back in an authenticated state to get through the external-auth URL to the IdP, which would then grant them a session.

This illustrates that you don't really 'convert' one system to the other, but you can uplift one to the other using external authentication.

A word of warning: logout becomes more of an issue. I had to customise the SLO templates that come with the IdP to integrate the other system's logout too. ADFS won't be that flexible.

Cheers, Cameron

Cameron Kerr
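The endpoint the question asks for exists as a standard outside ADFS: the OAuth 2.0 SAML bearer assertion grant (RFC 7522), where a client POSTs the assertion with `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer` and the STS issues an access token only after validating it; whether ADFS 2016 exposes that grant is not settled by this thread. The following is an added Python example, not code from either poster or from ADFS, showing the client request and the checks the token endpoint must make before issuing a token. The issuer, audience and endpoint URLs are constructed placeholders, and XML signature verification is assumed to have happened before these checks.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion with placeholder URLs (unsigned; signature
# verification is assumed to run before validate_bearer_assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_id-placeholder-1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>http://sts.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>vendor-a-service</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sts.example.test/adfs/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def build_token_request(assertion_xml: str) -> dict:
    """Client side: RFC 7522 form fields; the assertion is base64url without padding."""
    enc = base64.urlsafe_b64encode(assertion_xml.encode()).rstrip(b"=").decode()
    return {"grant_type": GRANT, "assertion": enc}

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_bearer_assertion(form, trusted_issuers, token_endpoint, now, seen_ids):
    """Token endpoint side: the RFC 7522 section 3 checks. Returns the subject
    NameID on success, raises ValueError on any failed check."""
    if form.get("grant_type") != GRANT:
        raise ValueError("unsupported grant_type")
    enc = form["assertion"]
    a = ET.fromstring(base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4)))
    if a.findtext("saml:Issuer", namespaces=NS) not in trusted_issuers:
        raise ValueError("untrusted issuer")
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        raise ValueError("not a bearer assertion")
    cond = a.find("saml:Conditions", NS)
    auds = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if token_endpoint not in auds:
        raise ValueError("token endpoint not in audience")  # stops cross-service reuse
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not nb or not na or now < parse_ts(nb) or now >= parse_ts(na):
        raise ValueError("assertion outside validity window")
    if a.get("ID") in seen_ids:
        raise ValueError("assertion replayed")  # one-time use per RFC 7522
    seen_ids.add(a.get("ID"))
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```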