Propagate user attributes from MDK application to backend services in different subaccounts

PAstolfi86
Explorer

Hi,

We are implementing an MDK application deployed on subaccount "A" that consumes an OData service deployed on subaccount "B".

Subaccount "A" has a custom IdP that is federated with ADFS. A custom assertion attribute has been inserted in the federation.

In other applications deployed on subaccount "A" I can see the custom assertion attribute.

I want the service on subaccount "B" to read the custom assertion attributes. To do this I've created, in Mobile Connectivity, a destination with OAuth2 SAML Bearer Assertion. I've established trust with this new destination in subaccount "B", and the authentication is correctly propagated, but in the service I can't see the custom assertion attribute.

How can I propagate the assertion attributes?

guo-pingzhang
Advisor

Let me try to explain it:

The flow is:

1. The device MDK app authenticates with the Mobile Services xsuaa and gets $token_mobile.

2. Mobile Services uses the login context from step 1 to generate the SAML assertion and uses it to call the xsuaa of the 'provider services' to get $token_provider.

Both $token_mobile and $token_provider do NOT contain the IDP attributes.

The IDP attributes are in the login context in step 2, and in the generated SAML assertion in step 2 too.

3. To prove this, you can call the Me service in Mobile Services like:

curl 'https://<your mobile app host>/mobileservices/application/<appID>/roleservice/application/<appID>/v2/Me' -H "Authorization: Bearer $token_mobile"

4. To prove the SAML assertion contains the IDP attributes, you can get the $token_provider to call the provider's xsuaa userinfo endpoint:

curl 'https://<your xsuaa domain>.authentication.ap21.hana.ondemand.com/userinfo' -i -X GET -H "Authorization: Bearer $backendtoken"

In order to get $backendtoken, you can use https://httpbin.org/headers as your backend URL. This endpoint responds with all request headers, including the Authorization header, which is $backendtoken in this case.

I tried #3 and #4 and they both contain the IDP attributes. And I did NOT update xs-security.json for Mobile Services.

Please try #3 and/or #4 and let me know the result.

And do you want to inject SAML attributes into the JWT token, like $token_mobile or $token_provider?
If you're able to include SAML attributes outside Mobile Services, please attach the entire xs-security.json and any other configuration steps so that I can find out how to do it in the Mobile Services context.
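An added diagnostic (not code from the thread or from SAP) that reproduces step #4 offline: it pulls the forwarded bearer token out of a constructed httpbin.org/headers response, decodes the JWT payload without verifying it, and checks whether a custom IdP attribute is present in the token versus in a constructed /userinfo response. The claim name `xs.user.attributes`, the attribute `costCenter`, and the shape of the userinfo response are assumptions for illustration.

```python
import base64
import json

# Constructed samples (added example, not from the original thread). The JWT is
# unsigned and made up purely to exercise the parser; it is not a real XSUAA token.
def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed-key"}),
    _b64url({"iss": "https://provider.authentication.example.com/oauth/token",
             "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
             "user_name": "jdoe", "scope": ["openid"]}),
    "constructed-signature",  # not valid; this decode must never drive authorization
])
# What https://httpbin.org/headers echoes back when used as the backend URL (step #4).
HTTPBIN_RESPONSE = json.dumps({"headers": {"Host": "httpbin.org",
                                           "Authorization": "Bearer " + SAMPLE_TOKEN}})
# Constructed stand-in for the provider's /userinfo response (claim layout assumed).
USERINFO_RESPONSE = json.dumps({"user_name": "jdoe", "email": "jdoe@example.com",
                                "xs.user.attributes": {"costCenter": ["4711"]}})

def extract_bearer_token(httpbin_json: str) -> str:
    """Recover $backendtoken from the Authorization header httpbin echoed."""
    scheme, _, token = json.loads(httpbin_json)["headers"]["Authorization"].partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("Authorization header is not a bearer token")
    return token

def decode_jwt_payload(token: str) -> dict:
    """Decode (NOT verify) the JWT payload so its claims can be inspected.
    Signature checking is deliberately absent: read-only diagnostic, never a
    substitute for XSUAA's own token validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def has_idp_attribute(claims: dict, attr_name: str) -> bool:
    """True if the attribute appears under 'xs.user.attributes' (assumed to be
    the claim XSUAA populates when attributes are declared in xs-security.json)."""
    return attr_name in claims.get("xs.user.attributes", {})

def check_propagation(httpbin_json: str, userinfo_json: str, attr: str) -> dict:
    """Answer the thread's question for one attribute: is it in the forwarded
    $backendtoken, and is it in what /userinfo returns for that token?"""
    claims = decode_jwt_payload(extract_bearer_token(httpbin_json))
    return {"in_backend_token": has_idp_attribute(claims, attr),
            "in_userinfo": has_idp_attribute(json.loads(userinfo_json), attr)}
```

With the constructed inputs the result is `{"in_backend_token": False, "in_userinfo": True}`, mirroring the answer's point that the JWTs themselves do not carry the IdP attributes while the userinfo lookup does.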