Issues setting up SAML 2.0 Assertion Grant Type

We’re trying to setup the SAML 2.0 Assertion grant type per the instructions here: Implement authorization by grant type | Okta Developer

No matter what I’ve tried, I can never get this to work! I always get a response saying:

    "error": "invalid_grant",
    "error_description": "'assertion' is not a valid SAML 2.0 Assertion."

and the Service Logs have nothing useful.

What are some things I should be checking? My certs look good, the issuer in the IdP I have registered in Okta matches what’s in the assertion.

I know the instructions say I have to upload metadata. Is it something with that? I’m not really sure what the heck that’s for right now

It might be beneficial to open a case with support as some of the assertion errors provide more detailed messages that we can check on the back end. Some common issues can be,

  • the audience/recipient in the SAML Assertion does not match what is setup in the SAML IdP in Okta
  • SAML Assertion is not signed, or algorithm mismatch in Okta SAML IdP setup
  • if using an Org with a custom domain URL, a possible mismatch in issuer using either the Okta domain or custom domain
  • sending the SAML Response instead of the Assertion

There is a sample setup that can be found at GitHub - emanor-okta/saml-assertion-flow-with-okta: Sample SAML Assertion Flow
This sample uses an Okta SAML Service App as the external SAML IdP, but running the sample will show what the assertion being sent to Okta looks like and the setup can be viewed.

1 Like