How to generate assertion message for SAP to get access token to resource server?

We are creating a mobile app on OutSystems cloud to access a SAML provider portal within our enterprise, which after correct authentication gives us access to a SAP system.

In a proof of concept we were able to read/write to the SAP Systems with REST API calls, but this time, for real development, we encounter the challenge of passing the SAML provider portal and being directly able to read/write, also via REST, to SAP with delegated authorization (without the need to re-login on the app when passing through the portal authorization).

As a 1st attempt we have configured the IDP tool from the Forge with our endpoints, get the portal page on the app and, after login, we pass the portal login successfully. The next step was, according to the OAuth 2.0 document, that we need to get an authorization code and send it back to get an access token to our resource server to read/write data without any further authentication. We could not realize this next step and discussed this with someone with SAP knowledge.

We were advised there was no need for getting an authorization code and to generate our own message with userid, assertion (from IDP message log) to get an access token to the resource server by calling the token endpoint. For this, e.g. OpenSSL tools need to be used to create a certificate. After getting the token we should read/write data back to the SAP system through REST API calls.

Has anyone done this before and can give some help on how to realize this? Is this also the way to do it security-wise? I hope our intention is clear as described.

Thank you for any help/advice.
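The token request described in the question above, as an added example that is not part of the original post: it assumes the token endpoint accepts the standard OAuth 2.0 SAML bearer assertion grant (RFC 7522) and checks the assertion's validity window, audience and recipient before building the form body. The hosts, token URL, audience `SAP_SP`, client id and scope are constructed placeholders; the XML signature is not checked here, since the authorization server verifies it against the trusted IdP certificate.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_URL = "https://sap.example.com/oauth2/token"  # constructed placeholder

# Constructed sample assertion (unsigned, illustrative values only).
SAMPLE = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{TOKEN_URL}" NotOnOrAfter="2024-01-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>SAP_SP</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_token_request(assertion_xml, audience, client_id, scope, now):
    """Check the bearer assertion's constraints, then return the POST form body."""
    # Stdlib parser for brevity; use a hardened parser (e.g. defusedxml) for untrusted XML.
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion not issued for this audience")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS)
    if conf.get("Method") != BEARER or data.get("Recipient") != TOKEN_URL:
        raise ValueError("not a bearer assertion for this token endpoint")
    # RFC 7522: the assertion parameter is the base64url-encoded XML, without padding.
    encoded = base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")
    return urllib.parse.urlencode({"grant_type": GRANT, "assertion": encoded,
                                   "client_id": client_id, "scope": scope})
```

The returned string is sent as an `application/x-www-form-urlencoded` POST body to the token endpoint over HTTPS; no authorization code round trip is involved in this grant.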

Were you able to find an answer for your issue?

Nope. We are trying to set up Federated Single Sign On now, without the need to implement our own OAuth client, and have stranded on the SAP NetWeaver portal. Also setting up a SAML URL to get the authorized token and making the related machines trusted with certifications and using the HTTPS protocol. All is still ongoing. At the end, in theory, when we have the authorization token, we should be able to directly exchange information with the SAP system through the RESTful API services and eliminate basic authentication.