Retrieving a Refresh Token on SAML IDP-Initiated SSO

Problem statement

Unable to retrieve a Refresh Token when calling the /token endpoint after an IdP-Initiated SAML flow. How can this be configured to retrieve a Refresh Token successfully?

Solution

When trying to retrieve a Refresh Token on a SAML IdP-Initiated SSO, the application must be configured with a new custom handler, as shown in the example in the Configure IdP-Initiated SAML Sign-on to OIDC Apps documentation.

That example uses a “startlogin” method that captures the “connection” query parameter from the incoming request:

let conn = myURL.searchParams.get("connection");

With this parameter, a new login transaction is issued to the IdP.

This is required because OIDC does not support IdP-initiated flows, so a workaround is needed; more information is documented in OpenID Connect IdP-initiated flow.

Requesting Refresh Tokens requires that the offline_access scope is included when initiating an authentication request through the /authorize endpoint, and Offline Access must be enabled on the API. For more details and an example, refer to Get Refresh Tokens.

An IdP-Initiated flow does not go through the /authorize endpoint, hence the need to trigger a login transaction with the new handler. Following these steps when using IdP-Initiated SAML SSO ensures a new login transaction is triggered in which /authorize is called with the proper parameters (including offline_access), so that a Refresh Token is returned.