SAML Bearer Assertion Flow in Office 365, Graph API with ADFS - 1

The Puzzle


When I started working on this concept, the question was: what is the challenge in getting authenticated and accessing data through Office 365 and Azure AD? To my surprise, we learned along the way that there is much more to it than is properly documented, and this write-up should help if you also come across this particular scenario. So here is the question: what is the challenge, and what is so interesting? Don't Office 365 and Azure AD work hand in hand and give you authentication tokens to access the hub called the Graph APIs?
Well, in this particular scenario there was a series of challenges that could not be solved with a basic understanding of OAuth flows. So what's the ghost problem?

Is it really that haunting ghost?

Well, it was!

It all started with the intent of accessing the Graph API for different Office 365 workloads, viz. accessing an Outlook task or a Planner task, or reading Microsoft Teams related information.
There were a couple of approaches to take in this scenario, and no matter which approach we take, it all boils down to fetching an OAuth token, as any resource accessible through the Graph API is secured with Azure AD.
Basically, I wanted to fetch the data in the background for the user, so the user should not be prompted for credentials during the process. Hence, as a first choice, the client credentials flow was considered. This worked for quite a few APIs, I believe most of the Graph APIs that support Application permissions (e.g. SendMail, reading a SharePoint list item) when you register the app. However, for APIs that do not support Application permissions, it is a complete dead end. From my research, there were no other flows that could fetch a token or data without the prompt.
Ultimately, I came to know that the OAuth2 token endpoint for AAD supports SAML assertions, and a SAML assertion is issued in the user's context, which means delegated permissions will work. So, in a nutshell, below is the scenario.


High level flow to fetch an OAuth token based on a SAML assertion
In case you are still not getting what it is about, please check the step-by-step detailed POC in the next blog. For more details on:
1. Application vs Delegated permission - click here
2. Different OAuth flows in Office 365 - click here

In the next post I will explain how you can fetch a SAML bearer token from ADFS. To know more, please check this post.
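To make the flow above concrete, here is an added example (not code from the original post) that exchanges an ADFS-issued SAML 1.1 assertion for an Azure AD access token at the v1 token endpoint, using the grant type and form fields Microsoft documents for this flow. It assumes the assertion is already in hand; the tenant, client id, client secret and assertion XML are constructed placeholders.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Grant type and endpoint as documented by Microsoft for the v1 (resource-based)
# token endpoint; tenant, client and assertion values are constructed placeholders.
GRANT_TYPE_SAML11_BEARER = "urn:ietf:params:oauth:grant-type:saml1_1-bearer"
GRAPH_RESOURCE = "https://graph.microsoft.com"


def build_saml_bearer_request(tenant, client_id, client_secret, saml_assertion_xml,
                              resource=GRAPH_RESOURCE):
    """Return (token_url, form_fields) for exchanging an ADFS-issued SAML 1.1
    assertion for an Azure AD access token in the asserted user's context."""
    # The assertion travels base64url-encoded ('-' and '_' instead of '+' and '/').
    encoded = base64.urlsafe_b64encode(saml_assertion_xml.encode("utf-8")).decode("ascii")
    fields = {
        "grant_type": GRANT_TYPE_SAML11_BEARER,
        "assertion": encoded,
        "client_id": client_id,
        "client_secret": client_secret,  # the app still authenticates itself
        "resource": resource,            # v1 endpoint takes 'resource', not 'scope'
        "scope": "openid",
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/token", fields


def redeem_assertion(tenant, client_id, client_secret, saml_assertion_xml, post=None):
    """POST the exchange and return the parsed token response; `post(url, body)`
    is injectable so the flow can be exercised without network access."""
    url, fields = build_saml_bearer_request(tenant, client_id, client_secret,
                                            saml_assertion_xml)
    body = urlencode(fields).encode("ascii")
    if post is None:
        def post(u, b):
            req = Request(u, data=b, headers={
                "Content-Type": "application/x-www-form-urlencoded"})
            try:
                with urlopen(req) as resp:
                    return resp.read().decode("utf-8")
            except HTTPError as err:  # AAD returns its error JSON with HTTP 400
                return err.read().decode("utf-8")
    token = json.loads(post(url, body))
    if "access_token" not in token:
        # Typical causes: assertion expired or replayed, signature not trusted,
        # or the asserted user's domain is not federated with this tenant.
        raise RuntimeError("token exchange failed: "
                           + str(token.get("error_description", token)))
    return token
```

The returned access token is a delegated token for the asserted user, so it is subject to that user's Graph permissions and to the assertion's own validity window.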





