Context:
I am migrating our historical data extraction scripts to a new environment where SAML SSO is enforced for all human users. However, our backend Python workers still need to pull large volumes of data via the Reporting API (/api/v2/analytics/reporting/query). I have configured a Service Account with the necessary scopes (analytics:reporting:read) and am using the standard OAuth 2.0 Client Credentials flow to obtain tokens. The token endpoint (/oauth/token) returns a valid access token successfully.
However, when I attempt to use this token to execute an OData query, I receive a 401 Unauthorized response with the message "error_description": "Invalid or expired access token.". This is confusing because the token was issued seconds ago. I suspect there might be a configuration conflict where the SAML IdP settings are inadvertently blocking or overriding the service account authentication context, even though they should be isolated.
Question:
Is it possible to maintain SAML SSO for browser-based users while allowing programmatic access via OAuth Client Credentials without interference? If so, what specific configuration in the Identity Provider or OAuth settings needs to be adjusted to ensure the service account tokens are validated correctly against the reporting endpoints? I have verified the client ID and secret are correct, and the scope includes analytics:reporting:read.
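The flow described above, as an added diagnostic example (not the poster's code and not the vendor's SDK): it decodes the issued token locally without verifying the signature, flags the usual reasons a seconds-old token still comes back as invalid or expired (exp/nbf clock skew, a missing analytics:reporting:read scope, an aud minted for a different resource), and makes the reporting call with a Bearer header so the WWW-Authenticate response header can be read. Assumptions: the token is a JWT (an opaque token is reported as such), the endpoint accepts a JSON POST body, and the base URL and expected audience are placeholders the caller supplies.

```python
import base64
import json
import urllib.error
import urllib.request

REQUIRED_SCOPE = "analytics:reporting:read"   # scope named in the question

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature; diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque (non-JWT) token: nothing to inspect locally
    return json.loads(_unb64url(parts[1]))

def check_token(token, now, expected_aud=None, skew=60):
    """List local reasons a just-issued token can still be rejected as invalid/expired."""
    claims = decode_claims(token)
    if claims is None:
        return ["opaque token: inspect it server-side (introspection endpoint or IdP logs)"]
    findings = []
    if "exp" in claims and claims["exp"] < now - skew:
        findings.append("exp already passed: worker and issuer clocks may disagree")
    if "nbf" in claims and claims["nbf"] > now + skew:
        findings.append("nbf still in the future: worker clock is behind the issuer")
    if REQUIRED_SCOPE not in str(claims.get("scope", "")).split():
        findings.append(f"scope claim lacks {REQUIRED_SCOPE}")
    aud = claims.get("aud", [])
    if expected_aud and expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud {aud!r} is not the reporting API: token minted for another resource")
    return findings

def make_sample_jwt(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())  # CONSTRUCTED, unsigned sample for offline tests
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def run_query(base_url: str, token: str, odata: dict):
    """POST the query with a Bearer header; on 401 also return the WWW-Authenticate hint."""
    req = urllib.request.Request(  # assumption: the endpoint accepts a JSON POST body
        base_url + "/api/v2/analytics/reporting/query", data=json.dumps(odata).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate", "")
```

If check_token returns nothing for a token that the API still rejects, the remaining candidates are server-side (the resource server trusting a different issuer or signing key than the one that minted the token), which the WWW-Authenticate error and the IdP's token logs will show.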