
Claim auth from ADFS

I am trying to connect to a SharePoint Online instance via a WPF application. I have found this article that describes a possible solution, but the problem is that the specific instance has an Active Directory Federation Services (ADFS) server in front of it and I don't know how to get the auth token. (I can't create a certificate for my application to authenticate against the ADFS.)

Has anyone already done this who can support me with some code snippets?

asked Jul 02 '12 14:07 by jwillmer


3 Answers

I've played with Fiddler. Basically the flow goes like this:

  • Get a SAML token from ADFS
  • Post it to https://login.microsoftonline.com/login.srf (body should be wa=wsignin1.0, wresult=<requestsecuritytokenresponse>…token…</rstr> and wctx=MEST=0&LoginOptions=2&wa=wsignin1%2E0&rpsnv=2&ct=1343219880&rver=6%2E1%2E6206%2E0&wp=MBI&wreply=https%3A%2F%2Fspirit365%2Esharepoint%2Ecom%2F%5Fforms%2Fdefault%2Easpx&id=500046&cbcxt=mai&wlidp=1&guest=1&vv=910&mkt=EN-US&lc=1033&bk=1343219930
  • Capture the input hidden named "t" from the Form
  • POST that "t" to /_layouts/Authenticate.aspx. That should give you the FedAuth and rtFa cookies.

From that point this is the same as the code here: http://www.wictorwilen.se/Post/How-to-do-active-authentication-to-Office-365-and-SharePoint-Online.aspx

answered Oct 03 '22 08:10 by woloski
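
The flow above, as an added worked example in Python rather than the C#/WPF the question is about (this is not the answer's own code): it form-encodes the login.srf POST, pulls the hidden "t" out of the form login.srf returns, and reads FedAuth and rtFa out of the Set-Cookie headers Authenticate.aspx sends back. The HTML, token and cookie values are constructed samples. The wctx is reduced to wa and wreply plus whatever the caller captured, on the assumption that the remaining values in the Fiddler capture (ct=, bk=, id=, ...) are session-specific and need not be replayed.

```python
"""login.srf -> hidden "t" -> Authenticate.aspx helpers (added example, offline)."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from typing import Dict, List, Optional
from urllib.parse import urlencode

LOGIN_SRF = "https://login.microsoftonline.com/login.srf"   # from the answer
AUTHENTICATE_PATH = "/_layouts/Authenticate.aspx"           # from the answer, relative to the tenant


def build_login_srf_body(rstr_xml: str, wreply: str, extra_ctx: Optional[Dict[str, str]] = None) -> str:
    """Form-encode the wa / wresult / wctx fields the answer lists.
    Assumption: only wa and wreply are required inside wctx; anything else you
    captured can be passed in extra_ctx. urlencode does the nested %-encoding."""
    ctx = {"wa": "wsignin1.0", "wreply": wreply}
    ctx.update(extra_ctx or {})
    return urlencode({"wa": "wsignin1.0", "wresult": rstr_xml, "wctx": urlencode(ctx)})


class _HiddenInputParser(HTMLParser):
    """Collects hidden <input> fields and the form action from the login.srf HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: Dict[str, str] = {}
        self.action: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        if tag == "input" and a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def extract_t(html: str) -> Optional[str]:
    """Value of the hidden input named "t", or None when login.srf rendered
    something else (an error page has no token form to submit)."""
    p = _HiddenInputParser()
    p.feed(html)
    p.close()
    return p.hidden.get("t")


def extract_auth_cookies(set_cookie_headers: List[str]) -> Dict[str, str]:
    """FedAuth and rtFa from the Set-Cookie headers Authenticate.aspx returns.
    Raises if either is missing: without both the SharePoint session is unusable."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    missing = [n for n in ("FedAuth", "rtFa") if n not in jar]
    if missing:
        raise ValueError("response did not set: " + ", ".join(missing))
    return {n: jar[n].value for n in ("FedAuth", "rtFa")}


# Constructed samples, standing in for the real login.srf and Authenticate.aspx responses.
SAMPLE_LOGIN_SRF_HTML = """<html><body>
<form method="post" action="https://spirit365.sharepoint.com/_forms/default.aspx?wa=wsignin1.0">
  <input type="hidden" name="t" value="EwAgAulXBAAUkZvBvDdN7C8mSAMPLE">
  <input type="hidden" name="wctx" value="MEST=0&amp;LoginOptions=2">
  <noscript><input type="submit" value="Continue"></noscript>
</form></body></html>"""

SAMPLE_SET_COOKIE = [
    "FedAuth=77uPD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48U1A; path=/; secure; HttpOnly",
    "rtFa=pRHZYAPqq4ub6xiv3Zb4B0ZTh1iAh8ZZ5pv2jK0; domain=sharepoint.com; path=/; secure; HttpOnly",
]


def demo() -> Dict[str, str]:
    """The offline part of the flow on the samples; the two HTTP POSTs are yours to make."""
    body = build_login_srf_body("<t:RequestSecurityTokenResponse/>",
                                "https://spirit365.sharepoint.com/_forms/default.aspx")
    t = extract_t(SAMPLE_LOGIN_SRF_HTML)
    if t is None:
        raise RuntimeError("login.srf did not return a token form")
    result = {"body_prefix": body[:22], "t": t}
    result.update(extract_auth_cookies(SAMPLE_SET_COOKIE))
    return result


if __name__ == "__main__":
    print(demo())
```

Nothing here touches the network: POST the string from build_login_srf_body to LOGIN_SRF with whatever HTTP client the WPF app already uses, feed the response body to extract_t, POST that value as "t" to the tenant's AUTHENTICATE_PATH, and hand the Set-Cookie headers to extract_auth_cookies. Checking for a missing "t" and for missing cookies at each step is what turns a silent redirect loop into a clear error.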


I have found the solution and made a post about it. I also put it on GitHub. You can find my blog post along with the GitHub link at my blog.

I hope this helps you as much as it helped me :-)

answered Oct 03 '22 09:10 by jwillmer


I spent a lot of time before I finally figured that out. In order to get the binary token you need to POST a message in the following format to the Microsoft Online Security Token Service (STS) site URL:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">[toUrl]</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      [assertion]
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>[url]</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>

In this message, replace the placeholders with the following values:

[toUrl]: the Microsoft Online Security Token Service (STS) site URL.
[url]: your SharePoint site URL.
[assertion]: the assertion XML token you got from your federation service.

After you get the t=... binary token from the response XML, you can POST it to your SharePoint site's default.aspx in order to get the cookies.

answered Oct 03 '22 10:10 by Ali Alemi
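
Filling the three placeholders by string replacement works, but an assertion that is not well-formed XML, or a [url] containing a "<", then silently produces a broken envelope. As an added example (Python, not the answer's code; a C# client would do the same with XmlDocument), the block below validates the assertion by parsing it, splices its original bytes in unchanged so a signed assertion's XML signature survives, escapes the two URLs, and then reads the t=... BinarySecurityToken and its expiry out of the STS response, turning a SOAP fault into an error instead of an empty result. The STS URL https://login.microsoftonline.com/extSTS.srf, the response layout and the fault text are assumptions and constructed samples, not taken from the answer.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict

NS = {  # namespaces of the envelope above, plus SAML 1.x for the assertion root
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "t": "http://schemas.xmlsoap.org/ws/2005/02/trust",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # serialise with the prefixes the answer uses
PLACEHOLDER = "__SAML_ASSERTION__"  # stands in for [assertion] until the final splice


def _q(prefix: str, local: str) -> str:
    return "{%s}%s" % (NS[prefix], local)


def build_rst(to_url: str, applies_to_url: str, assertion_xml: str) -> str:
    """Return the RST envelope with [toUrl], [url] and [assertion] filled in.
    The assertion is parsed to reject junk or a wrong root element but spliced in
    verbatim: re-serialising a signed assertion can change prefixes or whitespace
    and break its XML signature at the STS. URLs go in as escaped element text."""
    root = ET.fromstring(assertion_xml)
    if root.tag != _q("saml", "Assertion"):
        raise ValueError("expected a SAML 1.x Assertion, got %s" % root.tag)
    assertion_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", assertion_xml).strip()  # no declaration mid-document
    env = ET.Element(_q("s", "Envelope"))
    hdr = ET.SubElement(env, _q("s", "Header"))
    must = {_q("s", "mustUnderstand"): "1"}
    ET.SubElement(hdr, _q("a", "Action"), must).text = "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue"
    reply_to = ET.SubElement(hdr, _q("a", "ReplyTo"))
    ET.SubElement(reply_to, _q("a", "Address")).text = "http://www.w3.org/2005/08/addressing/anonymous"
    ET.SubElement(hdr, _q("a", "To"), must).text = to_url
    ET.SubElement(hdr, _q("o", "Security"), must).text = PLACEHOLDER
    rst = ET.SubElement(ET.SubElement(env, _q("s", "Body")), _q("t", "RequestSecurityToken"))
    epr = ET.SubElement(ET.SubElement(rst, _q("wsp", "AppliesTo")), _q("a", "EndpointReference"))
    ET.SubElement(epr, _q("a", "Address")).text = applies_to_url
    ET.SubElement(rst, _q("t", "KeyType")).text = "http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey"
    ET.SubElement(rst, _q("t", "RequestType")).text = "http://schemas.xmlsoap.org/ws/2005/02/trust/Issue"
    ET.SubElement(rst, _q("t", "TokenType")).text = "urn:oasis:names:tc:SAML:1.0:assertion"
    return ET.tostring(env, encoding="unicode").replace(PLACEHOLDER, assertion_xml, 1)


def assertion_id_in_envelope(envelope_xml: str) -> str:
    """Re-parse a finished envelope and return the AssertionID inside o:Security,
    which checks that the splice left well-formed XML in the expected place."""
    node = ET.fromstring(envelope_xml).find(
        "./{%s}Header/{%s}Security/{%s}Assertion" % (NS["s"], NS["o"], NS["saml"]))
    if node is None:
        raise ValueError("envelope carries no SAML assertion in its Security header")
    return node.get("AssertionID", "")


def parse_rstr(response_xml: str) -> Dict[str, str]:
    """Extract the t=... binary token and its expiry from the STS reply; a SOAP
    fault (rejected or expired assertion, unknown realm) is raised with its text."""
    doc = ET.fromstring(response_xml)
    fault = doc.find(".//{%s}Fault" % NS["s"])
    if fault is not None:
        raise RuntimeError("STS returned a fault: " + " ".join(
            n.text.strip() for n in fault.iter() if n.text and n.text.strip()))
    bst = doc.find(".//{%s}BinarySecurityToken" % NS["o"])
    token = (bst.text or "").strip() if bst is not None else ""
    if not token.startswith("t="):  # assumption: the compact token always starts with t=
        raise ValueError("no BinarySecurityToken with a t= value in the response")
    expires = doc.find(".//{%s}Expires" % NS["u"])
    return {"token": token, "expires": (expires.text or "").strip() if expires is not None else ""}


# Constructed samples, not captured from a real ADFS or STS; shapes are assumptions.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" '
    'AssertionID="_sample-0001" Issuer="http://adfs.example.com/adfs/services/trust" IssueInstant="2012-07-02T14:07:00Z">'
    '<saml:AuthenticationStatement AuthenticationMethod="urn:federation:authentication:windows" '
    'AuthenticationInstant="2012-07-02T14:07:00Z"><saml:Subject><saml:NameIdentifier>sample-immutable-id'
    '</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement></saml:Assertion>')
SAMPLE_RSTR = (
    '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body>'
    '<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:Lifetime>'
    '<wsu:Expires xmlns:wsu="' + NS["u"] + '">2012-07-02T22:07:00Z</wsu:Expires></wst:Lifetime>'
    '<wst:RequestedSecurityToken><wsse:BinarySecurityToken xmlns:wsse="' + NS["o"] + '" Id="Compact0">'
    't=EwAgAulXBAAUSAMPLETOKEN&amp;p=</wsse:BinarySecurityToken></wst:RequestedSecurityToken>'
    '</wst:RequestSecurityTokenResponse></S:Body></S:Envelope>')
SAMPLE_FAULT = (
    '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body><S:Fault><S:Code><S:Value>S:Sender'
    '</S:Value></S:Code><S:Reason><S:Text xml:lang="en-US">Authentication Failure</S:Text></S:Reason>'
    '</S:Fault></S:Body></S:Envelope>')


def demo() -> Dict[str, str]:
    # STS URL is an assumption (the answer only says "the MSO STS site URL"); tenant from the first answer
    envelope = build_rst("https://login.microsoftonline.com/extSTS.srf", "https://spirit365.sharepoint.com/", SAMPLE_ASSERTION)
    result = parse_rstr(SAMPLE_RSTR)  # in practice: the body returned by POSTing `envelope` to the STS
    result["assertion_id"] = assertion_id_in_envelope(envelope)
    return result
```

The parse-then-splice split is the point: parsing proves the assertion is one well-formed element of the expected type, while splicing the original text keeps byte-for-byte what ADFS signed. The returned "token" string is what the answer calls t=... and what gets POSTed to the SharePoint site's default.aspx; "expires" tells you when to fetch a new one rather than discovering it from a 403.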