0

my team is building a healthcare React application and we are using Auth0 for authentication. We are required to have SAML integration for healthcare institutions.

I have set up the Assertion Consumer Service endpoint in our application. I have set up a Keycloak instance as our internal test IDP. Right now, it is able to receive SAML responses with the assertion from the test IDP.

From here on, I’m not sure what to do next. I have read that I can request an auth token using the SAML assertion. When I try invoking this command:

curl -X POST “/oauth/token” -H “Content-Type: application/x-www-form-urlencoded” -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<64 base encoded assertion>

I get " {“error”:“unauthorized_client”,“error_description”:“Grant type ‘urn:ietf:params:oauth:grant-type:saml2-bearer’ not allowed for the client.”,“error_uri”:“”}"

What am I doing wrong? Thanks!

Improve this question
1

1 Answer 1

Reset to default
0

From here on, I’m not sure what to do next. I have read that I can request an auth token using the SAML assertion. When I try invoking this command:

The SAML assertion is the token (although it is more like an ID token than an access token).

Your app itself is already the destination or "audience", so you can't forward the SAML assertion anywhere else; you're its sole consumer.

What you do next is use a SAML library to validate its signature (against the IdP certificate), then parse it as XML to extract the asserted attributes (e.g. user ID, email address, full name, etc). Use one of those attributes (typically 'subject-id') to map the session to your internal user database, and/or use other attributes (like 'groups') to directly determine user roles.

After that, your ACS endpoint can issue some kind of auth token (of your own choice) for your JS app to use.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.