authenticationkeycloaksingle-sign-onsamlauth0

What to do after SAML assertion is returned to service provider?


My team is building a healthcare React application and we are using Auth0 for authentication. We are required to have SAML integration for healthcare institutions.

I have set up the Assertion Consumer Service endpoint in our application. I have set up a Keycloak instance as our internal test IDP. Right now, it is able to receive SAML responses with the assertion from the test IDP.

From here on, I’m not sure what to do next. I have read that I can request an auth token using the SAML assertion. When I try invoking this command:

curl -X POST "/oauth/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<base64 encoded assertion>"

I get {"error":"unauthorized_client","error_description":"Grant type 'urn:ietf:params:oauth:grant-type:saml2-bearer' not allowed for the client.","error_uri":""}

What am I doing wrong? Thanks!


Solution

  • From here on, I’m not sure what to do next. I have read that I can request an auth token using the SAML assertion. When I try invoking this command:

    The SAML assertion is the token (although it is more like an ID token than an access token).

    Your app itself is already the destination or "audience", so you can't forward the SAML assertion anywhere else; you're its sole consumer.

    What you do next is use a SAML library to validate its signature (against the IdP certificate), then parse it as XML to extract the asserted attributes (e.g. user ID, email address, full name, etc). Use one of those attributes (typically 'subject-id') to map the session to your internal user database, and/or use other attributes (like 'groups') to directly determine user roles.

    After that, your ACS endpoint can issue some kind of auth token (of your own choice) for your JS app to use.
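The steps the answer describes, as an added example (not code from the question, the answer, Auth0 or Keycloak): what the ACS endpoint does with the assertion once the IdP signature has been verified by a SAML library (that step is assumed to happen before this function is called). The sample Response, the audience URL and the request ID are constructed for illustration.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # a real ACS should parse with the SAML library or defusedxml

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal Response as a test IdP such as Keycloak would POST to the ACS.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req123">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.org/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>clinicians</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def consume_assertion(response_xml, expected_audience, expected_request_id, now):
    """Return (subject, attributes) from a signature-verified Response, or raise ValueError.

    Checks the conditions the SP is responsible for: the Response answers a request we issued,
    the assertion is inside its validity window, and we are its intended audience."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match a request we issued")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    not_before = datetime.fromisoformat(cond.get("NotBefore").replace("Z", "+00:00"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subject, attrs  # map subject to your user DB, then issue your own session token

def demo():
    """Run the sample through the checks; returns (subject, attrs, wrong_audience_rejected)."""
    now = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
    subject, attrs = consume_assertion(SAMPLE_RESPONSE, "https://app.example.org/saml/metadata", "_req123", now)
    try:
        consume_assertion(SAMPLE_RESPONSE, "https://other-sp.example.org/", "_req123", now)
        rejected = False
    except ValueError:
        rejected = True
    return subject, attrs, rejected
```

From here the returned subject and the `groups` attribute are what you map to your internal user record and roles before issuing the app's own token.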