In this scenario, a client obtains an assertion, either a SAML 2.0 bearer assertion or a JSON Web Token (JWT) bearer token, and makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns an access token. The client uses the token in an API call to the RS to obtain data.

Assertion grant profile
[Sequence diagram. Participants: user or requesting application, client application, PingFederate IdP, PingFederate AS, RS. Flow: (1) request to access resources; the client realizes that this request requires user data from another site (RS); (2) assertion request and assertion; (3) token request and access token; (4) request to access user data, the RS validates the access token and returns the requested user data; the requested resources are returned to the user.]

Processing steps

  1. A user-initiated or client-initiated event, such as a mobile application or a scheduled task, requests access to software as a service (SaaS) protected resources from an OAuth client application.
  2. The client application obtains an assertion from an IdP.
    Note:
    When using SAML assertions as authorization grants, client applications must obtain assertions that meet the requirements defined in RFC 7522. Do not use SAML assertions acquired through browser single sign-on (SSO) profiles here.

  3. The client application makes an HTTP request to the PingFederate OAuth AS to exchange the assertion for an access token. The OAuth AS validates the assertion and returns the access token.
  4. The client application adds the access token to its API call to the RS. The RS returns the requested data to the client application.
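Steps 2 and 3 of the JWT bearer variant as an added example that is not part of the PingFederate documentation: the IdP mints a bearer assertion with the claims RFC 7523 requires, the client turns it into the token request form fields, and the AS side shows the checks (signature, issuer, audience, subject, expiry) that must pass before an access token is issued. The token endpoint host is a placeholder, and HS256 with a shared demo key stands in for the IdP's asymmetric signature so the code runs offline.

```python
import base64, hashlib, hmac, json

# Assumed placeholder for the PingFederate AS token endpoint (host is made up).
TOKEN_ENDPOINT = "https://pf.example.com:9031/as/token.oauth2"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(key: bytes, issuer: str, subject: str, now: int, ttl: int = 300) -> str:
    """IdP side (step 2): mint a compact JWS with the claims RFC 7523 requires.
    HS256 with a shared key stands in for the IdP's asymmetric signature (demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + ttl, "jti": f"{issuer}-{now}"}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def build_token_request(assertion: str, scope: str = "read") -> dict:
    """Client side (step 3): form fields POSTed to TOKEN_ENDPOINT."""
    return {"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope}

def validate_assertion(assertion: str, key: bytes, trusted_issuer: str, now: int) -> dict:
    """AS side (step 3): checks that must pass before an access token is returned."""
    h64, c64, s64 = assertion.split(".")  # ValueError if not three parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    aud = claims.get("aud")
    if claims.get("iss") != trusted_issuer:
        raise ValueError("untrusted issuer")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("assertion not intended for this AS")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired or has no exp")
    return claims
```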