Does not apply to Identity Cloud

How do I transform an AM session token to a SAML2 assertion in AM (All versions) using REST STS?

Last updated Jan 16, 2023

The purpose of this article is to provide information on transforming an AM session token to a SAML2 assertion in AM using REST STS (Security Token Service). It assumes you have already successfully configured a REST STS instance for SAML2 transformations.


Transforming a session token to a SAML2 token

To perform the transformation, you make a REST call to the following endpoint:

[AM-URL]/rest-sts/[instance]?_action=translate

where [AM-URL] is the base URL of your AM deployment and [instance] is the name of the REST STS instance, including the realm in which it exists. For example: employees/testSTS.

Example using curl

The following example authenticates the demo user to AM in order to obtain a valid session token, then uses the REST STS instance (called testSTS in the employees realm) to transform that session token into a SAML2 assertion. [AM-URL] stands for the base URL of your AM deployment. The tokenId returned in step 1 is a bearer credential for the demo session and the assertion returned in step 2 is a bearer assertion: treat both as secrets and send these requests over HTTPS only.

  1. Authenticate as the demo user. For example:

     $ curl -X POST \
       -H "X-OpenAM-Username: demo" \
       -H "X-OpenAM-Password: changeit" \
       -H "Content-Type: application/json" \
       -H "Accept-API-Version: resource=2.1" \
       [AM-URL]/json/authenticate

     Example response:

     { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/am/console", "realm": "/" }

  2. Transform the received session token to a SAML2 assertion by making a REST call to the /rest-sts/employees/testSTS?_action=translate endpoint, passing the tokenId value from step 1 as session_id. For example:

     $ curl -X POST \
       -H "Content-Type: application/json" \
       -d '{ "input_token_state": { "token_type": "OPENAM", "session_id": "AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" }, "output_token_state": { "token_type": "SAML2", "subject_confirmation": "BEARER", "service_provider_assertion_consumer_service_url": "" } }' \
       [AM-URL]/rest-sts/employees/testSTS?_action=translate

     Example SAML2 assertion returned:

     {"issued_token":"<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"s2a1033a774e80d5f09c8aaebe5fddc337184f950f\" IssueInstant=\"2015-08-03T23:15:18Z\" Version=\"2.0\">\n<saml:Issuer>Example</saml:Issuer><saml:Subject>\n<saml:NameID Format=\"urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified\">demo</saml:NameID><saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\">\n<saml:SubjectConfirmationData NotOnOrAfter=\"2015-08-10T21:55:18Z\" Recipient=\"\"/></saml:SubjectConfirmation>\n</saml:Subject><saml:Conditions NotBefore=\"2015-08-03T23:15:18Z\" NotOnOrAfter=\"2015-08-10T21:55:18Z\">\n<saml:AudienceRestriction>\n<saml:Audience>ExampleEmployeesSP</saml:Audience>\n</saml:AudienceRestriction>\n</saml:Conditions>\n<saml:AuthnStatement AuthnInstant=\"2015-08-03T23:15:18Z\"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"}

     The assertion is returned as an escaped XML string in the issued_token field. Note what the example does and does not contain: the subject is demo, subject confirmation is bearer, the audience is ExampleEmployeesSP and the validity window (NotBefore to NotOnOrAfter) is one week, all governed by the SAML2 configuration of the STS instance; there is no ds:Signature element, which is only added when assertion signing is enabled in that configuration. A service provider should not accept an unsigned bearer assertion, so enable signing on the instance and verify the lifetime before using the output with a real SP. If the session_id is invalid or the session has expired, AM rejects the translate request instead of issuing an assertion.
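The following is an added example, not ForgeRock code, showing the client side of the two-step procedure above together with the checks a relying party should run on the issued bearer assertion before trusting it. It assumes an AM base URL of the form https://am.example.com/am, the employees/testSTS instance from the article, a hypothetical assertion consumer service URL https://sp.example.com/saml2/acs, and a constructed sample assertion modelled on the one returned above (unsigned, one-week window). The HTTP call is injectable so the flow runs offline against a test double; signature verification itself is out of scope and only the presence of a signature is checked.

```python
"""Session token -> SAML2 bearer assertion via AM REST STS, plus relying-party checks.
Added example, not ForgeRock code. Hostnames, instance name and ACS URL are assumptions."""
import json
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML_NS, "ds": DSIG_NS}


def build_translate_request(session_id, acs_url):
    """JSON body for POST [AM-URL]/rest-sts/[instance]?_action=translate:
    OPENAM session token in, SAML2 bearer assertion out (shape taken from the article)."""
    return {
        "input_token_state": {"token_type": "OPENAM", "session_id": session_id},
        "output_token_state": {
            "token_type": "SAML2",
            "subject_confirmation": "BEARER",
            "service_provider_assertion_consumer_service_url": acs_url,
        },
    }


def _http_post_json(url, body):
    # Real transport. The body carries a session token, so only ever use an https:// URL.
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def translate_session(base_url, instance, session_id, acs_url, post=_http_post_json):
    """Return the issued assertion XML. post(url, bytes) -> str is injectable for offline use."""
    url = f"{base_url}/rest-sts/{instance}?_action=translate"
    body = json.dumps(build_translate_request(session_id, acs_url)).encode()
    return json.loads(post(url, body))["issued_token"]


def _instant(value):
    # SAML dateTime as AM emits it: UTC, 'Z' suffix, whole seconds.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(assertion_xml, audience, recipient, now, require_signature=True):
    """Relying-party checks on a bearer assertion. Returns (subject, problems);
    trust the subject only when problems is empty."""
    problems = []
    root = ET.fromstring(assertion_xml)  # for XML from an untrusted party prefer defusedxml
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return None, ["root element is not a SAML2 Assertion"]
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        problems.append("no Subject NameID")
    if require_signature and root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _instant(nb):
            problems.append("assertion not yet valid")
        if noa is None or now >= _instant(noa):
            problems.append("assertion expired or has no NotOnOrAfter")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append(f"audience {audience!r} not in {audiences}")
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER_METHOD:
        problems.append("no bearer SubjectConfirmation")
    else:
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("no SubjectConfirmationData")
        else:
            if data.get("Recipient") != recipient:
                problems.append("Recipient does not match this ACS URL")
            scd_noa = data.get("NotOnOrAfter")
            if scd_noa is None or now >= _instant(scd_noa):
                problems.append("SubjectConfirmationData expired")
    return subject, problems


# Constructed sample modelled on the article's assertion: unsigned, one-week window.
ACS_URL = "https://sp.example.com/saml2/acs"  # assumed SP endpoint
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="s2a1033a774e80d5f09c8aaebe5fddc337184f950f" IssueInstant="2015-08-03T23:15:18Z" Version="2.0">
<saml:Issuer>Example</saml:Issuer><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified">demo</saml:NameID><saml:SubjectConfirmation Method="{BEARER_METHOD}">
<saml:SubjectConfirmationData NotOnOrAfter="2015-08-10T21:55:18Z" Recipient="{ACS_URL}"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2015-08-03T23:15:18Z" NotOnOrAfter="2015-08-10T21:55:18Z">
<saml:AudienceRestriction><saml:Audience>ExampleEmployeesSP</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion>"""
SAMPLE_NOW = datetime(2015, 8, 5, tzinfo=timezone.utc)     # inside the validity window
SAMPLE_LATER = datetime(2015, 8, 11, tzinfo=timezone.utc)  # after NotOnOrAfter


def fake_post(url, body):
    """Test double standing in for AM: checks the request shape, returns the sample."""
    assert url.endswith("/rest-sts/employees/testSTS?_action=translate")
    assert json.loads(body)["input_token_state"]["token_type"] == "OPENAM"
    return json.dumps({"issued_token": SAMPLE_ASSERTION})


if __name__ == "__main__":
    xml = translate_session("https://am.example.com/am", "employees/testSTS",
                            "AQIC...session-token...*", ACS_URL, post=fake_post)
    print(check_assertion(xml, "ExampleEmployeesSP", ACS_URL, SAMPLE_NOW))
```

Run against a real deployment by dropping the post= argument and passing the tokenId from step 1; check_assertion is written so that the unsigned sample only passes when require_signature is switched off, which is the default an SP should never run with.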

See Also

How do I add and configure a REST STS instance in AM (All versions) using ssoadm?

Security Token Service

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.