- The client app creates the SAML assertion and signs it with the private key of an X.509 certificate
- The authorisation server checks the signature against the certificate's public key to verify the authenticity of the request
- Allowed scopes are based on approval previously granted by the user through another OAuth flow
- Additional claims can be included in the assertion to communicate extra user or context information to the authorisation server
- For Salesforce to act as the authorisation and resource server, a connected app is needed