

Once SAML SSO is performed, the Service Provider (SP) has access to the SAML Assertion/Token for the user. The SP should then be able to call a REST service with the SAML token and obtain an OAuth token.


  • A RESTEasy endpoint is required that accepts the SAML Token as a bearer token. More information on the OAuth bearer tokens is available at
  • The endpoint should be secured.
    • As of v2.5.0.Final, PicketLink has a login module called SAMLBearerTokenModule.
    • The login module will validate the SAML Bearer Token and create a Principal for use by the REST Endpoint.
  • The REST Endpoint creates an OAuth Token out of the principal and sends it back to the requesting client.
    • The endpoint should store the OAuth Token along with a reference to the SAML token.


RESTEasy (Any)

PicketLink v2.5.0.Final and above

What Should the OAuth Token Look Like?


  1. Use UUID
  2. Convert the SAML Token into a base64-encoded string.
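
A sketch of option 1 combined with the storage requirement above, as an added example that is not PicketLink or RESTEasy code: the OAuth token is an opaque UUID, and the endpoint keeps the principal and a reference to the originating SAML assertion on the server side. The class and method names, capping the token lifetime at the assertion's NotOnOrAfter, and revoking by assertion ID are assumptions for illustration; the record syntax needs Java 16 or later.

```java
import java.security.Principal;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical store: maps an opaque OAuth token to the principal and its SAML assertion. */
public class SamlBackedTokenStore {

    /** What the endpoint remembers for each issued token. */
    public record Entry(String principalName, String samlAssertionId, Instant expiresAt) {}

    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();

    /** Option 1: a random UUID that carries no user data; everything else stays server-side. */
    public String issue(Principal principal, String samlAssertionId, Instant assertionNotOnOrAfter) {
        // randomUUID() draws from a cryptographically strong generator
        String token = UUID.randomUUID().toString();
        // Assumption: the OAuth token must not outlive the assertion it was derived from
        tokens.put(token, new Entry(principal.getName(), samlAssertionId, assertionNotOnOrAfter));
        return token;
    }

    /** Resolve a presented token; unknown or expired tokens are rejected. */
    public Optional<Entry> resolve(String token, Instant now) {
        Entry entry = tokens.get(token);
        if (entry == null) return Optional.empty();
        if (!now.isBefore(entry.expiresAt())) {
            tokens.remove(token); // drop the expired entry
            return Optional.empty();
        }
        return Optional.of(entry);
    }

    /** The stored SAML reference lets every token from one assertion be revoked together. */
    public boolean revokeByAssertion(String samlAssertionId) {
        return tokens.values().removeIf(e -> e.samlAssertionId().equals(samlAssertionId));
    }

    public static void main(String[] args) {
        SamlBackedTokenStore store = new SamlBackedTokenStore();
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // constructed sample values
        Principal user = () -> "alice";
        String token = store.issue(user, "_constructed-assertion-id", now.plusSeconds(300));
        System.out.println("valid in window: " + store.resolve(token, now.plusSeconds(60)).isPresent());
        System.out.println("valid after expiry: " + store.resolve(token, now.plusSeconds(301)).isPresent());
        String second = store.issue(user, "_constructed-assertion-id", now.plusSeconds(300));
        System.out.println("revoked: " + store.revokeByAssertion("_constructed-assertion-id"));
        System.out.println("valid after revoke: " + store.resolve(second, now).isPresent());
    }
}
```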

Final Decision

All encompassing PicketLink Quickstart.

