We have WS-Fed protected non-public systems which are not accessible through the browser and we need to authenticate with them through the backend.
It is very easy to obtain a SAML token through the client’s WS-Fed endpoint when you are making the call through the browser and are already authenticated with Auth0 session cookies.
What options do we have on the backend?
We do have access to the user’s access token.
Can we somehow exchange the access token for a SAML token, or call the Auth0 SP WS-Fed endpoint with an access token without a browser session?
We have tried all sorts of combinations with custom databases, social-connection app contraptions and mock WS-Fed IdPs, but these all boil down to impersonation, and due to audit requirements we need a non-impersonated SAML token: one which has been issued by Auth0 without a second-leg IdP, using the access token as proof of identity (authentication).