SAML Bearer Assertions

The oauth_saml_bearer_grant feature implements the SAML 2.0 profile for OAuth 2.0 Client Authentication and Authorization Grants.

This feature requires the ruby-saml gem.

Who is it for

It is meant to be used by systems where the OAuth Authorization Server is decoupled from the Identity Provider, and the Identity Provider is a SAML 2.0 Identity Provider.

How to use it

plugin :rodauth do
  enable :oauth_saml_bearer_grant
end

Attributes

SAML settings are bound to a client application, and stored in its own database table, identified by the oauth_saml_settings_table auth method (default: :oauth_saml_settings). They contain the following attributes:

id

  • option: oauth_saml_settings_id_column
  • default: :id

The SAML settings primary key.

oauth application id

  • option: oauth_saml_settings_oauth_application_id_column
  • default: :oauth_application_id

The client application associated with the SAML settings.

Identity provider certificate

  • option: oauth_saml_settings_idp_cert_column
  • default: :idp_cert

The Identity Provider certificate (in PEM format).

Check Identity provider certificate expiration

  • option: oauth_saml_settings_idp_cert_check_expiration_column
  • default: :idp_cert_check_expiration

Whether to check for the aforementioned certificate expiration.

Identity provider certificate fingerprint

  • option: oauth_saml_settings_idp_cert_fingerprint_column
  • default: :idp_cert_fingerprint

The Identity Provider certificate fingerprint.

Identity provider certificate fingerprint algorithm

  • option: oauth_saml_settings_idp_cert_fingerprint_algorithm_column
  • default: :idp_cert_algorithm

The Identity Provider certificate fingerprint algorithm.

Name Identifier format

  • option: oauth_saml_settings_name_identifier_format_column
  • default: :name_identifier_format

The SAML name identifier format used to extract the user identifier from the SAML assertion (when not set, the value of the auth method oauth_saml_name_identifier_format is used, which is "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" by default).

Issuer

  • option: oauth_saml_settings_issuer_column
  • default: :issuer

The SAML assertion issuer.

Audience

  • option: oauth_saml_settings_audience_column
  • default: :audience

The SAML assertion audience (when not set, the OAuth provider token URL will be used when validating the assertion).

URLs

/token

The token endpoint supports receiving the following arguments:

  • "grant_type" can receive "urn:ietf:params:oauth:grant-type:saml2-bearer";
  • "assertion" should receive the SAML assertion;

Client Authentication

The oauth_saml_bearer_grant feature can be used for token endpoint client authentication.

When paired with another grant, e.g. the authorization code grant, it supports these extra parameters:

  • "client_assertion_type" can receive "urn:ietf:params:oauth:client-assertion-type:saml2-bearer";
  • "client_assertion" should be the SAML assertion;

along with the grant's own parameters, e.g. "grant_type=authorization_code&code=eos234..234".
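Both token requests described above, as an added client-side example that is not part of rodauth-oauth itself: it builds the form bodies for the grant flow ("assertion") and for the client-authentication flow ("client_assertion" alongside an authorization code). The assertion is base64url-encoded as RFC 7522 requires; the SAML XML and the URLs in it are constructed placeholders, not a signed assertion from a real IdP.

```ruby
require "base64"
require "uri"

SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SAML2_BEARER_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"

# Constructed, unsigned stand-in for an IdP-issued assertion. A real one must carry a
# valid XML signature, an Issuer/Audience matching the stored SAML settings, and an
# unexpired Conditions element, or the token endpoint will reject it.
SAMPLE_ASSERTION = <<~XML
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://as.example.com/token</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
XML

# RFC 7522 section 2.1/2.2: the assertion parameter is base64url, without padding.
def encode_assertion(assertion_xml)
  Base64.urlsafe_encode64(assertion_xml, padding: false)
end

def decode_assertion(encoded)
  Base64.urlsafe_decode64(encoded)
end

# Grant flow: the assertion *is* the authorization grant.
def saml_bearer_grant_body(assertion_xml, scope: nil)
  params = { "grant_type" => SAML2_BEARER_GRANT, "assertion" => encode_assertion(assertion_xml) }
  params["scope"] = scope if scope
  URI.encode_www_form(params)
end

# Client-authentication flow: the assertion authenticates the client, while the grant
# itself is something else (here an authorization code), as in the text above.
def saml_bearer_client_auth_body(assertion_xml, code:, redirect_uri: nil)
  params = {
    "grant_type" => "authorization_code",
    "code" => code,
    "client_assertion_type" => SAML2_BEARER_CLIENT_ASSERTION,
    "client_assertion" => encode_assertion(assertion_xml)
  }
  params["redirect_uri"] = redirect_uri if redirect_uri
  URI.encode_www_form(params)
end

# What the server side sees after form decoding (also used by the checks below).
def parse_token_body(body)
  URI.decode_www_form(body).to_h
end
```

Either body is POSTed as application/x-www-form-urlencoded to the /token endpoint; the server then validates the decoded assertion against the client's stored SAML settings (certificate, issuer, audience, name identifier format).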
