Is it possible to get an access token from ADFS with SAML authentication and use the Graph API? Also, if possible, what should I do?

大坂 翔 141 Reputation points
2021-10-04T01:17:20.51+00:00

Is it possible to get an access token from ADFS with SAML authentication and use the Graph API?
Also, if possible, what should I do?

The environment is Nodejs.

If anyone is familiar with it, I would be grateful if you could let me know.


Accepted answer
  1. Siva-kumar-selvaraj 15,601 Reputation points
    2021-10-05T10:57:56.413+00:00

    Hello @大坂 翔 ,

    Thanks for reaching out.

    May I know the reason why you want to get an access_token from ADFS to access the Graph API? Are you trying to use an on-premises account to authenticate and get access to the Graph API?

    Because you can't get an access_token with SAML authentication, as per the OASIS standard, from ADFS directly. Alternatively, when you have federation in place between Azure AD and ADFS, which is known as a hybrid identity federation scenario (for example, Azure AD and ADFS used to authenticate on-premises accounts), then when an on-premises user account tries to access protected resources like the Graph API, the flow would be:

    • The on-premises user is redirected to ADFS for authentication to get a SAML token, since federation is in place with Azure AD.
    • Once Azure AD receives a successful SAML token for the federated user from ADFS, Azure AD issues a new set of JWT tokens (access_token) for the federated user to access the Graph API resource.


    To know more, refer to What is federation with Azure AD.

    The recommended and best way is to get the access_token directly from Azure AD using any of these methods, like Get access on behalf of a user, Get access without a user, etc.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
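As an added Node.js example (not code from the thread or from Microsoft), this builds the Azure AD client-credentials request that the "Get access without a user" method uses, and checks a token's `iss`/`aud` claims before treating it as a Graph token, so an ADFS-issued token for your own API is never mistaken for one Graph would accept. The tenant id, client id, secret, ADFS hostname and sample tokens are constructed placeholders.

```javascript
// Added example: Azure AD token request + issuer/audience classification.
// All ids, secrets and hostnames used with it are constructed placeholders.

// Audiences Microsoft Graph tokens carry (URI form and Graph's app id).
const GRAPH_AUDIENCES = new Set([
  'https://graph.microsoft.com',
  '00000003-0000-0000-c000-000000000000',
]);

// Build the client-credentials request for the Azure AD v2.0 token endpoint.
// The caller POSTs `body` (form-encoded) to `url`; no network call is made here.
function buildClientCredentialsRequest({ tenantId, clientId, clientSecret }) {
  return {
    url: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
    body: new URLSearchParams({
      client_id: clientId,
      client_secret: clientSecret,
      scope: 'https://graph.microsoft.com/.default',
      grant_type: 'client_credentials',
    }).toString(),
  };
}

// Decode (NOT verify) the payload of a compact JWT so iss/aud can be inspected.
// Signature validation against the issuer's JWKS must still happen before trust.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Which authority issued the token, and is it one Graph would accept?
//   'azure-ad-graph'     -> Azure AD issued, audience is Microsoft Graph
//   'azure-ad-other-api' -> Azure AD issued, audience is some other API
//   'adfs'               -> ADFS issued; only valid for APIs federated with ADFS
function classifyToken(jwt, tenantId) {
  const { iss, aud } = decodeJwtPayload(jwt);
  const azureIssuers = [
    `https://sts.windows.net/${tenantId}/`,               // v1.0 tokens
    `https://login.microsoftonline.com/${tenantId}/v2.0`, // v2.0 tokens
  ];
  if (azureIssuers.includes(iss)) {
    return GRAPH_AUDIENCES.has(aud) ? 'azure-ad-graph' : 'azure-ad-other-api';
  }
  if (typeof iss === 'string' && /\/adfs\/services\/trust$/.test(iss)) return 'adfs';
  return 'unknown';
}

// Constructed, unsigned sample token for illustration only (dummy signature part).
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}
```

Requires Node.js 15.7 or later for `Buffer`'s `base64url` encoding.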


1 additional answer

  1. Jai Verma 461 Reputation points
    2021-10-05T18:35:18.353+00:00

    Hello @大坂 翔 ,

    If you want to access the Azure AD Graph API, it is not possible, as the Graph API is integrated with Azure AD and not with ADFS.

    However, if you have your own APIs, you can secure them with ADFS and get an access token for your APIs.
