OAuth OBO Flow Azure AD

Rahul Kaim 21 Reputation points
2020-04-22T12:11:08.163+00:00

Hi Team,

I hope everyone is safe and well!!

Need your expertise on this issue:

We are trying to convert Access token to SAML token using the OAuth OBO grant type. While we request to get SAML assertions using Access token we put details such as "resource = ABC" however in saml response it is getting as "audience = spn: ABC."

The issue is we get spn with a resource value in the SAML response, which is not acceptable to our application team. Can you please shed some light on why we are getting spn appended to the SAML audience value?


3 answers

Sort by: Most helpful
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-04-23T17:24:37.92+00:00

    @rahul987, I did try this out in lab and I was able to repro the exact issue.

    The SAML response would contain audience = spn: {Guid} if you specify the resource as the {Guid}.


    This is by design. In place of the {Guid}, I tested with an API like https://graph.microsoft.com or api://{api-app-id}/user_impersonation, and then the audience would be listed as audience = https://graph.microsoft.com or audience = api://{api-app-id}/user_impersonation. In this case the spn won't be there.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


  2. Rahul Kaim 21 Reputation points
    2020-04-24T15:56:11.197+00:00

    Thanks for the suggestion,

    See, I have App 01 (created under app registration, OAuth auth code grant) and App 02 is a SAML app. App01 connects to SAML app02, and app02 has metadata with entity ID = ABC. Now if I open the app02 SAML app in the application registration blade and go to the Expose an API tab, I see Application ID URI = ABC.

    How can I change this to the format api://{api-app-id}/user_impersonation? Should I edit the value ABC and put it in this format? Will this have any impact on the application?

    Is the user_impersonation parameter mandatory?


  3. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-04-28T15:06:43.69+00:00

    Sunny987, when you register a non-gallery SAML app in AAD under the enterprise registration section, as you mentioned, the entity ID field of that app gets auto-populated from the details present in the application's metadata, which in your case got filled with entity ID = ABC.

    Now, this non-gallery app's entry would also be present in the App registration section of AAD, from where you can expose this non-gallery SAML app as an API. Once you try to expose this app as an API, you would see that the Application ID URI value is pre-populated with the same value as the entity ID.

    In this case, if your entity ID is just a {guid}, i.e. an app-id, then when you use the OBO flow and get the SAML response, you would get the audience in the SAML response as spn:{guid} or spn:{app-id}. But in case your entity ID is in the format https://ABC or api://ABC, then when you use the OBO flow and get the SAML response, you would get the audience in the SAML response as https://ABC or api://ABC.

    Now it depends on what the app metadata is fed with. You can change the details while you expose the SAML app as an API to whichever format you want, but that might break the actual functioning of the app.

    Coming to the second query, where you wanted to know if the user_impersonation permission is mandatory or not: the answer to that is yes, it's mandatory, and AAD on its own creates the user_impersonation permission when you try to expose a non-gallery SAML app as an API.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
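As an added illustration of the behaviour described in this thread (not code from the question or the answers), the script below builds the form body for the OBO exchange that returns a SAML2 assertion, predicts the Audience Azure AD will emit for a given `resource` (bare app-id GUID gives `spn:{guid}`, a URI is echoed as-is), and extracts the `<saml:Audience>` from a decoded response so the two can be compared before the assertion is handed to the relying application. The tenant id, client id and app-id GUID are placeholders; the sample assertion is constructed inline and unsigned.

```python
import base64
import re
import xml.etree.ElementTree as ET  # production code: use defusedxml

TENANT_ID = "<tenant-id>"  # hypothetical placeholder
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/token"
SAML2_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def build_obo_saml_request(client_id, client_secret, access_token, resource):
    """Form body POSTed to TOKEN_ENDPOINT (parameter names follow Microsoft's
    documented OBO-for-SAML flow). `resource` is the SAML app's Application
    ID URI / entity ID; a bare app-id GUID here yields the `spn:` audience."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": access_token,
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
        "requested_token_use": "on_behalf_of",
        "requested_token_type": "urn:ietf:params:oauth:token-type:saml2",
    }


def expected_audience(resource):
    """Audience Azure AD emits, per the answer: GUID -> spn:{guid}, URI -> URI."""
    return f"spn:{resource}" if GUID_RE.match(resource) else resource


def saml_audience(b64url_assertion):
    """Decode the base64url `access_token` of the OBO response and return the
    <saml:Audience> text. Only inspects the audience; it does not verify the
    signature, which the relying party must still do."""
    padded = b64url_assertion + "=" * (-len(b64url_assertion) % 4)
    root = ET.fromstring(base64.urlsafe_b64decode(padded))
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    aud = root.find(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML2_NS)
    if aud is None or not aud.text:
        raise ValueError("assertion has no Audience")
    return aud.text.strip()


# Constructed sample: minimal unsigned assertion shaped like the OBO response
# when `resource` was a bare app-id (placeholder GUID, not a real app).
PLACEHOLDER_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ASSERTION = base64.urlsafe_b64encode(f"""<saml:Assertion
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0"
  IssueInstant="2020-04-23T17:24:37Z"><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>spn:{PLACEHOLDER_APP_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>""".encode()).decode().rstrip("=")
```

Comparing `saml_audience(...)` with `expected_audience(resource)` makes the mismatch the application team complained about visible at the token-exchange step, before the assertion reaches the SAML app.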