5.14.10 Exchanging SAML 2.0 Assertions with Access Token

Access Manager supports the SAML 2.0 bearer assertion grant. Access Manager supports only the authorization grant flow for this assertion type, and the assertion is used to authenticate the user.

You can use SAML 2 assertions to request an access token. Access Manager validates the assertion and generates an access token for accessing OAuth protected resources.

Consider a scenario where a user needs to access an OAuth protected resource and has already been authenticated using a SAML assertion. To access the resource, the user would have to re-authenticate and give consent again.

To avoid re-authenticating the user and asking for consent again, the application can use Access Manager to exchange the SAML 2.0 assertion for an access token.

To use assertions for requesting an access token, you must configure the settings required for the assertion issuer. The assertion issuer is the identity provider that issues the SAML assertion. You can import the settings of an Identity Server acting as a SAML identity provider, or use any other third-party identity provider as the assertion issuer.

NOTE:

  • The access token received in exchange for the assertion includes scopes based on the user's earlier consent, for example consent given during a previous authorization code flow.

  • The token time-out is based on the assertion time-out. For example, if an assertion is issued for 10 minutes and the token is requested 2 minutes later, the token is valid for 8 minutes.

    If an assertion is valid for a longer duration, you can exchange it for an access token multiple times.

  • The assertion must be Base64url-encoded.
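The following Python example is added here to illustrate the two notes above; it is not Access Manager code. It Base64url-encodes a constructed sample assertion into the form fields of a token request, and computes how much lifetime a token exchanged at a given moment can have from the assertion's NotOnOrAfter condition. The grant_type value is the one defined by RFC 7522; the client_id, issuer and audience values are assumed placeholders.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# grant_type registered by RFC 7522 for the SAML 2.0 bearer assertion grant
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed sample assertion: issued at 10:00 UTC and valid for 10 minutes.
# Issuer, audience and subject are placeholders, not real deployment values.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://am.example.test/token</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def encode_assertion(assertion_xml: bytes) -> str:
    """Base64url-encode the raw assertion XML (RFC 4648 section 5 alphabet)."""
    return base64.urlsafe_b64encode(assertion_xml).decode("ascii")


def build_token_request(assertion_xml: bytes, client_id: str, scope: str = "") -> dict:
    """Form fields for the POST to the token endpoint (endpoint URL and client_id assumed)."""
    fields = {
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": encode_assertion(assertion_xml),
        "client_id": client_id,
    }
    if scope:  # scopes beyond the earlier consent would not be granted
        fields["scope"] = scope
    return fields


def _parse_saml_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def remaining_token_lifetime(assertion_xml: bytes, now_utc: str) -> int:
    """Seconds left until NotOnOrAfter; a token exchanged now cannot outlive that.
    Returns 0 outside the NotBefore/NotOnOrAfter window. Use a hardened parser
    such as defusedxml for assertions received from untrusted sources."""
    conditions = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    not_before = _parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_saml_time(conditions.get("NotOnOrAfter"))
    now = _parse_saml_time(now_utc)
    if now < not_before or now >= not_on_or_after:
        return 0
    return int((not_on_or_after - now).total_seconds())
```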