SAML assertions generation usecase is not working

Not applicable

Hi,

I am trying to implement the SAML assertion policy use case in my Edge. To do that I have referred to the link: https://community.apigee.com/articles/37587/saml-assertion-policies-study.html. I have followed this and implemented the steps below.

1) I have created a certificate 'mockserverKeyrstore' using OpenSSL.

2) Created a keystore 'mockserverKeystore' and added the above certificate.

3) Created proxies 'SAMLsampleIdPproxy' (generate SAML assertions and prepare key) and 'SAMLsampleSPproxy' (validate access token) as API products.

4) Created app 'SAMLAPP' and added the above API products. I got the consumer key and secret code.

5) Tested the proxy with the URL 'http://apitechbasics-prod.apigee.net/samlsampleidpproxy/GenerateIdPToken?response_type=token&redirection_uri=http://localhost:2999&client_id=4hCaENG9MyJL08T3aOQaLImj8TnlxCKA'

I am getting error 401. Attaching code and certificates for your reference. Could you please help me in running this sample?

Also need some more clarification on the article: how are SAML assertions being validated against the key store?

Attachments: samlsampleidpproxy-rev1-2017-06-07.zip, samlsamplespproxy-rev1-2017-06-07.zip

3 REPLIES

Not applicable

Hi ,

Could you please look into this scenario and help me understand the concept? If you already have code available for the use case https://community.apigee.com/articles/37587/saml-assertion-policies-study.html, please provide me the link.

Do you get an error at the Verify Access Token policy in your preflow? You can see this from the trace in the UI.

Hi @veeraraghavendra

The reason you receive a 401 Unauthorized is that your samlsampleidpproxy-rev1-2017-06-07 has the VerifyAccessToken policy in the preflow, which means that your request must include an access token in the Authorization: Bearer token header. The request that you posted does not include that header.

In order for your request to succeed, you have two options:

1) Disable/remove the VerifyAccessToken policy in the preflow.

2) Obtain an access token first by sending a client credentials request to your OAuth proxy. Then include that access token in the Authorization: Bearer token header on the request. The updated request is shown below; make sure to include the access_token.

curl -H 'Authorization: Bearer access_token' 'http://apitechbasics-prod.apigee.net/samlsampleidpproxy/GenerateIdPToken?response_type=token&redirection_uri=http://localhost:2999&client_id=4hCaENG9MyJL08T3aOQaLImj8TnlxCKA'

I recommend the first option, because the purpose of the SAML IDP proxy is to generate a SAML assertion and an access token, given that the OAuth v2 (generate access token) policy is able to verify the client ID and the redirect URI.

All the other steps that you completed seem to be correct.

I'll quickly summarize this community article and explain how it works.

1) The SAML IDP proxy has two policies, a) Generate SAML, b) OAuth v2 - Generate Access Token (implicit grant).

  • This means that this proxy generates a SAML assertion first, then associates that assertion with the access token ONLY IF it is able to successfully validate the redirect URI and the client ID provided in the query parameters. Therefore, you don't need to include the VerifyAccessToken policy on the preflow within this proxy, because this flow will generate the access token for you.
  • This proxy generates a SAML assertion without validating the user's credentials, but this is ok, because that article is demonstrating how to generate a SAML assertion and associate it with an access token.
  • Keep in mind that you typically generate a SAML assertion given that a user has provided valid credentials and your proxy has validated the user's credentials first. (I have a repo that shows how to do this with Apigee BaaS and I'm working on a community post for it as well).
  • The idea here is to return an OAuth 2 access token to your client, however, your target server may require a SAML assertion. Subsequent requests to Apigee Edge will require the access token, but Apigee could swap the access token for the SAML assertion stored in the token and forward that to your target service.

2) The SAML SP proxy is for you to verify the access token generated by the SAML IDP proxy. When the Verify Access Token policy executes, you can see in the trace that the SAML assertion is associated with the access token.

  • Now that the access token is validated, it can swap the access token for the SAML assertion and send that to your target service.
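To make the flow in this reply concrete, here is a small added model of the two proxies. It is not Apigee Edge code and not from the article or the attached bundles: the IdP side checks the client ID and redirect URI, issues an assertion, and binds it to an opaque access token; the SP side verifies the bearer token and swaps it for the stored assertion. The registered client ID, redirect URI, signing key and subject are constructed sample values, and the assertion is a small dict signed with HMAC-SHA256 as a stand-in for the keystore-signed XML the real GenerateSAMLAssertion policy produces. The `require_bearer` flag reproduces the asker's setup (VerifyAccessToken in the preflow) and shows why that configuration answers with 401.

```python
"""Toy model of the IdP proxy / SP proxy pattern described in the reply.
Constructed example, not Apigee code; HMAC stands in for XML-DSig."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the developer app: sample client id and redirect URI.
REGISTERED_APPS = {
    "sample-client-id": {"redirect_uris": {"http://localhost:2999"}},
}
SIGNING_KEY = b"constructed-keystore-stand-in"  # stands in for the keystore private key
TOKEN_STORE = {}  # access_token -> {"saml_assertion": ..., "expires": ...}


def generate_saml_assertion(subject, issuer, lifetime_s=300):
    """Stand-in for GenerateSAMLAssertion: assert a subject with an expiry and sign it."""
    body = {"issuer": issuer, "subject": subject,
            "not_on_or_after": int(time.time()) + lifetime_s}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"assertion": body, "signature": sig}


def verify_saml_assertion(signed, now=None):
    """Recompute the signature over the canonical body and check the validity window."""
    payload = json.dumps(signed["assertion"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        return False
    now = int(time.time()) if now is None else now
    return now < signed["assertion"]["not_on_or_after"]


def _bearer_token(headers):
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""


def idp_proxy(query, headers, require_bearer=False):
    """Model of the IdP proxy. require_bearer=True mimics VerifyAccessToken in the
    preflow: a request without a valid bearer token is rejected with 401 before the
    implicit-grant flow ever runs, which is the error reported in the question."""
    if require_bearer and _bearer_token(headers) not in TOKEN_STORE:
        return 401, {"error": "invalid_access_token"}
    app = REGISTERED_APPS.get(query.get("client_id"))
    if app is None or query.get("redirection_uri") not in app["redirect_uris"]:
        # The implicit-grant policy refuses unknown clients or unregistered redirect URIs.
        return 401, {"error": "invalid_client_or_redirect_uri"}
    if query.get("response_type") != "token":
        return 400, {"error": "unsupported_response_type"}
    assertion = generate_saml_assertion(subject="demo-user", issuer="idp-proxy")
    token = secrets.token_urlsafe(24)
    # The assertion is stored as a token attribute; the client only receives the token.
    TOKEN_STORE[token] = {"saml_assertion": assertion, "expires": time.time() + 3600}
    return 200, {"access_token": token, "token_type": "bearer"}


def sp_proxy(headers):
    """Model of the SP proxy: verify the bearer token, then swap it for the assertion
    bound to it and hand that to the target service."""
    entry = TOKEN_STORE.get(_bearer_token(headers))
    if entry is None or entry["expires"] < time.time():
        return 401, {"error": "invalid_access_token"}
    assertion = entry["saml_assertion"]
    if not verify_saml_assertion(assertion):
        return 401, {"error": "invalid_saml_assertion"}
    return 200, {"forwarded_to_target": assertion}


if __name__ == "__main__":
    q = {"response_type": "token", "redirection_uri": "http://localhost:2999",
         "client_id": "sample-client-id"}
    print(idp_proxy(q, {}, require_bearer=True))   # 401: the asker's configuration
    status, body = idp_proxy(q, {})                 # 200: VerifyAccessToken removed
    print(status, body)
    print(sp_proxy({"Authorization": "Bearer " + body["access_token"]}))
```

Running the module prints the 401 for the preflow-protected IdP call, then the successful token issuance and the assertion the SP side would forward. A tampered assertion (any change to the signed body) fails `verify_saml_assertion`, and a request to the SP proxy with an unknown token is rejected before the assertion is even looked at.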