First published on TECHNET on Feb 07, 2018
This post is a contribution from Vitaly Lyamin, an engineer with the SharePoint Developer Support team
We often see issues that have to do with actively authenticating to SharePoint Online for the purpose of consuming APIs and services (WCF and ASMX). There are two flavors of authentication: one with a custom STS (a federated tenant, typically ADFS) and one without (using the MSO STS only). The end goal is to retrieve the authentication cookie (the SPOIDCRL cookie).
Step 1: Getting the Custom STS active endpoint URL
Microsoft Online provides a way to discover the custom STS authentication URL via the “GetUserRealm.srf” endpoint. The “STSAuthURL” node in the XML response contains the value.
Step 2: Authenticating to the STS and Retrieving the BinarySecurityToken
The default MSO endpoint https://login.microsoftonline.com/rst2.srf will take either the *.onmicrosoft.com user credentials or the assertion from the custom STS.
If there is a custom STS (as discovered in the previous step), that endpoint needs to be hit first to retrieve the assertion.
The SAML response from the rst2.srf endpoint contains the BinarySecurityToken, which is retrieved and used in the next step.
https://login.microsoftonline.com/rst2.srf (default MSO endpoint)
https://#ADFSHOST#/adfs/services/trust/2005/usernamemixed (username/password ADFS endpoint)
https://#ADFSHOST#/adfs/services/trust/2005/windowstransport (integrated Windows ADFS endpoint)
Step 3: Get the SPOIDCRL Cookie
Now that we have the BinarySecurityToken, we pass its value to the https://TENANT.sharepoint.com/_vti_bin/idcrl.svc endpoint in the Authorization header.
Authorization Header with BinarySecurityToken
Authorization: BPOSIDCRL t=*
The response from idcrl.svc sets the SPOIDCRL cookie, which can be programmatically retrieved and sent with subsequent API calls.
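The three steps above, written out as one runnable flow. This is an added example and not code from the original post or from the SharePoint Developer Support team: it builds the WS-Trust requests, parses the realm, STS and rst2.srf responses, forms the BPOSIDCRL header and pulls the SPOIDCRL cookie from the idcrl.svc reply. The HTTP transport is an injected `post` callable, and the sample responses are constructed (no real tokens), so the whole thing runs offline. The `xml=1` realm query flag, the `sharepoint.com` AppliesTo value and the `urn:passport:compact` token type are assumptions that the post does not state; the endpoint URLs, the `STSAuthURL` node, the `BinarySecurityToken` element and the `BPOSIDCRL t=` header shape come from the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from xml.sax.saxutils import escape

MSO_RST2 = "https://login.microsoftonline.com/rst2.srf"
USER_REALM = "https://login.microsoftonline.com/GetUserRealm.srf"
SOAP_HEADERS = {"Content-Type": "application/soap+xml; charset=utf-8"}
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for prefix, uri in NS.items():  # keep readable prefixes when re-serialising parsed elements
    ET.register_namespace(prefix, uri)

def discover_sts_auth_url(realm_xml):
    """Step 1: STSAuthURL from the GetUserRealm.srf XML; None means no custom STS (managed account)."""
    node = ET.fromstring(realm_xml).find("STSAuthURL")
    return node.text.strip() if node is not None and node.text else None

def username_token(username, password):
    """wsse:UsernameToken carried in the Security header of an RST."""
    return ("<wsse:UsernameToken><wsse:Username>%s</wsse:Username>"
            "<wsse:Password>%s</wsse:Password></wsse:UsernameToken>"
            % (escape(username), escape(password)))

def build_rst(to_url, applies_to, security_xml, token_type):
    """WS-Trust 2005 RequestSecurityToken/Issue envelope (shape assumed from WS-Trust, not taken from the post)."""
    return (
        '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"'
        f' xmlns:wsse="{NS["wsse"]}" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"'
        ' xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><s:Header>'
        '<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>'
        f'<a:To s:mustUnderstand="1">{escape(to_url)}</a:To>'
        f'<wsse:Security s:mustUnderstand="1">{security_xml}</wsse:Security></s:Header>'
        '<s:Body><wst:RequestSecurityToken><wsp:AppliesTo><a:EndpointReference>'
        f'<a:Address>{escape(applies_to)}</a:Address></a:EndpointReference></wsp:AppliesTo>'
        '<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>'
        f'<wst:TokenType>{token_type}</wst:TokenType></wst:RequestSecurityToken></s:Body></s:Envelope>'
    )

def extract_assertion(rstr_xml):
    """Custom STS reply: the saml:Assertion that rst2.srf accepts in place of a password."""
    node = ET.fromstring(rstr_xml).find(".//saml:Assertion", NS)
    if node is None:
        raise ValueError("custom STS response carried no SAML assertion")
    return ET.tostring(node, encoding="unicode")

def extract_binary_security_token(rstr_xml):
    """Step 2 result: BinarySecurityToken text from the rst2.srf reply (already of the form 't=...&p=')."""
    node = ET.fromstring(rstr_xml).find(".//wsse:BinarySecurityToken", NS)
    if node is None or not node.text:
        raise ValueError("rst2.srf response carried no BinarySecurityToken")
    return node.text.strip()

def idcrl_auth_header(token):
    """Step 3: Authorization value for idcrl.svc, exactly 'BPOSIDCRL ' followed by the token."""
    return "BPOSIDCRL " + token

def extract_spoidcrl_cookie(set_cookie_values):
    """Return the SPOIDCRL value from a list of Set-Cookie header values."""
    for raw in set_cookie_values:
        name, _, rest = raw.partition("=")
        if name.strip() == "SPOIDCRL":
            return rest.split(";", 1)[0]
    raise ValueError("idcrl.svc did not set SPOIDCRL")

def authenticate(tenant_host, username, password, post):
    """Full flow. `post(url, body, headers) -> (status, headers, body)` is injected so it runs offline in the demo."""
    _, _, realm = post(USER_REALM, urlencode({"login": username, "xml": "1"}), {})  # xml=1 is an assumed flag
    sts_url = discover_sts_auth_url(realm)
    if sts_url:  # federated tenant: trade the password for an assertion at the custom STS first
        rst = build_rst(sts_url, "urn:federation:MicrosoftOnline", username_token(username, password), NS["saml"])
        _, _, body = post(sts_url, rst, SOAP_HEADERS)
        credential = extract_assertion(body)
    else:        # managed tenant: rst2.srf takes the *.onmicrosoft.com credentials directly
        credential = username_token(username, password)
    # AppliesTo value and compact token type are assumptions, not stated in the post
    _, _, body = post(MSO_RST2, build_rst(MSO_RST2, "sharepoint.com", credential, "urn:passport:compact"), SOAP_HEADERS)
    token = extract_binary_security_token(body)
    _, headers, _ = post(f"https://{tenant_host}/_vti_bin/idcrl.svc/", "", {"Authorization": idcrl_auth_header(token)})
    return extract_spoidcrl_cookie(headers.get("Set-Cookie", []))

# Constructed sample responses (not real tokens) so the flow can be exercised without network access.
SAMPLE_REALM_FEDERATED = ('<RealmInfo Success="true"><NameSpaceType>Federated</NameSpaceType>'
    '<STSAuthURL>https://adfs.contoso.example/adfs/services/trust/2005/usernamemixed</STSAuthURL></RealmInfo>')
SAMPLE_REALM_MANAGED = '<RealmInfo Success="true"><NameSpaceType>Managed</NameSpaceType></RealmInfo>'
SAMPLE_ADFS_RSTR = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
    f'<saml:Assertion xmlns:saml="{NS["saml"]}" AssertionID="_constructed"><saml:Subject/></saml:Assertion>'
    '</s:Body></s:Envelope>')
SAMPLE_MSO_RSTR = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
    f'<wsse:BinarySecurityToken xmlns:wsse="{NS["wsse"]}" Id="Compact0">t=CONSTRUCTED&amp;p=</wsse:BinarySecurityToken>'
    '</s:Body></s:Envelope>')

def fake_post(url, body, headers):
    """Offline stand-in for an HTTPS POST, answering each endpoint with the constructed samples above."""
    if url == USER_REALM:
        return 200, {}, SAMPLE_REALM_FEDERATED
    if "/adfs/" in url:
        assert "<wsse:UsernameToken>" in body, "custom STS expects a UsernameToken"
        return 200, {}, SAMPLE_ADFS_RSTR
    if url == MSO_RST2:
        assert "<saml:Assertion" in body, "rst2.srf should receive the assertion, not the password"
        return 200, {}, SAMPLE_MSO_RSTR
    assert headers.get("Authorization", "").startswith("BPOSIDCRL t="), "idcrl.svc needs the BPOSIDCRL header"
    return 200, {"Set-Cookie": ["rtFa=x; Path=/", "SPOIDCRL=Q09OU1RSVUNURUQ=; Path=/; Secure; HttpOnly"]}, ""

if __name__ == "__main__":
    print(authenticate("contoso.sharepoint.com", "user@contoso.example", "not-a-real-password", fake_post))
```

To use this against a real tenant you would replace `fake_post` with a function that performs the HTTPS POST and returns the status, response headers and body; the parsing and header-building functions stay the same. Treat the BinarySecurityToken and the SPOIDCRL cookie as credentials: both grant access on their own, so keep them out of logs and send them only to the tenant host over HTTPS.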