ACS: obtaining JWT token from SAML

Question
Hello All,
How do I obtain a JWT token from a SAML token using ACS federated with ADFS, where ADFS issues the SAML token?
I know how to get an SWT token by making a POST request to /WRAPv0.9.
Is there any similar or OAuth 2.0 based method?
So far I found no details. Any pointer would help.
Wednesday, March 18, 2015 4:12 PM
Answers
Thomas, ACS has a way to configure the "Token Format" on the "Edit Relying Party Application" page:
https://msdn.microsoft.com/en-us/library/gg185950.aspx#BKMK
The Token format property determines the format of the tokens that ACS issues for the relying party application. ACS can issue SAML 2.0, SAML 1.1, SWT, or JWT tokens.
- Proposed as answer by Imtiaz Hussain Tuesday, April 7, 2015 9:04 PM
- Marked as answer by Neelesh Ray - MSFT (Microsoft employee) Tuesday, April 14, 2015 2:39 PM
Wednesday, April 1, 2015 10:14 PM
All replies
Hi Tomasz,
Thanks for posting here!
You can obtain a JWT token directly from ADFS. However, you need to convert it, I think by using Azure ACS.
Please see this thread link: https://social.msdn.microsoft.com/Forums/azure/en-US/dc541426-22fc-41a0-8c2e-a33701f6ebfd/get-a-jwt-token-from-a-rp-using-adfs-as-ip?forum=WindowsAzureAD
Hope this information finds you well.
Regards,
Sadiqh
Wednesday, March 18, 2015 7:34 PM
Thank you, Sadiqh.
The thing is I do NOT want to obtain my token from ADFS, since in my corporation upgrading from version 2.0 and/or turning on the required options is next to impossible.
As I stated: I need to obtain JWT from ACS.
I would appreciate any pointers.
Regards,
Tomasz
- Edited by Tomasz Jastrzębski Thursday, March 19, 2015 10:03 AM
Thursday, March 19, 2015 10:02 AM
Does this help?
http://blogs.msdn.com/b/adventurousidentity/archive/2011/09/18/acs-v2-oauth-2-0-delegation-support-explained.aspx
#4: POST a HTTP request to ACS OAuth2 endpoint for an access token
ACS returns the access token and refresh token in a JSON object in the response to the above request.
Friday, March 20, 2015 8:56 PM
Imtiaz, I am uncertain. I see SAML nowhere mentioned in this publication.
Here is the scenario: the available ADFS returns SAML bearer tokens only, while I need some STS to convert them to a JWT token.
- Edited by Tomasz Jastrzębski Tuesday, March 24, 2015 9:28 AM
Monday, March 23, 2015 3:34 PM
The above article talks about programmatically posting to the ACS /v2/OAuth2-13 endpoint; I am not sure if you have this option in your STS.
Have you considered moving the App to trust AAD (Federation Provider), which in turn federates with ADFS? If the application uses OpenIDConnect/OAuth with Azure AD, it will take care of it for you.
So it would look like:
App -> [OpenIDConnect/OAuth Request] -> AAD -> [WS-Fed Request] -> ADFS -> [SAML token] -> AAD -> [JWT token] -> App
Wednesday, March 25, 2015 3:00 PM
Well, in a corporate environment you do not just freely move apps around; especially, you do not freely move/federate security control to/with a third-party controlled service like AAD :(
Thanks,
Tomasz
Tuesday, March 31, 2015 1:29 PM