OAuth SAML2 Bearer Authentication (Okta)

I'm having trouble with the SAML2Bearer authentication method. I'm trying to perform SAML2Bearer authentication and retrieve an access token, but I'm unable to do so even after referring to this link (https://developer.genesys.cloud/authorization/platform-auth/use-saml2-bearer).
I'm using Okta as the IdP, and GenesysCloud is registered with Okta. I have also registered the integration details between Okta and GenesysCloud, and I have confirmed that login through SSO is possible.

Objective:
I want to use the SAML2Bearer authentication method provided by GenesysCloud and obtain an access token.

Questions:
I would like to know how to obtain the assertion information, which is a parameter for SAML2Bearer, as mentioned in the above link.
grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=

What I have investigated and done:

  1. I generated a SamlRequest for GenesysCloud and sent it to Okta, but I received an error. When I created a separate SP and registered it with Okta, I was able to receive the SamlResponse (assertion) successfully.
  2. I obtained the source code from the following GitHub repository and executed it, but I couldn't retrieve the assertion.
    GitHub - MyPureCloud/saml2bearer-oauth-example
  3. I tried sending a SAML2Bearer authentication request to https://login.mypurecloud.jp/oauth/token using the assertion returned from the custom SP in step 1 as a parameter, but it resulted in an error. I also made sure to encode it in Base64.
  4. When I send the SamlResponse assertion, which is issued when clicking on the Okta image link on the GenesysCloud login page, to https://login.mypurecloud.jp/oauth/token, I receive a 400 error with "error": "invalid_request".


Okta gives it to you on the post back to your app/service after the user completes authentication with Okta. This is handled in the example here: saml2bearer-oauth-example/server.js at master · MyPureCloud/saml2bearer-oauth-example · GitHub.
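The post-back Tim refers to is the `SAMLResponse` form field that Okta POSTs to the SP's assertion consumer URL; the value of the `assertion=` parameter in the question is the `<saml2:Assertion>` element inside that response, Base64-encoded again. The following is an added example, not code from this thread or from the MyPureCloud/saml2bearer-oauth-example repository. It decodes such a post-back, checks the status code, the Audience and the NotBefore/NotOnOrAfter window, cuts the assertion out of the original bytes so that an enveloped XML signature on it stays intact, and builds the token request. The sample response is constructed and unsigned; the audience value, the `orgName` parameter and the Basic client credentials are assumptions taken from the Genesys documentation linked in the question and should be verified there and against your org's SSO settings. Signature verification is left to the token endpoint, which holds the IdP certificate configured for SSO.

```python
"""Added example (not from the thread or the MyPureCloud repo): from an Okta
SAMLResponse post-back to an RFC 7522 saml2-bearer token request."""
import base64
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAML_P, "saml": SAML_A}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Start tag of a (possibly prefixed) <Assertion>; does not match <EncryptedAssertion>.
ASSERTION_START = re.compile(rb"<(?P<prefix>(?:[A-Za-z_][\w.-]*:)?)Assertion[\s>]")

# Constructed sample of a decoded SAMLResponse form field, trimmed and unsigned.
# Real Okta responses carry <ds:Signature> elements on the Response and/or Assertion.
SAMPLE_AUDIENCE = "https://login.mypurecloud.jp"  # assumed SP entity ID; check your org's SSO settings
SAMPLE_RESPONSE_XML = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="id-resp-1"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://login.mypurecloud.jp/saml">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.okta.com/EXAMPLE</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id-assert-1" Version="2.0"
      IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>http://www.okta.com/EXAMPLE</saml2:Issuer>
    <saml2:Subject><saml2:NameID>user@example.com</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml2:AudienceRestriction><saml2:Audience>https://login.mypurecloud.jp</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode("ascii")
SAMPLE_NOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)   # inside the validity window
SAMPLE_LATE = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)  # after NotOnOrAfter


def _parse_saml_time(value: str) -> datetime:
    """SAML uses xs:dateTime in UTC with a trailing 'Z'; fromisoformat needs '+00:00' before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_assertion(saml_response_b64: str, expected_audience: str,
                      now: Optional[datetime] = None,
                      skew: timedelta = timedelta(seconds=60)) -> bytes:
    """Validate a SAMLResponse post-back and return the raw bytes of its <Assertion>."""
    xml_bytes = base64.b64decode(saml_response_b64, validate=True)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAML_P}}}Response":
        raise ValueError(f"not a SAML 2.0 Response: {root.tag}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext <Assertion> (EncryptedAssertion is not handled here)")

    # Relying-party checks on <Conditions> before the assertion is forwarded anywhere.
    # An assertion issued to a different SP carries that SP's Audience and fails here,
    # just as RFC 7522 requires the token endpoint to reject it.
    now = now or datetime.now(timezone.utc)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no <Conditions>")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_saml_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now - skew >= _parse_saml_time(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = [(a.text or "").strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")

    # Slice the assertion out of the original bytes instead of re-serializing the parsed
    # tree: ElementTree may rename namespace prefixes, which changes the canonical form
    # and invalidates an enveloped XML signature over the assertion.
    m = ASSERTION_START.search(xml_bytes)
    if m is None:
        raise ValueError("could not locate <Assertion> start tag in raw XML")
    end_tag = b"</" + m.group("prefix") + b"Assertion>"
    end = xml_bytes.index(end_tag, m.start()) + len(end_tag)
    return xml_bytes[m.start():end]


def build_token_request(assertion_xml: bytes, org_name: str,
                        client_id: str, client_secret: str) -> Tuple[Dict[str, str], str]:
    """Headers and form body for POST /oauth/token.
    orgName and the Basic client credentials follow the Genesys SAML2 bearer docs linked
    in the question and are assumptions to verify there. Standard Base64 follows the
    question; RFC 7522 itself specifies base64url, so check what the endpoint expects."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {creds}"}
    body = urlencode({"grant_type": GRANT_TYPE, "orgName": org_name,
                      "assertion": base64.b64encode(assertion_xml).decode("ascii")})
    return headers, body


if __name__ == "__main__":
    assertion = extract_assertion(SAMPLE_RESPONSE_B64, SAMPLE_AUDIENCE, SAMPLE_NOW)
    hdrs, form = build_token_request(assertion, "example-org", "client-id", "client-secret")
    print("POST https://login.mypurecloud.jp/oauth/token")
    print(hdrs)
    print(form[:100] + "...")
```

In a real SP the `saml_response_b64` argument is `request.form["SAMLResponse"]` from the POST Okta sends to the ACS URL registered in the Okta app, and `expected_audience` is the SP entity ID configured there. If the audience check fails on a response you obtained through a custom SP, that is also why the token endpoint would reject the same assertion.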

Thanks for the reply, Tim.

I understood that part of your reply, too.

The question is, what request do I send to Okta to authenticate?

I am not getting a SamlResponse back from Okta, which is SSO-linked to GenesysCloud.
With SPs other than GenesysCloud, a SamlResponse is returned from Okta, but with GenesysCloud, an error occurs.

I would just like to know what SamlRequest to send to Okta.

The redirect to Okta is shown here: saml2bearer-oauth-example/index.html at master · MyPureCloud/saml2bearer-oauth-example · GitHub. Also see the readme in the repo in the Okta App section, which links to the Genesys Cloud documentation for details about how to configure the Genesys Cloud side and which also links to the Okta documentation for how to configure the Okta side.

I'm sorry, it seems like my intended message didn't come across clearly.

I am not interested in redirects. I want to know how to obtain the assertion for sending a SAML request. Specifically, I would like to know how to obtain the SAML Assertion described in the following link: https://developer.genesys.cloud/authorization/platform-auth/use-saml2-bearer#requesting-an-access-token.

I would like to retrieve the assertion information mentioned in this source code: saml2bearer-oauth-example/server.js at master · MyPureCloud/saml2bearer-oauth-example · GitHub.

In this source code, it appears that Okta is posting to node.js as shown here: saml2bearer-oauth-example/server.js at master · MyPureCloud/saml2bearer-oauth-example · GitHub. How did you configure Okta for this?

Even if you configure SSO between GenesysCloud and Okta, I don't think Okta will post to your custom node.js server.

I'm not an API/SSO expert, but just to make sure, Motoori-san, did you follow Tim's comment that says "and which also links to the Okta documentation for how to configure the okta side", including the "Okta App" section pointed to by GitHub - MyPureCloud/saml2bearer-oauth-example? Let's also see what Tim has to say. Thanks,

Masaki-san,

Thank you for your response. I appreciate it. Yes, I have indeed configured Okta. On the same Okta instance, I have registered the following:

  1. Okta (IdP) ⇔ GenesysCloud (SP)
  2. Okta (IdP) ⇔ Sample App - saml2bearer-oauth-example (SP)

Regarding Tim's comment, "Also see the readme in the repo in the Okta App section that links to the Genesys Cloud documentation for details about how to configure the Genesys Cloud side and which also links to the Okta documentation for how to configure the Okta side," I am aware of this. I followed the instructions in the documentation while registering. Multiple times.

SSO between GenesysCloud and Okta is successful, but the Saml2Bearer authentication is failing.

(The original post also included a Japanese translation of the above message.)
