
Using a SAML assertion to get authorisation for the Graph API

Anonymous
2020-01-21T15:39:35+00:00

Our organisation uses SSO to log in to Office 365 and our own intranet. The SSO process returns a SAML2 assertion, which is available to our code.

I was hoping to use this to get an authorisation token to access the Graph API.

I have followed the instructions here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion

and I end up with an error: "AADSTS50107: The requested federation realm object 'https://sts.windows.net/xyzzy/' does not exist."

I have come to the conclusion that this is because our Office365 domain is managed, not federated, and that this won't work with a managed domain (though it's not obvious why not).

I have also followed the instructions here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow

and I end up with a different error: "AADSTS700001: Application: spn:xyzzy needs to opt-in for 'aio' optional claim for On Behalf Of flow to work with SAML tokens issued to this application".

I don't know how to opt in for the 'aio' optional claim. This claim doesn't appear in the list in the application config.

I would be grateful for any help in getting past either of these two errors, or for any alternative approach that would enable me to get an authorisation token for the Graph API using the SAML assertion.

Thanks


Locked Question. This question was migrated from the Microsoft Support Community.

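For readers hitting the same two errors, the request the first linked document (v2-saml-bearer-assertion) describes can be built and inspected offline before anything is sent. The following is an added example and not code from the original post or from Microsoft; the tenant name, client ID, client secret, the SAML assertion and the JSON error body are all constructed here for illustration. It builds the token request for the documented grant type `urn:ietf:params:oauth:grant-type:saml1_1-bearer` with the assertion base64url-encoded, pulls the `Issuer` out of the assertion so it can be compared against the realm named in an AADSTS50107 response, and extracts the AADSTS code from a token-endpoint error body so it can be matched on rather than string-searched by hand.

```python
"""Azure AD v2 SAML bearer-assertion token request, built and checked offline.

Added example: the tenant, client_id, client_secret, assertion and error body
below are constructed values, not real ones.
"""
import base64
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Grant type named in the v2 SAML bearer assertion documentation.
SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml1_1-bearer"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SAML2_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AADSTS_RE = re.compile(r"\bAADSTS\d+\b")

# Constructed SAML2 assertion; the Issuer deliberately matches the realm in the
# AADSTS50107 error quoted in the question so the two can be compared.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2020-01-21T15:00:00Z">
  <saml:Issuer>https://sts.windows.net/xyzzy/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Constructed token-endpoint error body using the error text from the question.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": "AADSTS50107: The requested federation realm object "
                         "'https://sts.windows.net/xyzzy/' does not exist.\r\n"
                         "Trace ID: 00000000-0000-0000-0000-000000000000",
})


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding the assertion parameter takes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def saml_issuer(assertion_xml: str) -> str:
    """Return the <saml:Issuer> of a SAML2 assertion (the realm Azure AD looks up)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", SAML2_NS)
    if issuer is None or not issuer.text:
        raise ValueError("assertion has no Issuer element")
    return issuer.text.strip()


def build_saml_bearer_request(tenant: str, client_id: str, client_secret: str,
                              assertion_xml: str, scope: str):
    """Return (url, form-encoded body) for the SAML bearer assertion grant."""
    form = {
        "grant_type": SAML_BEARER_GRANT,
        "assertion": b64url_encode(assertion_xml.encode("utf-8")),
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(form)


def send_token_request(url: str, body: str):
    """POST the request over the network; returns (status, parsed JSON).
    Not exercised by the offline demo below."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(
        url, data=body.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def parse_aad_error(response_json: str) -> dict:
    """Extract the OAuth error, the AADSTS code and the first description line."""
    body = json.loads(response_json)
    desc = body.get("error_description", "")
    match = AADSTS_RE.search(desc)
    return {
        "error": body.get("error"),
        "aadsts": match.group(0) if match else None,
        "description": desc.splitlines()[0] if desc else "",
    }


def realm_matches_issuer(response_json: str, assertion_xml: str) -> bool:
    """True when an AADSTS50107 error names the realm the assertion was issued by."""
    info = parse_aad_error(response_json)
    return info["aadsts"] == "AADSTS50107" and saml_issuer(assertion_xml) in info["description"]


if __name__ == "__main__":
    url, body = build_saml_bearer_request(
        "contoso.onmicrosoft.com", "app-id", "app-secret",
        SAMPLE_ASSERTION, "https://graph.microsoft.com/.default")
    print(url)
    print(body[:80] + "...")
    print(parse_aad_error(SAMPLE_ERROR))
    print("realm in error is the assertion issuer:",
          realm_matches_issuer(SAMPLE_ERROR, SAMPLE_ASSERTION))
```

When `realm_matches_issuer` returns true, the endpoint is rejecting the assertion's own issuer as an unknown federation realm, which is the situation described in the question for a managed domain; that check separates this case from a malformed request.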

Answer accepted by question author

Anonymous
2020-01-22T05:40:33+00:00

Hello cmgharris,

Using a SAML assertion to get authorisation for the Graph API is part of Azure Active Directory (Azure AD) for developers. We are the Office 365 support team and mostly help users with Office 365 problems. Although much of Office 365 identity and authorization is based on AAD, please forgive us for not having enough professional knowledge to help you with this symptom.

To better help you, we recommend you post your concern in the Stack Overflow forum for further assistance. Engineers there have more expert experience to help you with this symptom. Here are the Support and help options for developers for your reference.

Thanks for your understanding and cooperation.

Best Regards,

Sylvie


1 additional answer

Anonymous
2020-01-22T08:51:39+00:00

Ok, thanks