Commit 837fbf3

Merge pull request #206695 from Sreyanth/oauth-obo-saml-patch
fix #95133, #89233: clarify about recipient in SAML assertion via oauth2 OBO
2 parents 6e8c2eb + 3ace87f commit 837fbf3

1 file changed

+2
-2
lines changed

articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md

Lines changed: 2 additions & 2 deletions
@@ -213,8 +213,8 @@ A service-to-service request for a SAML assertion contains the following paramet
213213

214214
The response contains a SAML token encoded in UTF8 and Base64url.
215215

216-
- **SubjectConfirmationData for a SAML assertion sourced from an OBO call**: If the target application requires a recipient value in **SubjectConfirmationData**, then the value must be a non-wildcard Reply URL in the resource application configuration.
217-
- **The SubjectConfirmationData node**: The node can't contain an **InResponseTo** attribute since it's not part of a SAML response. The application receiving the SAML token must be able to accept the SAML assertion without an **InResponseTo** attribute.
216+
- **SubjectConfirmationData for a SAML assertion sourced from an OBO call**: If the target application requires a `Recipient` value in `SubjectConfirmationData`, then the value must be configured as the first non-wildcard Reply URL in the resource application configuration. Since the default Reply URL isn't used to determine the `Recipient` value, you might have to reorder the Reply URLs in the application configuration.
217+
- **The SubjectConfirmationData node**: The node can't contain an `InResponseTo` attribute since it's not part of a SAML response. The application receiving the SAML token must be able to accept the SAML assertion without an `InResponseTo` attribute.
218218
- **API permissions**: You have to [add the necessary API permissions](quickstart-configure-app-access-web-apis.md) on the middle-tier application to allow access to the SAML application, so that it can request a token for the `/.default` scope of the SAML application.
219219
- **Consent**: Consent must have been granted to receive a SAML token containing user data on an OAuth flow. For information, see [Gaining consent for the middle-tier application](#gaining-consent-for-the-middle-tier-application) below.
220220

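Review bot: the rewritten first bullet (new line 216) tells the reader the `Recipient` value is "the first non-wildcard Reply URL" and that they "might have to reorder the Reply URLs", but it never says where that ordering is visible or edited, so someone troubleshooting a `Recipient` mismatch still has to guess which list to reorder; consider naming the place in the resource application's configuration where the Reply URL list is ordered and linking to it, the way the **API permissions** bullet on line 218 already links to its procedure. Also consider stating the consequence directly, for example "If the Reply URL you need isn't first in the list, the assertion's `Recipient` will not match and the target application will reject it", so the "might have to reorder" wording reads as a requirement rather than an optional step.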