Reputation: 31
Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
Upvotes: 1
Views: 1155
Reputation: 461
You can surely use the OAuth 2.0 OBO flow that allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here and it has some really good guidance on how to achieve the same: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that your SAML request is well formulated per the details mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol
Upvotes: 1
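A sketch of the OBO exchange the answer points to, added here as an example and not code from either post: it builds the token request a middle-tier API would send with `requested_token_type` set to SAML 2.0, then base64url-decodes the returned assertion and checks its audience. The parameter names follow the linked Microsoft page; the tenant, client ID, scope and SP URLs are constructed placeholders, and the assumption is that a confidential middle-tier API (not the mobile app, which cannot hold a client secret) performs the call.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML2_AUDIENCE = "{urn:oasis:names:tc:SAML:2.0:assertion}Audience"

def build_obo_saml_request(tenant, client_id, client_secret, user_token, scope):
    """Build the token request the middle-tier API sends (nothing is sent here)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,  # confidential client only, never in the mobile app
        "assertion": user_token,         # access token the mobile app presented to this API
        "scope": scope,
        "requested_token_use": "on_behalf_of",
        "requested_token_type": "urn:ietf:params:oauth:token-type:saml2",
    }
    return url, urlencode(form)

def extract_saml_assertion(token_response, expected_audience):
    """Base64url-decode the assertion and refuse one issued for a different SP."""
    b64 = token_response["access_token"]
    xml_bytes = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    audiences = [a.text for a in ET.fromstring(xml_bytes).iter(SAML2_AUDIENCE)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion audience {audiences} does not match SP")
    return xml_bytes.decode("utf-8")  # signature validation remains the SP's job

def constructed_response(audience):
    """Constructed sample with only the field used here; not real endpoint output."""
    xml = ('<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Conditions>'
           f"<AudienceRestriction><Audience>{audience}</Audience>"
           "</AudienceRestriction></Conditions></Assertion>")
    token = base64.urlsafe_b64encode(xml.encode()).rstrip(b"=").decode()
    return {"access_token": token}

if __name__ == "__main__":
    url, body = build_obo_saml_request("contoso.example", "api-client-id",
                                       "secret-from-vault", "user-access-token",
                                       "https://sp.example/.default")
    print(url, body, sep="\n")
    print(extract_saml_assertion(constructed_response("https://sp.example"),
                                 "https://sp.example"))
```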