How to authenticate a user using userid and password and retrieve attributes such as firstname, lastname, LLTS

We currently have a use case where we need to authenticate a user outside of the web authentication user journey flows implemented inside of AM.

This is required for Desktop applications where they make a WebService call to authenticate a user using username and password. The user exists in AM identity store.
The authentication is performed using the email address and not the userid.
If the authentication is successful then we would need to load the user profile data such as firstname, name and LLTS and return a SAML token to the calling client.

I have used the Password Grant Flow to authenticate a user but do not know how to then get the user profile data.

Please can you recommend how this can be achieved?

To minimise network traffic I would like to implement this using minimal calls.

Hi riponmann

Is this summary of your situation accurate:
You are calling the /oauth2/access_token endpoint and using the Resource Owner Password Grant (grant_type=password) to authenticate a user and receive an access token. You would like to be able to generate a SAML assertion containing - among other things - the name and last login timestamp of the user authenticated as the resource owner.

In general, this sounds like a use case for the Security Token Service (STS) which is documented at Security Token Service (STS) :: AM 7.3.0. It’s been a while since I played with this service, but it sounds like this would suit your needs. If you don’t actually need the access token that you are generating in your initial OAuth step you could even bypass that and just use the user’s credentials when calling the STS. If you do need the access token, you could have that step also request an id token and use that as an input to the STS.

I’d be curious to know more about the overall use case driving this, specifically why it needs to be SAML and why it needs to be done outside of AM’s authentication journeys. With the information that we have at this time, however, I do feel like using the STS will provide you with what you are looking for.

1 Like
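
The two STS options suggested in the reply (user credentials directly, or the id token from the OAuth step), sketched as an added example that is not part of the original thread: it builds the body for a REST STS `translate` call and reads the subject and attributes out of the returned assertion. The sample response, the user and the attribute names (`givenName`, `sn`, `lastLoginTime`) are constructed, and which attributes appear is assumed to depend on the attribute mapping configured on the STS instance.

```python
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_translate_request(username=None, password=None, id_token=None):
    """JSON body for POST <AM base>/rest-sts/<instance>?_action=translate."""
    if id_token:
        # Variant that reuses the id token requested in the OAuth step.
        source = {"token_type": "OPENIDCONNECT", "oidc_id_token": id_token}
    elif username and password:
        # Variant that skips OAuth and sends the credentials directly.
        source = {"token_type": "USERNAME", "username": username,
                  "password": password}
    else:
        raise ValueError("need an id token or a username and password")
    return {"input_token_state": source,
            "output_token_state": {"token_type": "SAML2",
                                   "subject_confirmation": "BEARER"}}

def read_assertion(response_body):
    """Return (NameID, {attribute: [values]}) from a translate response.
    Reads attributes only; the relying party still validates the signature."""
    assertion = ET.fromstring(json.loads(response_body)["issued_token"])
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in
                                   attr.iterfind("saml:AttributeValue", SAML_NS)]
    return name_id, attrs

# Constructed response: the user, attribute names and values are made up.
SAMPLE_RESPONSE = json.dumps({"issued_token": (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>'
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="lastLoginTime"><saml:AttributeValue>2023-06-01T09:15:00Z</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion>')})

if __name__ == "__main__":
    print(json.dumps(build_translate_request("jane.doe@example.com", "constructed-pw")))
    print(read_assertion(SAMPLE_RESPONSE))
```

With the credentials variant the desktop client makes a single call, so the request carries the user's password and belongs on TLS only.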