In this scenario, a client obtains an assertion (a SAML 2.0 bearer assertion or a JWT bearer token) and makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns an access token. The client uses the token in an API call to the resource server (RS) to obtain data.

Assertion grant profile
[Sequence diagram. Participants: user or requesting application, client application, PingFederate IdP, PingFederate AS, RS. Steps: (1) request to access resources; the client realizes this request requires user data from another site (the RS); (2) assertion request to the IdP, assertion returned; (3) token request to the AS, access token returned; (4) request to access user data at the RS, which validates the access token and returns the requested user data; the client then returns the requested resources.]

Processing steps

  1. Some user-initiated or client-initiated event (for example, a mobile application or a scheduled task) requests access to Software as a Service (SaaS) protected resources from an OAuth client application.
  2. The client application obtains an assertion from an Identity Provider (IdP); for example, the PingFederate IdP server.
    Note:

    When using SAML assertions as authorization grants, client applications must obtain assertions that meet the requirements defined in RFC 7522. Do not use SAML assertions acquired through Browser SSO profiles here. Refer to the specification for more information.

  3. The client application makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns the access token.
  4. The client application adds the access token to its API call to the RS. The RS returns the requested data to the client application.
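The client side of steps 2 and 3 and the validation the AS performs before issuing a token, as an added example that is not PingFederate's code. It assumes a JWT bearer assertion signed with HS256 and a shared key purely so it runs offline (a real client signs with its registered key, and the AS verifies against the signing certificate and trusted issuers configured for that client); the audience value and the shared key in the usage are constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(claims: dict, key: bytes) -> str:
    """Client side (step 2): mint a compact JWS (HS256 shared key, demo only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def token_request_body(assertion: str, scope: str) -> str:
    """Client side (step 3): form body POSTed to the AS token endpoint."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})

def validate_assertion(jwt: str, key: bytes, expected_aud: str,
                       trusted_issuers: set, seen_jti: set, now: int = None) -> dict:
    """AS side (step 3): the checks RFC 7523 section 3 requires before issuing a token."""
    now = int(time.time()) if now is None else now
    h, p, s = jwt.split(".")  # ValueError if not three segments
    # Pin the algorithm before verifying; never let the token choose it.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if any(c not in claims for c in ("iss", "sub", "aud", "exp")):
        raise ValueError("missing a required claim (iss, sub, aud, exp)")
    if claims["iss"] not in trusted_issuers:
        raise ValueError("untrusted issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if expected_aud not in aud:  # the assertion must name this AS as its audience
        raise ValueError("audience mismatch")
    if now >= claims["exp"] or now < claims.get("nbf", 0):
        raise ValueError("assertion outside its validity window")
    if "jti" in claims:  # one-time use: reject a replayed assertion
        if claims["jti"] in seen_jti:
            raise ValueError("replayed assertion")
        seen_jti.add(claims["jti"])
    return claims
```

The `aud` check is what ties an assertion to this AS: an assertion minted for another audience, or one the AS has already consumed, is refused even though its signature verifies.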