OAuth 2.0 SAML Bearer Assertion Flow
- The developer creates a connected app and registers an X509 Certificate. This certificate corresponds to the private key of the app. When the connected app is saved, a consumer key (OAuth client_id) is generated and assigned to the app.
- The developer writes an app that generates a SAML assertion and signs it with the private key.
- The SAML Bearer assertion is posted to the token endpoint: https://login.salesforce.com/services/oauth2/token, https://test.salesforce.com/services/oauth2/token, or https://your_community_URL/services/oauth2/token (if implementing for a community).
- The token endpoint validates the signature using the certificate registered by the developer.
- The token endpoint validates the audience, issuer, subject, and validity of the assertion.
- Assuming that the assertion is valid and that the user or admin authorized the app previously, Salesforce issues an access token.

Note: A refresh_token is never issued in this flow.
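The flow above in code, as an added example that is neither Salesforce's code nor part of the original page: the assertion the app generates, the form body posted to the token endpoint, and the issuer, audience, subject and validity checks the token endpoint runs. XML-DSig signing and signature verification are left out (they need an XML signature library), and the consumer key, username and audience values are constructed placeholders rather than values from the page.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"  # token endpoint named in the flow
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_assertion(issuer, subject, audience, not_before, not_on_or_after):
    """The assertion the app generates; the XML-DSig signature over it is applied separately."""
    nb, na = not_before.strftime(TS), not_on_or_after.strftime(TS)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" ID="_constructed-1" IssueInstant="{nb}">'
            f'<saml:Issuer>{escape(issuer)}</saml:Issuer><saml:Subject><saml:NameID>{escape(subject)}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData Recipient="{TOKEN_URL}" '
            f'NotOnOrAfter="{na}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            f'<saml:Audience>{escape(audience)}</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>')

def token_request_body(assertion_xml):
    """Form fields POSTed to the token endpoint (grant type per RFC 7522, base64url-encoded assertion)."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return {"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer", "assertion": b64}

def validate_assertion(assertion_xml, expected_issuer, expected_audience, now):
    """Token-endpoint checks that follow signature verification. Returns (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer mismatch"
    if not root.findtext("saml:Subject/saml:NameID", namespaces=NS):
        return False, "missing subject"
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if sc is None or sc.get("Method") != BEARER:
        return False, "not a bearer confirmation"
    if expected_audience not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        return False, "audience mismatch"
    cond = root.find("saml:Conditions", NS)
    nb, na = (datetime.strptime(cond.get(k), TS).replace(tzinfo=timezone.utc) for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= now < na:  # any clock-skew allowance is a deployment decision, none is applied here
        return False, "outside validity window"
    return True, "ok"

def demo():
    """Constructed sample: a fresh assertion, the same one replayed after expiry, and a wrong audience."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    issuer, aud = "CONSUMER_KEY_PLACEHOLDER", "https://login.salesforce.com"  # placeholders, not real values
    a = build_assertion(issuer, "user@example.com", aud, now - timedelta(minutes=1), now + timedelta(minutes=5))
    return (validate_assertion(a, issuer, aud, now), validate_assertion(a, issuer, aud, now + timedelta(minutes=10)),
            validate_assertion(a, issuer, "https://test.salesforce.com", now), token_request_body(a)["grant_type"])
```

Because no refresh_token is issued in this flow, a client re-runs the whole exchange with a freshly timed assertion when the access token expires, so the validity window check above is what stops an old assertion from being replayed.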