Calling the Graph API after SAML 2.0 auth. How do I get the auth token required?

Views: 108

Problem description

Our web app is authenticating with the Azure AD via SAML 2.0, similar to this.

In return we get a SAML assertion (SAML token).

But when the user who logs in has more than 150 groups, the response doesn't contain the group information (so that the token size doesn't exceed HTTP header size limits. More info on this).

But what it returns is a Graph API to be hit to get the group information, something like https://graph.windows.net/{tenant id}/users/{user id}/getMemberObject.

I understand that I need to attach an Auth bearer token to the HTTP request to hit the Graph API successfully. My problem is how do I get the Auth bearer token? How can I use the SAML token to get the Auth bearer token?

Other useful links: Link 1

Recommended answer

I've only used the non-SAML Graph API using the ADAL libraries, but from the docs it appears the NameID is the basis for requesting an access token for the Graph API:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">m_H3naDei2LNxUmEcWd0BZlNi_jVET1pMLR6iQSuYmo</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>

From this post:

"Here the Client gets a SAML bearer assertion from the SAML Identity Provider then requests an access token from the Authorisation Server using the SAML bearer assertion as proof of identity"

and this article states the entire Assertion is used to get the access token, where you:

encode the whole assertion by using base64url encoding before adding it as part of the POST request
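The answer describes the OAuth 2.0 SAML bearer assertion grant (RFC 7522): the client base64url-encodes the whole assertion and POSTs it to the token endpoint as `assertion`, with `grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer`. The example below, added here and not part of the original answer, shows that encoding step end to end: it pulls the NameID out of the Subject element quoted above, builds the form body, and then decodes it the way a token endpoint would so the round trip can be checked offline. The assertion XML is a constructed sample built around the quoted Subject, and the `client_id`, scope value and token endpoint URL are placeholders; whether a given Azure AD tenant accepts the `saml2-bearer` grant type, and which resource/scope value it expects, must be confirmed against the Azure AD documentation.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522

# Constructed sample: a minimal unsigned assertion wrapping the Subject quoted in the answer.
# A real assertion from Azure AD is signed and carries Conditions, AudienceRestriction, etc.
SAMPLE_ASSERTION = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<Subject>"
    '<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
    "m_H3naDei2LNxUmEcWd0BZlNi_jVET1pMLR6iQSuYmo</NameID>"
    '<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />'
    "</Subject>"
    "</Assertion>"
)


def extract_name_id(assertion_xml: str) -> Tuple[str, str]:
    """Return (NameID value, NameID Format) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f".//{{{SAML_NS}}}NameID")
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    return name_id.text.strip(), name_id.get("Format", "")


def base64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7522 requires for the assertion parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def base64url_decode(text: str) -> bytes:
    """Inverse of base64url_encode: restore padding, then decode."""
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


def build_saml_bearer_request(assertion_xml: str, client_id: str, scope: str) -> Dict[str, str]:
    """Form fields for the token request. client_id/scope are placeholders supplied by the caller."""
    return {
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": base64url_encode(assertion_xml.encode("utf-8")),
        "client_id": client_id,
        "scope": scope,
    }


def encode_form_body(fields: Dict[str, str]) -> str:
    """application/x-www-form-urlencoded body for the POST."""
    return urllib.parse.urlencode(fields)


def decode_assertion_from_body(body: str) -> str:
    """What the token endpoint does first: recover the XML before validating its signature."""
    fields = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    if fields.get("grant_type") != SAML2_BEARER_GRANT:
        raise ValueError("unexpected grant_type")
    return base64url_decode(fields["assertion"]).decode("utf-8")


if __name__ == "__main__":
    value, fmt = extract_name_id(SAMPLE_ASSERTION)
    print("NameID:", value, "(", fmt, ")")
    # Placeholder values; a real client sends this body over TLS to the tenant's token endpoint.
    body = encode_form_body(
        build_saml_bearer_request(SAMPLE_ASSERTION, "<client-id>", "https://graph.windows.net/.default")
    )
    print("POST body:", body)
    print("round trip ok:", decode_assertion_from_body(body) == SAMPLE_ASSERTION)
```

The client does nothing with the assertion except encode it; the authorisation server is the party that checks the IdP signature, audience and validity window before issuing the access token. Because the encoded assertion is itself a bearer credential, it belongs only in the body of a TLS request to the token endpoint, never in a URL or a log line.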

