Client A has an account with KaseyaBMS. SaaS Provider B has an application that can write back comments into Client A's Kaseya account using their API detailed here: https://bmsemea.kaseya.com/api
There are two ways to access the API, username and password or SAML Response. A is not happy about having to hand over their username and password to B. Kaseya doesn't provide an OAuth style access model, at least not on this API.
I have created an app within OneLogin (SSO Provider) which grants access to Kaseya without having to use the client's credentials. There's another app within the same OneLogin account which the client can use to log into B the same way.
Kaseya expects a SAML response containing the Company Name and Email. OneLogin provides an API endpoint for generating this SAML Response: https://developers.onelogin.com/api-docs/1/saml-assertions/generate-saml-assertion
But it expects to be provided with a username and password [for Client A's account with OneLogin]. This seems to just shift the requirement from passing A's u/p for Kaseya to B to passing A's OneLogin u/p to B - a combination that would still permit B to log in to Kaseya.
What I have so far is a sequence of API calls.
The problem is that step 2 requires passing a username and password in the request, something I don't understand the necessity for since I already have access to OneLogin using the secret information given to me by OneLogin.
Is what I'm trying to do even possible or am I completely misunderstanding the technology?
A further wrinkle to this is that Client A might not use OneLogin as their SSO provider. I presume any other SSO provider I'm expected to implement will have similar systems for adding custom fields to assertions so OL should be adequate for development purposes.
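As an added illustration (not part of the question above, and not OneLogin's or Kaseya's own code), the following Python shows what the base64 SAML Response returned by an IdP's generate-assertion endpoint actually contains and what a receiving side checks before acting on it. The point for the trust question in the post is that an assertion is a short-lived token addressed to one audience (the service provider) and carrying named attributes, which is why handing over an assertion is materially different from handing over a password. The XML, issuer and audience URLs, subject and attribute names ("CompanyName", "Email") are constructed placeholders; the attribute names Kaseya really expects are not stated on the page. Signature verification is deliberately left out here because it needs an XML-DSig library (for example python3-saml/xmlsec); in production it is mandatory and must happen before any of these values are trusted.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, UNSIGNED SAML Response of the shape an IdP returns
# base64-encoded from a generate-SAML-assertion endpoint. Every URL, name and value
# below is a placeholder, not a real identifier.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.invalid/saml/acs">
  <saml:Issuer>https://idp.example.invalid/saml/metadata/1</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/saml/metadata/1</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@clienta.example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:57:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="CompanyName"><saml:AttributeValue>Client A Ltd</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@clienta.example.invalid</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What an API client would actually receive: the XML as a base64 string.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _parse_time(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' UTC timestamps used in SAML conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(b64_response, expected_audience, now_utc):
    """Decode a base64 SAML Response and report what it would grant.

    Returns {"ok": True, "issuer", "subject", "valid_until", "attributes"} when the
    status is Success, 'now_utc' (an ISO UTC string) lies inside the assertion's
    validity window and 'expected_audience' is listed in AudienceRestriction;
    otherwise returns {"ok": False, "error": ...}.  Signature verification is NOT
    performed here and must be added before trusting any returned value.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        return {"ok": False, "error": "status is not Success: %s" % status}

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "error": "no assertion in response"}

    cond = assertion.find("saml:Conditions", NS)
    now = _parse_time(now_utc)
    if now < _parse_time(cond.get("NotBefore")) or now >= _parse_time(cond.get("NotOnOrAfter")):
        return {"ok": False, "error": "assertion is outside its validity window"}

    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return {"ok": False, "error": "assertion not addressed to this SP: %s" % audiences}

    # The attributes are the claims the SP (Kaseya, in the post) keys access on.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    return {
        "ok": True,
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "valid_until": cond.get("NotOnOrAfter"),
        "attributes": attrs,
    }


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE_B64, "https://sp.example.invalid", "2024-01-01T12:00:00Z"))
    print(check_saml_response(SAMPLE_RESPONSE_B64, "https://sp.example.invalid", "2024-01-01T12:10:00Z"))
    print(check_saml_response(SAMPLE_RESPONSE_B64, "https://other.example.invalid", "2024-01-01T12:00:00Z"))
```

The three calls at the bottom show the same assertion being accepted, rejected for being expired, and rejected for being addressed to a different service provider. Those last two outcomes are what distinguish an assertion from a password: even if B holds one, it is only usable at the one audience it names and only for minutes, whereas a password is reusable anywhere until it is changed.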