SAML2 → OAuth Token Exchange Failing: Assertion Invalid (SAML App + OIDC App in Same Okta Org)

1705031 · November 28, 2025, 4:37am

Hello Team,

I am trying to implement an Okta-to-Okta token exchange using the SAML2 assertion grant.
My setup is fully within the same Okta org, and I am using:

A SAML 2.0 Application for user authentication
An OIDC (OAuth) Application to issue tokens
The OIDC app has urn:ietf:params:oauth:grant-type:saml2-bearer enabled

Flow:

User logs in through the SAML 2.0 application (Okta is the IdP).
I receive the SAMLResponse at my ACS endpoint.
I extract the raw SAML Assertion and encoded into base 64 format.
I POST it to the Okta /token endpoint with the SAML2 assertion grant.
Okta returns an assertion error such as “assertion’ is not a valid SAML 2.0 Assertion”.

Problem:
Despite everything appearing correct, Okta still rejects the assertion.

Post		Replies	Views
Getting 'assertion is not a valid SAML 2.0 Assertion' when exchanging IdP SAML Assertion for Okta Auth Token Questions	2	3516	July 25, 2022
Assertion is not a valid SAML 2.0 Assertion error SAML	6	3015	February 15, 2024
Invalid Grant for SAML Assertion Flow SAML	4	63	July 24, 2025
Invalid assertion for SAML Assertion Flow SAML	5	5619	July 7, 2021
Issues setting up SAML 2.0 Assertion Grant Type SAML	2	3697	October 14, 2021

SAML2 → OAuth Token Exchange Failing: Assertion Invalid (SAML App + OIDC App in Same Okta Org)

Related topics