[SalesForce] SSO: Azure AD idp + external API Callout from Apex

Question:

  • When a user is signed into SF with Azure AD identity provider (SSO), we want to send the current identity (in the form of a SAML assertion, bearer token, etc.?) along with the external API callout request, to auth the API call. Do you have any advice, guidance, or tips based on your experience?

Background:

  • We have watched https://www.pluralsight.com/courses/play-by-play-salesforce-understanding-single-sign-on
  • We have read numerous, numerous tutorials and documentation pages in Salesforce, Azure, and various blogs.
  • We have successfully implemented SSO with Azure AD (SAML based).
  • We are in the process of figuring out how to set up Auth Provider to Azure AD as well, as another approach option.
  • We are also building the external API – the API could accept OpenID or SAML based auth info – we're in control. We're posting data in the outbound callout to this external API (SF -> API).

Problems:

  • The issue we're facing is trying to figure out how to send the auth (either a SAML assertion or an OAuth token from the user's session) along with the external API callout request.
  • There is no clear how-to documentation or example code on how to do this.

Possible approaches we've brainstormed / we're exploring:

  1. SAML to SSO user into SF. This is our fallback approach if none of the others below work. All the code would be in Apex. We would use "client credential" flow to establish a machine-to-machine connection between SF and the External API. This does not use the signed-in user's credentials though, so it's not really achieving the use case of leveraging the current user's logged-in session (API call audit trail...). But maybe it's the only way we can make the external callout work?
  2. SAML to SSO user into SF. Then all external API calls happen in a Lightning Web Component (LWC)? There is little or no Apex code here. This would let the browser and JavaScript handle SAML redirects when invoking the API with a POST. This option is all theory at this point and I don't actually know how it would work and I cannot find any sample code.
  3. SAML to SSO user into SF. Then exchange a SAML assertion for an OAuth token: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/19728688-support-for-oauth-2-0-saml-bearer-assertion-flow The code would all be in Apex. I cannot find any sample code to support this approach. And I'm not even sure how to access or build a SAML assertion when in Apex code.
  4. Named Credential approach. Could use either SAML SSO or Azure AD Auth Provider (using OpenID Connect) to sign the user into SF. Or have both, where SAML handles SSO and the Auth Provider handles API auth. The Named Credential would pass the auth info to the external API? I know you can reference an Auth Provider in the Named Credential but I cannot find how to configure Named Credentials with SAML SSO only. Apex code would reference the Named Credential and "just work"? I cannot find example Apex code though, other than something like this... but how is auth set?
    // Posts a payload through the Named Credential MY_API_URL; orderPayload is whatever
    // object the caller wants serialized as the JSON body.
    public static HttpResponse postOrder(Object orderPayload) {
        Http http = new Http();
        HttpRequest request = new HttpRequest();
        // The 'callout:' scheme resolves the Named Credential's URL and injects its auth
        request.setEndpoint('callout:MY_API_URL/');
        request.setMethod('POST');
        request.setHeader('Content-Type', 'application/json;charset=UTF-8');
        request.setBody(JSON.serialize(orderPayload));
        HttpResponse response = http.send(request);
        return response;
    }

Best Answer

We went with SAML SSO, Azure App registration (when publishing API), Auth Provider in SF (to get token for use with API), and Named Creds (to tie it all together):

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

https://help.salesforce.com/articleView?id=sso_provider_microsoft.htm&type=5
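The Apex side of the approach the answer settled on (Auth Provider for Azure AD plus a Named Credential), as an added example that is not code from the thread or from Salesforce. It assumes a hypothetical Named Credential named Azure_Order_API whose Authentication Protocol is OAuth 2.0, Identity Type is "Per User", and whose Authentication Provider is the Azure AD Auth Provider; the class name, the /orders path, and the payload shape are also assumptions. The point it shows beyond the snippet in the question is where the auth comes from: nothing in Apex touches a token, the platform attaches the running user's own Azure AD access token because the credential is per-user, and the two places that fail when that token is missing or rejected are handled explicitly.

```apex
// Added example, not from the thread. Hypothetical Named Credential: Azure_Order_API
// (OAuth 2.0, Identity Type = Per User, Authentication Provider = the Azure AD Auth Provider).
public with sharing class OrderApiClient {

    public class OrderApiException extends Exception {}

    // Returned to the caller so the HTTP status is visible instead of silently dropped.
    public class Result {
        public Integer statusCode;
        public String body;
    }

    public static Result postOrder(Map<String, Object> orderPayload) {
        HttpRequest request = new HttpRequest();
        // The 'callout:' scheme resolves the Named Credential's URL and, because the
        // credential is Per User, attaches the running user's own Azure AD access token.
        // Apex never sees or stores the token; the platform stores and refreshes it.
        request.setEndpoint('callout:Azure_Order_API/orders');
        request.setMethod('POST');
        request.setHeader('Content-Type', 'application/json;charset=UTF-8');
        request.setHeader('Accept', 'application/json');
        request.setTimeout(30000); // milliseconds; the default callout timeout is 10 s
        request.setBody(JSON.serialize(orderPayload));

        HttpResponse response;
        try {
            response = new Http().send(request);
        } catch (System.CalloutException e) {
            // A per-user credential fails here when the running user has not yet
            // authorized the external system from their personal settings
            // (Authentication Settings for External Systems). Surface that with the
            // user id so the audit trail shows who the call was attempted as.
            throw new OrderApiException('Callout to Azure_Order_API failed for user '
                + UserInfo.getUserId() + ': ' + e.getMessage(), e);
        }

        Result r = new Result();
        r.statusCode = response.getStatusCode();
        r.body = response.getBody();
        if (r.statusCode == 401 || r.statusCode == 403) {
            // The API rejected the user's token: expired, wrong audience/app registration,
            // or the Auth Provider did not request the scope the API expects.
            throw new OrderApiException('API rejected the user token: HTTP ' + r.statusCode);
        }
        return r;
    }
}
```

Because the endpoint is a Named Credential, no Remote Site Setting is needed and no Authorization header is set in code; each user authorizes the Azure_Order_API credential once, after which the token is attached and refreshed by the platform. If the API needs the token in a non-standard header, Named Credentials can expose it to Apex via the {!$Credential.OAuthToken} merge field when "Allow Merge Fields in HTTP Header" is enabled on the credential, which is still preferable to handling raw tokens in Apex. In unit tests, the callout is stubbed with Test.setMock(HttpCalloutMock.class, ...) so the 401/403 branch can be exercised without a live Azure tenant.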