
SAML 2.0 Bearer Assertion Flow for OAuth 2.0 Client

There are service provider types delivered by SAP, for example SAP JAM, that use the SAML 2.0 bearer assertion flow to grant the OAuth 2.0 client an access token.

To access a resource protected by OAuth 2.0, an OAuth 2.0 client must authenticate using an access token. The grant type SAML 2.0 bearer assertion is used to obtain an initial access token from an OAuth 2.0 authorization server. The AS ABAP triggers the SAML 2.0 bearer assertion flow without any user interaction. As a prerequisite, a trust relationship between the authorization server and the AS ABAP must be in place, so that SAML 2.0 bearer assertions issued by the AS ABAP are accepted by the authorization server.

The grant type SAML 2.0 bearer assertion refers to the IETF draft of SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants. For more information, see the IETF web site.

  1. The OAuth 2.0 client triggers the SAML 2.0 bearer assertion flow by issuing a local SAML 2.0 bearer assertion.
  2. The AS ABAP embeds the SAML 2.0 bearer assertion in the access token request and sends it to the authorization server.
  3. The OAuth 2.0 client authenticates, and the authorization server validates the SAML 2.0 bearer assertion. The authorization server sends an access token response containing the access token. This step completes the SAML 2.0 bearer assertion flow.
  4. From then on, the OAuth 2.0 client can use the access token received in the previous step to access resources that are protected by OAuth 2.0 and are stored on the resource server.

Perform the SAML 2.0 bearer assertion flow if no access token is available in the OAuth 2.0 client. The flow can also be executed again later if the access tokens have expired. You can also use the refresh flow to issue refresh tokens. This flow does not require any user interaction.
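The following example, added here and not part of the SAP documentation or the AS ABAP implementation, walks through steps 1 to 3 above in plain Python: the client issues a short-lived bearer assertion, wraps it in the access token request defined by the SAML 2.0 profile for OAuth 2.0 (grant_type `urn:ietf:params:oauth:grant-type:saml2-bearer`, assertion base64url-encoded), and the authorization server validates issuer, subject confirmation method, audience and expiry before returning an access token response. It also shows the expiry case from the last paragraph, where the server answers `invalid_grant` and the client has to rerun the flow. All URLs, client IDs, user names and the fixed clock are constructed values. The XML signature check that realises the trust relationship between authorization server and AS ABAP is replaced by an issuer allowlist, because the standard library has no XML-DSig; a real server verifies the signature against the AS ABAP's certificate.

```python
"""Client and authorization-server sides of the SAML 2.0 bearer assertion grant.
Added example; all names, URLs and sample values are constructed."""
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"  # constructed
ABAP_ISSUER = "https://abap.example.com/saml2"           # constructed
# Constructed fixed clock so the example is reproducible; a real server uses the current time.
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as the profile requires for the assertion parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(issuer: str, subject: str, audience: str, now: datetime,
                    lifetime_s: int = 300) -> str:
    """Step 1: the client issues a short-lived bearer assertion for the token endpoint.
    (Unsigned here; the AS ABAP signs it so the authorization server can verify it.)"""
    not_on_or_after = (now + timedelta(seconds=lifetime_s)).strftime(TIME_FMT)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_{secrets.token_hex(8)}" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID>"
        f'<saml:SubjectConfirmation Method="{BEARER_METHOD}"/></saml:Subject>'
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )


def build_token_request(assertion_xml: str, client_id: str) -> str:
    """Step 2: form body of the access token request POSTed to the authorization server."""
    return urllib.parse.urlencode({
        "grant_type": GRANT_TYPE,
        "assertion": b64url_encode(assertion_xml.encode("utf-8")),
        "client_id": client_id,
    })


def _error(code: str, description: str) -> dict:
    return {"error": code, "error_description": description}


def validate_assertion(form_body: str, trusted_issuers: set, expected_audience: str,
                       now: datetime) -> dict:
    """Step 3: authorization-server checks. Returns an access token response, or an
    OAuth error response (invalid_grant / unsupported_grant_type) on any failed check."""
    params = dict(urllib.parse.parse_qsl(form_body))
    if params.get("grant_type") != GRANT_TYPE:
        return _error("unsupported_grant_type", "only saml2-bearer is accepted here")
    try:
        root = ET.fromstring(b64url_decode(params.get("assertion", "")))
    except (ET.ParseError, ValueError):
        return _error("invalid_grant", "assertion is not base64url-encoded SAML 2.0 XML")
    ns = {"saml": SAML_NS}
    # Trust relationship: in production this is the XML signature check against the
    # AS ABAP certificate; modelled here as an issuer allowlist.
    if root.findtext("saml:Issuer", namespaces=ns) not in trusted_issuers:
        return _error("invalid_grant", "assertion issuer is not trusted")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", ns)
    if conf is None or conf.get("Method") != BEARER_METHOD:
        return _error("invalid_grant", "subject confirmation method must be bearer")
    cond = root.find("saml:Conditions", ns)
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             namespaces=ns)
    if cond is None or audience != expected_audience:
        return _error("invalid_grant", "assertion was issued for a different audience")
    try:
        expiry = datetime.strptime(cond.get("NotOnOrAfter", ""), TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return _error("invalid_grant", "NotOnOrAfter missing or malformed")
    if now >= expiry:
        return _error("invalid_grant", "assertion expired; client must rerun the flow")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "subject": subject}


if __name__ == "__main__":
    assertion = build_assertion(ABAP_ISSUER, "JSMITH", TOKEN_ENDPOINT, DEMO_NOW)
    body = build_token_request(assertion, "SAP_CLIENT_1")
    print(validate_assertion(body, {ABAP_ISSUER}, TOKEN_ENDPOINT, DEMO_NOW))
```

The audience check matters as much as the issuer check: an assertion issued for one authorization server must not be replayable at another, so the server compares the `Audience` element with its own token endpoint. Step 4 of the flow is simply the client presenting the returned `access_token` as a Bearer token to the resource server.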