ACS: obtaining JWT token from SAML

  • Hello All,

    How do I obtain a JWT token from a SAML token using ACS federated with ADFS, where ADFS issues the SAML token?

    I know how to get an SWT token by making a POST request to /WRAPv0.9.

    Is there any similar or OAuth 2.0 based method?

    So far I have found no details. Any pointer would help.

    Wednesday, March 18, 2015 4:12 PM

All replies

  • Hi Tomasz,

    Thanks for posting here!

    You can obtain a JWT token directly from ADFS. However, you need to convert it, I think by using Azure ACS.

    Please see this thread link: https://social.msdn.microsoft.com/Forums/azure/en-US/dc541426-22fc-41a0-8c2e-a33701f6ebfd/get-a-jwt-token-from-a-rp-using-adfs-as-ip?forum=WindowsAzureAD

    Hope this information finds you well.

    Regards,

    Sadiqh

    Wednesday, March 18, 2015 7:34 PM
  • Thank you, Sadiqh.

    The thing is, I do NOT want to obtain my token from ADFS, since in my corporation an upgrade from version 2.0 and/or turning on the required options is next to impossible.

    As I stated: I need to obtain JWT from ACS.

    I would appreciate any pointers.

    Regards,

    Tomasz


    Thursday, March 19, 2015 10:02 AM
  • Does this help?

    http://blogs.msdn.com/b/adventurousidentity/archive/2011/09/18/acs-v2-oauth-2-0-delegation-support-explained.aspx

    #4: POST an HTTP request to the ACS OAuth2 endpoint for an access token. ACS returns the access token and refresh token in a JSON object in the response to the above request.

    Friday, March 20, 2015 8:56 PM
  • Imtiaz, I am uncertain. I see SAML mentioned nowhere in this publication.

    Here is the scenario: the available ADFS returns SAML bearer tokens only, while I need some STS to convert them to a JWT token.

    Monday, March 23, 2015 3:34 PM
  • The above article talks about programmatically posting to the ACS /v2/OAuth2-13 endpoint; I am not sure if you have this option in your STS.

    Have you considered moving the app to trust AAD (Federation Provider), which in turn federates with ADFS? If the application uses OpenID Connect/OAuth with Azure AD, it will take care of it for you.

    So it would look like

    App -> [OpenID Connect/OAuth Request] -> AAD -> [WS-Fed Request] -> ADFS -> [SAML token] -> AAD -> [JWT token] -> App

    Wednesday, March 25, 2015 3:00 PM
  • Well, in a corporate environment you do not just freely move apps around, and especially you do not freely move/federate security control to/with a third-party controlled service like AAD :(

    Thanks,

    Tomasz

    Tuesday, March 31, 2015 1:29 PM
  • Tomasz, ACS has a way to configure the "Token Format" on the "Edit Relying Party Application" page:
    https://msdn.microsoft.com/en-us/library/gg185950.aspx#BKMK
    The Token format property determines the format of the tokens that ACS issues for the relying party application. ACS can issue SAML 2.0, SAML 1.1, SWT, or JWT tokens.

    Wednesday, April 1, 2015 10:14 PM