Re: [Dev] How to exchange a SAML2 bearer token with OAuth2 token

2016-04-18 Thread Gonzalo Valencia

As far as I remember you need to split the headers in the curl command:
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=[...]&scope=PRODUCTION" \
  -H "Authorization: Basic VWhXczlIN2xPaTlOMGJZM1pfdUswVW41OU93YTpKcTdMNFdzZHg5SER3TGx3TnVERVkxdVl4UUFh" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://localhost:8243/token


On 18/04/2016 at 4:22, Geesara Prathap wrote:

Hi All,

As an example, I enabled SSO in Dashboard Server and registered the
portal app with the Identity Server by creating a service provider. So
I was able to get the SAML bearer assertion in the SAML response. Then I
created an application in API Manager and combined the consumer key and
consumer secret keys as consumer-key:consumer-secret, then encoded the
combined string using base64. After that I filtered out the SAML bearer
assertion from the SAML response and encoded it into base64-URL.


SAML bearer assertion




To exchange the SAML2 bearer token for an OAuth2.0 access token, this 
is the command I used.


curl -k -d 
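
Added example (not part of the original thread): shell helpers for the steps described above, covering the base64 of consumer-key:consumer-secret, the unpadded base64url form of the assertion, and a token request that passes each header in its own -H option. The assertion and scope parameter names follow RFC 7522 and the standard OAuth2 token request; the function names, credentials and inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Helper names and all sample values here are constructed for illustration.

# base64("consumer-key:consumer-secret") for the Basic Authorization header.
# tr removes the line wrapping that base64 adds to long values.
basic_credentials() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# base64url per RFC 4648 section 5, read from stdin. RFC 7522 requires the
# assertion value to be unwrapped and without '=' padding.
b64url() {
  base64 | tr -d '\n=' | tr '+/' '-_'
}

# Form body for the token endpoint: $1 = base64url assertion, $2 = scope.
token_request_body() {
  printf 'grant_type=%s&assertion=%s&scope=%s' \
    'urn:ietf:params:oauth:grant-type:saml2-bearer' "$1" "$2"
}

# $1 = consumer key, $2 = consumer secret, $3 = file holding the assertion XML,
# $4 = token endpoint URL. Each header gets its own -H option. The thread's -k
# (skip certificate verification) is left out; for a self-signed gateway
# certificate pass --cacert <file> instead.
request_token() {
  curl -sS -d "$(token_request_body "$(b64url < "$3")" PRODUCTION)" \
    -H "Authorization: Basic $(basic_credentials "$1" "$2")" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    "$4"
}

# Offline demonstration with a constructed stand-in for the assertion.
demo_body() {
  token_request_body "$(printf '<constructed-assertion/>' | b64url)" PRODUCTION
}
demo_body; echo
```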

Re: [Dev] How to exchange a SAML2 bearer token with OAuth2 token

2016-04-17 Thread Geesara Prathap
This is the issue[1] I am facing right now. Also, there is a similar issue[2]
which was encountered in APIM 1.10.

1. https://gist.github.com/GPrathap/2326db6be8fcfeb09755abb136b4564a
2. https://wso2.org/jira/browse/APIMANAGER-4554


Thanks,
Geesara

2016-04-18 7:52 GMT+05:30 Geesara Prathap :

> Hi All,
>
> As an example, I enabled SSO in Dashboard Server and registered the portal
> app with the Identity Server by creating a service provider. So I was able
> to get the SAML bearer assertion in the SAML response. Then I created an
> application in API Manager and combined the consumer key and consumer secret
> keys as consumer-key:consumer-secret, then encoded the combined string using
> base64. After that I filtered out the SAML bearer assertion from the SAML
> response and encoded it into base64-URL.
>
> SAML bearer assertion
>
>
>
> To exchange the SAML2 bearer token for an OAuth2.0 access token, this is
> the command I used.
>
> curl -k -d
> 

[Dev] How to exchange a SAML2 bearer token with OAuth2 token

2016-04-17 Thread Geesara Prathap
Hi All,

As an example, I enabled SSO in Dashboard Server and registered the portal
app with the Identity Server by creating a service provider. So I was able
to get the SAML bearer assertion in the SAML response. Then I created an
application in API Manager and combined the consumer key and consumer secret
keys as consumer-key:consumer-secret, then encoded the combined string using
base64. After that I filtered out the SAML bearer assertion from the SAML
response and encoded it into base64-URL.

SAML bearer assertion



To exchange the SAML2 bearer token for an OAuth2.0 access token, this is
the command I used.

curl -k -d