Sunny987 asked:

OAuth OBO Flow Azure AD

Hi Team,

I hope everyone is safe and well!

Need your expertise on this issue:

We are trying to convert an access token to a SAML token using the OAuth OBO grant type. When we request SAML assertions using the access token we pass details such as "resource = ABC"; however, in the SAML response it comes back as "audience = spn:ABC".

The issue is that we get spn together with the resource value in the SAML response, which is not acceptable to our application team. Can you please shed some light on why we are getting spn appended to the SAML audience value?

azure-active-directory

soumi-MSFT answered:

@rahul987, I did try this out in a lab and I was able to repro the exact issue.

The SAML response would contain audience = spn:{Guid} if you specify the resource as the {Guid}.

[screenshot: obo.png]
This is by design. In place of the {Guid}, I tested with an API like https://graph.microsoft.com or api://{api-app-id}/user_impersonation, and then the audience would be listed as audience = https://graph.microsoft.com or audience = api://{api-app-id}/user_impersonation. In this case the spn won't be there.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


@rahul987, just wanted to follow up with you to check if the above response helped in answering your query. If it did, please do not forget to accept the response as Answer. If it didn't, please do let us know so that we can try to help you f

Sunny987 answered:

Thanks for the suggestion.

See, I have App 01 (created under App registrations with the OAuth auth code grant) and App 02 is a SAML app. App01 connects to the SAML app02, and app02 has metadata with entity ID = ABC. Now, if I open the app02 SAML app in the App registrations blade and go to the Expose an API tab, I see Application ID URI = ABC.

How can I change this to the format api://{api-app-id}/user_impersonation? Should I edit the value ABC and put it in this format? Will this have any impact on the application?

Is the user_impersonation parameter mandatory?


soumi-MSFT answered:

Sunny987, when you register a non-gallery SAML app in AAD under the Enterprise applications section, as you mentioned, the entity ID field of that app gets auto-populated from the details present in the application's metadata, which in your case got filled with entity ID = ABC.

Now, this non-gallery app's entry would also be present in the App registrations section of AAD, from where you can expose this non-gallery SAML app as an API. Once you try to expose this app as an API, you would see that the Application ID URI value is pre-populated with the same value as the entity ID.

In this case, if your entity ID is just a {guid}, i.e. an app ID, then when you use the OBO flow and get the SAML response, you would get the audience in the SAML response as spn:{guid} or spn:{app-id}. But in case your entity ID is in the format https://ABC or api://ABC, then when you use the OBO flow and get the SAML response, you would get the audience in the SAML response as https://ABC or api://ABC.

Now it depends on what the app metadata is fed with. You can change the details while you expose the SAML app as an API to whichever format you want, but that might break the actual functioning of the app.

Coming to the second query, where you wanted to know if the user_impersonation permission is mandatory or not: the answer to that is yes, it's mandatory, and AAD on its own creates the user_impersonation permission when you try to expose a non-gallery SAML app as an API.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


@Sunny987, I wanted to follow up and understand if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


@soumi-MSFT thanks for the detailed explanation.

What I did: I went to the application object of the SAML app > Expose an API > added Application ID URI = API://ABC, which then propagated the same value to the entity ID in the SAML enterprise blade, which is the service principal of the SAML app.

We changed both the URI and the entity ID to the same format, but we are now getting API://ABC in the audience?

Is there proper documentation on how to make sure of each and every thing in code while doing this flow?

@Sunny987, thank you for sharing the details. Both parameters, Entity ID and Application ID URI, are connected in the backend. If you change the value of one parameter, it is reflected on the other parameter.

The fact that really matters is what your actual application expects to be sent as audience by AAD. Based on that you make the configuration on AAD. As mentioned earlier, if your entity ID is just a {guid}, i.e. an app ID, then when you use the OBO flow and get the SAML response, you would get the audience in the SAML response as spn:{guid} or spn:{app-id}. But in case your entity ID is in the format https://ABC or api://ABC, then when you use the OBO flow and get the SAML response, you would get the audience in the SAML response as https://ABC or api://ABC.

I don't think these things are specifically mentioned in any docs as of now.

Hope this helps.
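As an added example (not code from the thread or from Microsoft), here is a Python check of the point soumi-MSFT makes above: decode the SAML assertion the OBO exchange returns, read its AudienceRestriction, and accept it only when the audience equals the entity ID the application expects, flagging the spn:{guid} case that results from a bare app-ID entity ID. The sample assertions are constructed inline, and the entity ID api://ABC and the GUID are placeholders, not values from the thread.

```python
import base64
import uuid
import xml.etree.ElementTree as ET  # for untrusted assertions prefer defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_audiences(assertion_b64: str) -> list:
    """Return every <saml:Audience> value in a base64-encoded SAML 2.0 assertion."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    return [
        aud.text.strip()
        for aud in root.iterfind(".//saml:AudienceRestriction/saml:Audience", SAML_NS)
        if aud.text
    ]


def _is_guid(value: str) -> bool:
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False


def check_audience(assertion_b64: str, expected_entity_id: str) -> dict:
    """Accept the assertion only if its audience is exactly the expected entity ID.

    When the audience is spn:{guid}, report the cause described in the thread:
    the entity ID / Application ID URI is a bare application ID, not a URI.
    """
    audiences = extract_audiences(assertion_b64)
    result = {"audiences": audiences, "accepted": expected_entity_id in audiences, "hint": None}
    for aud in audiences:
        if not result["accepted"] and aud.startswith("spn:") and _is_guid(aud[4:]):
            result["hint"] = (
                "audience is spn:{guid}: the entity ID / Application ID URI is a bare app ID; "
                "set it to a URI such as api://<app-id-uri> or https://<host> so AAD emits that URI"
            )
    return result


def sample_assertion(audience: str) -> str:
    """Constructed, unsigned minimal assertion used only to exercise the parser."""
    xml = (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">'
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )
    return base64.b64encode(xml.encode()).decode()
```

A real assertion must also have its signature, issuer and validity window verified before the audience check means anything; this block covers only the audience mismatch the thread is about.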