Problem statement
Unable to retrieve a Refresh Token when calling the /token endpoint after an IdP-Initiated SAML flow. How can this be configured to retrieve a Refresh Token successfully?
Solution
When trying to retrieve a Refresh Token after a SAML IdP-Initiated SSO, a custom handler must be created in the application, as shown in the example in the Configure IdP-Initiated SAML Sign-on to OIDC Apps documentation.
That example uses a "startlogin" handler that reads the "connection" parameter from the incoming request URL:
let conn = myURL.searchParams.get("connection");
With this parameter, the handler starts a new login transaction against that connection (the IdP).
This is required because OIDC does not support IdP-initiated flows, so a workaround is needed; more information is documented in OpenID Connect IdP-initiated flow.
Requesting refresh tokens requires that the offline_access scope is included when initiating an authentication request through the /authorize endpoint. Offline Access must also be enabled on the API (the Allow Offline Access setting). For more details and an example, refer to Get Refresh Tokens.
An IdP-Initiated flow does not go through the /authorize endpoint, hence the need to trigger a login transaction from the custom handler. Following these steps when using an IdP-Initiated SAML SSO ensures that a new login transaction is triggered in which /authorize is called with the proper parameters (connection and the offline_access scope), so the subsequent /token call returns a refresh token.