Exchanging SAML Assertion for AuthToken in SAML 2.0 Assertion Flow

I am following Okta’s documentation at this link (Implement authorization by grant type | Okta Developer) to setup an application that uses the SAML 2.0 Assertion Flow. The instructions at this link did not appear to coincide with what the AIW (Application Integration Wizard) showed for setting up an App using this flow. I was unable to obtain a ClientId and ClientSecret for this app. Apparently I need to supply a digest of the ClientId and ClientSecret in the Authorization header when I make an invocation to the Okta ‘/token’ endpoint while exchanging the SAML 2.0 Assertion that you get back for the Authentication token (and Id Token etc). If anyone has done this, please tell me the right approach for this. Thanks.

Hi @ronnie-bs! Did you also create an OIDC App as demo-ed in this SAML Assertion Flow Sample?

Hi @sigama, I am using an Okta Developer Account. In that when I try to create an app, the options available for me are the following:


And if I choose the OIDC option, the Grant Types available for me are only:


I do not see the ‘SAML 2.0’ option in the grant type as can be seen in the link you have shared. Wonder if it is because I am in a Developer Okta Account?

If you create a Native OIDC app, do you see the option available?

@Andrea, Yes I see the option for SAML 2.0 and Refresh Token Grant Types along with Client Authentication performed through authCode w/ PKCE. Thank you so much. It would be great if you could update the documentation here for the benefit of other readers in the future. Thank you

It should be possible to configure a different app type with that grant type via API, but this appears to be a limitation in the UI, which I’ll look into.

Ok @Andrea, thank you again.