We’ve recently hardened our tenant security by enforcing SAML SSO for all human users. This works fine for agents logging into the UI, but it’s completely broken our backend integration scripts that rely on the OAuth client credentials flow.
The goal is to keep SAML for people but allow our internal tools to authenticate programmatically using a machine-to-machine token. I have an integration user set up with the necessary API permissions, and the client ID and secret are correct. I’m using the standard /oauth/token endpoint.
Here is the payload I’m sending:
    {
      "grant_type": "client_credentials",
      "client_id": "my-integration-id",
      "client_secret": "my-secret"
    }
The response is consistently a 401 Unauthorized.
    {
      "errors": [
        {
          "message": "Invalid grant type for user. SAML SSO is enforced for this organization.",
          "code": "invalid_grant"
        }
      ]
    }
I’ve checked the admin settings. “Enforce SSO” is checked. I assumed this only affects the login page for browsers. It seems to be blocking the token endpoint too.
I tried switching to urn:ietf:params:oauth:grant-type:jwt-bearer with a signed JWT, but that requires setting up a custom identity provider configuration which feels like overkill just to get an access token. We just need a simple way to get a bearer token for our scripts without involving a human login session.
Is there a flag to exempt the OAuth token endpoint from the SAML enforcement? Or do I need to create a separate “API-only” user type that isn’t subject to the SSO rule? The documentation is vague on this intersection of SSO enforcement and machine-to-machine auth.
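An added example (not code from the original post or from the vendor) showing how an integration script can issue the client_credentials request and tell this policy rejection apart from a plain credential failure, so that the script fails loudly with the right reason instead of a bare 401. The tenant URL, the success body and the invalid_client body are constructed assumptions; the 401 body is the one quoted above.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

# Hypothetical tenant base URL; the /oauth/token path is the one from the question.
TOKEN_URL = "https://tenant.example.com/oauth/token"


def build_token_request(client_id: str, client_secret: str, token_url: str = TOKEN_URL) -> Request:
    """Build a client_credentials token request (RFC 6749 section 4.4).

    Credentials are sent in an HTTP Basic Authorization header (RFC 6749
    section 2.3.1) with a form-encoded body, the shape most token endpoints
    accept; the JSON body in the question is the other common variant.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "client_credentials"}).encode()
    return Request(
        token_url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def classify_token_response(status: int, body: str) -> str:
    """Map a token endpoint reply to a coarse outcome for logs and alerts.

    Returns "ok", "sso_enforced", "invalid_client", "invalid_grant" or
    "unknown". The SSO case has to be recognised from the message text,
    because the code the tenant returns is only the generic invalid_grant.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if status == 200 and "access_token" in payload:
        return "ok"
    # The tenant in the question wraps errors as {"errors": [{"message", "code"}]};
    # also accept the flat RFC 6749 shape {"error", "error_description"}.
    entries = payload.get("errors") or [
        {"code": payload.get("error"), "message": payload.get("error_description", "")}
    ]
    for entry in entries:
        code = (entry.get("code") or "").lower()
        message = (entry.get("message") or "").lower()
        if "sso" in message and "enforced" in message:
            return "sso_enforced"
        if code == "invalid_client":
            return "invalid_client"
        if code == "invalid_grant":
            return "invalid_grant"
    return "unknown"


# Constructed sample replies: the 401 body quoted in the question, plus an
# assumed success body and an assumed bad-secret body for contrast.
SAMPLE_SSO_REJECTION = (401, json.dumps({
    "errors": [{
        "message": "Invalid grant type for user. SAML SSO is enforced for this organization.",
        "code": "invalid_grant",
    }]
}))
SAMPLE_SUCCESS = (200, json.dumps({
    "access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600,
}))
SAMPLE_BAD_SECRET = (401, json.dumps({
    "error": "invalid_client", "error_description": "Client authentication failed",
}))


if __name__ == "__main__":
    req = build_token_request("my-integration-id", "my-secret")
    print(req.get_method(), req.full_url, req.data)  # never print the Authorization header
    for status, body in (SAMPLE_SSO_REJECTION, SAMPLE_SUCCESS, SAMPLE_BAD_SECRET):
        print(status, classify_token_response(status, body))
```

Replace the sample tuples with the real status and body from `urllib.request.urlopen(req)` (catching `HTTPError` to read its body) in a live script; the point is that an "sso_enforced" outcome is a tenant policy decision to raise with the admin, while "invalid_client" is a credential problem to fix in the script, and the two should not be retried the same way.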