OAuth 2.0 SAML bearer assertion flow

Rahul Kaim 21 Reputation points
2020-04-26T08:14:34.97+00:00

I am trying to use the OAuth 2.0 SAML bearer assertion flow, where I exchange a SAML assertion for an access token. However, I am getting the following error:

"error":"invalid_request","error_description":"AADSTS50107: The requested federation realm object 'https://sts.windows.net/tenantid/' does not exist." ..

Can you please help me with what needs to be checked and what could be missing?

Microsoft Entra ID

Accepted answer
  1. soumi-MSFT 11,746 Reputation points Microsoft Employee
    2020-05-19T06:54:57.413+00:00

    @Rahul Kaim, I am afraid there are no documents available that explain the creation/use of a SOAP envelope. But I had used a sample SOAP envelope to test the same in my lab. I had used it with ADFS. Please find the sample SOAP envelope below:

    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
                xmlns:a="http://www.w3.org/2005/08/addressing"
                xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
        <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
        <a:To s:mustUnderstand="1">https://<ADFS Service Name>/adfs/services/trust/13/UsernameMixed</a:To>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:UsernameToken>
            <o:Username><upn of the federated domain user></o:Username>
            <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Password</o:Password>
          </o:UsernameToken>
        </o:Security>
      </s:Header>
      <s:Body>
        <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <a:EndpointReference>
              <a:Address>urn:federation:MicrosoftOnline</a:Address>
            </a:EndpointReference>
          </wsp:AppliesTo>
          <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
          <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
        </trust:RequestSecurityToken>
      </s:Body>
    </s:Envelope>

    Here you need to set the ADFS service name, the UPN of the user from the on-prem domain and its password in the respective lines within this SOAP envelope, and we need to send this in the body of the following request to ADFS:

    https://<adfs-service-name>/adfs/services/trust/13/usernamemixed

    Hope this helps.
    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


1 additional answer

  1. soumi-MSFT 11,746 Reputation points Microsoft Employee
    2020-04-26T13:53:43.323+00:00

    @Rahul Kaim, are you trying to submit the SAML assertion to AAD itself or to some other IdP? I ask this question because the SAML bearer assertion flow is meant only for federated domains and not for managed domains, as the response shared by the IdP (in the case of a managed domain) is not trusted by that same IdP, because the managed domain is not a part of the Azure trusted domain list. Only federated domains are part of Azure's trusted domain list.

    You can refer to the following: https://github.com/MicrosoftDocs/azure-docs/issues/45071

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
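The two answers above describe the same pipeline: send the UsernameMixed RST to ADFS, take the SAML 1.1 assertion out of the response, and present it to Azure AD, which only accepts it when the assertion's Issuer is a federated realm it knows. The following is an added example, not code from either answer or from Microsoft: it builds the RST with an XML library so the UPN and password are escaped rather than spliced into a string template, checks the Issuer of a constructed (unsigned) response against the expected realm before base64-encoding it, and shapes the token request. The grant-type and form-field names are taken from the public Azure AD documentation as I recall it and should be treated as assumptions, as are all host names, realm values and client ids.

```python
# Added example (not from the thread). Hosts, realm, client_id and the grant/form
# field names are assumptions; the RSTR at the bottom is constructed for the test.
import base64, re
import xml.etree.ElementTree as ET

NS = {"s": "http://www.w3.org/2003/05/soap-envelope", "a": "http://www.w3.org/2005/08/addressing",
      "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy", "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
WST = NS["trust"]

def _el(parent, prefix, local, text=None, attrib=None):
    e = ET.SubElement(parent, "{%s}%s" % (NS[prefix], local), attrib or {})
    e.text = text
    return e

def build_rst(adfs_host, upn, password):
    """Serialise the RST; ET escapes '<' and '&' in the UPN/password, unlike string templating."""
    mu = {"{%s}mustUnderstand" % NS["s"]: "1"}
    env = ET.Element("{%s}Envelope" % NS["s"])
    hdr = _el(env, "s", "Header")
    _el(hdr, "a", "Action", WST + "/RST/Issue", mu)
    _el(hdr, "a", "To", "https://%s/adfs/services/trust/13/UsernameMixed" % adfs_host, mu)
    tok = _el(_el(hdr, "o", "Security", None, mu), "o", "UsernameToken")
    _el(tok, "o", "Username", upn)
    _el(tok, "o", "Password", password, {"Type": "http://docs.oasis-open.org/wss/2004/01/"
                                         "oasis-200401-wss-username-token-profile-1.0#PasswordText"})
    rst = _el(_el(env, "s", "Body"), "trust", "RequestSecurityToken")
    ref = _el(_el(rst, "wsp", "AppliesTo"), "a", "EndpointReference")
    _el(ref, "a", "Address", "urn:federation:MicrosoftOnline")
    _el(rst, "trust", "KeyType", WST + "/Bearer")
    _el(rst, "trust", "RequestType", WST + "/Issue")
    return ET.tostring(env, encoding="utf-8")

def extract_assertion(rstr_bytes, expected_realm):
    """Base64 of the SAML 1.1 assertion in an RSTR, after checking Issuer is the federated realm."""
    node = ET.fromstring(rstr_bytes).find(".//saml:Assertion", NS)
    if node is None or node.get("Issuer") != expected_realm:
        raise ValueError("no assertion, or Issuer is not the federated realm (cf. AADSTS50107)")
    # Slice the raw bytes rather than re-serialising, which could break the XML signature.
    m = re.search(rb"<(?:(\w+):)?Assertion\b.*?</(?:\1:)?Assertion>", rstr_bytes, re.S)
    return base64.b64encode(m.group(0)).decode("ascii")

def token_request(assertion_b64, client_id, resource):
    # Form body for the token endpoint's SAML 1.1 bearer grant (assumed from the public docs).
    return {"grant_type": "urn:ietf:params:oauth:grant-type:saml1_1-bearer",
            "assertion": assertion_b64, "client_id": client_id, "resource": resource}

# Constructed, unsigned RSTR standing in for what ADFS returns (real ones are signed).
SAMPLE_RSTR = (b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
               b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" '
               b'MinorVersion="1" AssertionID="_constructed" Issuer="http://fs.contoso.example/adfs/services/trust">'
               b'<saml:AttributeStatement/></saml:Assertion></s:Body></s:Envelope>')
```

The Issuer check is the local counterpart of what Azure AD does when it reports AADSTS50107: if the realm is not federated in the tenant, no amount of fixing the envelope will make the token request succeed.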