%3CLINGO-SUB%20id%3D%22lingo-sub-510052%22%20slang%3D%22en-US%22%3ESharePoint%20Online%20Active%20Authentication%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-510052%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3EFirst%20published%20on%20TECHNET%20on%20Feb%2007%2C%202018%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20This%20post%20is%20a%20contribution%20from%20Vitaly%20Lyamin%2C%20an%20engineer%20with%20the%20SharePoint%20Developer%20Support%20team%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20We%20often%20see%20issues%20that%20have%20to%20do%20with%20actively%20authenticating%20to%20SharePoint%20Online%20for%20the%20purpose%20of%20consuming%20API%E2%80%99s%20and%20services%20(WCF%20and%20ASMX).%20There%20are%202%20flavors%20of%20authentication%20-%20one%20with%20a%20Custom%20STS%20and%20one%20without%20(Using%20MSO%20STS%20only).%20The%20end%20goal%20is%20to%20retrieve%20the%20authentication%20cookie%20(SPOIDCRL%20cookie).%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSTRONG%3EStep%201%3A%20Getting%20the%20Custom%20STS%20active%20endpoint%20URL%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20Microsoft%20Online%20provides%20a%20way%20to%20discover%20the%20custom%20STS%20authentication%20URL%20via%20the%20%E2%80%9CGetUserRealm.srf%E2%80%9D%20endpoint.%20The%20%E2%80%9CSTSAuthURL%E2%80%9D%20node%20in%20the%20XML%20response%20contains%20the%20value.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSTRONG%3EStep%202%3A%20Authenticating%20to%20the%20STS%20and%20Retrieving%20the%20BinarySecurityToken%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20The%20default%20MSO%20endpoint%20%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Frst2.srf%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Frst2.srf%3C%2FA%3E%20will%20either%20take%20the%20*.onmicrosoft.com%20user%20credentials%20or%20the%20assertion%20from%20the%20custom%20STS.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20If%20there%E2%80%99s%20a%20custom%20STS%20(as%20discovered%20in%20previous%20step)%2C%20that%20endpoint%20needs%20to%20be%20hit%20first%20to%20retrieve%20the%20assertion.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20The%20SAML%20response%20from%20rst2.srf%20endpoint%20contains%20the%20BinarySecurityToken%20which%20is%20retrieved%20and%20used%20in%20the%20next%20step.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20STS%20Endpoints%20%3CBR%20%2F%3E%20%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Frst2.srf%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Frst2.srf%3C%2FA%3E%20(default%20MSO%20endpoint)%20%3CBR%20%2F%3E%20https%3A%2F%2F%23ADFSHOST%23%2Fadfs%2Fservices%2Ftrust%2F2005%2Fusernamemixed%20(username%2Fpassword%20ADFS%20endpoint)%20%3CBR%20%2F%3E%20https%3A%2F%2F%23ADFSHOST%23%2Fadfs%2Fservices%2Ftrust%2F2005%2Fwindowstransport%20(integrated%20Windows%20ADFS%20endpoint)%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSTRONG%3E%20Step%203%3A%20Get%20the%20SPOIDCRL%20Cookie%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20Now%20that%20we%20have%20the%20BinarySecurityToken%2C%20we%20can%20pass%20the%20value%20to%20the%20%3CA%20href%3D%22https%3A%2F%2FTENANT.sharepoint.com%2F_vti_bin%2Fidcrl.svc%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2FTENANT.sharepoint.com%2F_vti_bin%2Fidcrl.svc%3C%2FA%3E%20endpoint%20in%20the%20Authorization%20header.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Authorization%20Header%20with%20BinarySecurityToken%20%3CBR%20%2F%3E%20Authorization%3A%20BPOSIDCRL%20t%3D*%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20The%20response%20from%20the%20idcrl.svc%20sets%20the%20SPOIDCRL%20cookie%20which%20can%20be%20programmatically%20retrieved%20and%20used%20in%20subsequent%20API%20calls.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CSTRONG%3E%20PowerShell%20Script%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CDIV%3E%3CBR%20%2F%3E%20%26lt%3B%23%20%3CBR%20%2F%3E%20.Synopsis%20%3CBR%20%2F%3E%20Retrieve%20SPOIDCR%20cookie%20for%20SharePoint%20Online.%20%3CBR%20%2F%3E%20.Description%20%3CBR%20%2F%3E%20Authenticates%20to%20the%20sts%20and%20retrieves%20the%20SPOIDCR%20cookie%20for%20SharePoint%20Online.%20%3CBR%20%2F%3E%20Will%20use%20the%20custom%20IDP%20if%20one%20has%20been%20setup.%20%3CBR%20%2F%3E%20Optionally%2C%20can%20use%20integrated%20credentials%20(when%20integrated%20is%20set%20to%20true)%20with%20ADFS%20using%20the%20windowsmixed%20endpoint.%20%3CBR%20%2F%3E%20Results%20are%20formattable%20as%20XML%2C%20JSON%2C%20KEYVALUE%2C%20and%20by%20line.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Makes%20global%20variables%20avaiable%20at%20the%20end%20of%20the%20run.%20%3CBR%20%2F%3E%20%24spoidcrl%20contains%20the%20SPOIDCRL%20cookie%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20.Example%20%3CBR%20%2F%3E%20The%20following%20returns%20the%20SPOIDCRL%20cookie%20value%20provided%20a%20username%20and%20password.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20PS%26gt%3B%20.%5Cspoidcrl.ps1%20-url%20%3CA%20href%3D%22https%3A%2F%2Fcontoso.sharepoint.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcontoso.sharepoint.com%3C%2FA%3E%20-username%20user%40contoso.com%20-password%20ABCDEFG%20%3CBR%20%2F%3E%20.Example%20%3CBR%20%2F%3E%20The%20following%20returns%20the%20SPOIDCRL%20cookie%20value%20using%20integrated%20windows%20credentials.%20Applies%20only%20to%20ADFS.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20PS%26gt%3B%20.%5Cspoidcrl.ps1%20-url%20%3CA%20href%3D%22https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fsite1%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fsite1%3C%2FA%3E%20-integrated%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20.Example%20%3CBR%20%2F%3E%20The%20following%20saves%20the%20SPOIDCRL%20cookie%20value%20using%20integrated%20windows%20credentials.%20Applies%20only%20to%20ADFS.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20PS%26gt%3B%20.%5Cspoidcrl.ps1%20-url%20%3CA%20href%3D%22https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fsite1%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2Fsite1%3C%2FA%3E%20-integrated%20-format%20%22XML%22%20%7C%20Out-File%20%22c%3A%5Ctemp%5Cspoidcr.txt%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20.PARAMETER%20url%20%3CBR%20%2F%3E%20Tenant%20url%20(e.g.%20contoso.sharepoint.com)%20%3CBR%20%2F%3E%20.PARAMETER%20username%20%3CBR%20%2F%3E%20The%20username%20to%20login%20with.%20(e.g.%20user%40contoso.com%20or%20user%40contoso.onmicrosoft.com)%20%3CBR%20%2F%3E%20.PARAMETER%20password%20%3CBR%20%2F%3E%20The%20password%20to%20login%20with.%20%3CBR%20%2F%3E%20.PARAMETER%20integrated%20%3CBR%20%2F%3E%20Whether%20to%20use%20integrated%20credentials%20(user%20running%20PowerShell)%20instead%20of%20explicit%20credentials.%20%3CBR%20%2F%3E%20Needs%20to%20be%20supported%20by%20ADFS.%20%3CBR%20%2F%3E%20.PARAMETER%20format%20%3CBR%20%2F%3E%20How%20to%20format%20the%20output.%20Options%20include%3A%20XML%2C%20JSON%2C%20KEYVALUE%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%23%26gt%3B%20%3CBR%20%2F%3E%20%5BCmdletBinding()%5D%20%3CBR%20%2F%3E%20Param(%20%3CBR%20%2F%3E%20%5BParameter(Mandatory%3D%24true)%5D%20%3CBR%20%2F%3E%20%5Bstring%5D%24url%2C%20%3CBR%20%2F%3E%20%5BParameter(Mandatory%3D%24false)%5D%20%3CBR%20%2F%3E%20%5Bstring%5D%24username%2C%20%3CBR%20%2F%3E%20%5BParameter(Mandatory%3D%24false)%5D%20%3CBR%20%2F%3E%20%5Bstring%5D%24password%2C%20%3CBR%20%2F%3E%20%5BParameter(Mandatory%3D%24false)%5D%20%3CBR%20%2F%3E%20%5Bswitch%5D%24integrated%20%3D%20%24false%2C%20%3CBR%20%2F%3E%20%5BParameter(Mandatory%3D%24false)%5D%20%3CBR%20%2F%3E%20%5Bstring%5D%24format%20%3CBR%20%2F%3E%20)%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24statusText%20%3D%20New-Object%20System.Text.StringBuilder%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20function%20log(%24info)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20if(%5Bstring%5D%3A%3AIsNullOrEmpty(%24info))%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%24info%20%3D%20%22%22%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%5Bvoid%5D%24statusText.AppendLine(%24info)%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20try%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20if%20(!%5Buri%5D%3A%3AIsWellFormedUriString(%24url%2C%20%5BUriKind%5D%3A%3AAbsolute))%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20throw%20%22Parameter%20'url'%20is%20not%20a%20valid%20URI.%22%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20else%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%24uri%20%3D%20%5Buri%5D%3A%3Anew(%24url)%20%3CBR%20%2F%3E%20%24tenant%20%3D%20%24uri.Authority%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20if%20(%24tenant.EndsWith(%22sharepoint.com%22%2C%20%5BSystem.StringComparison%5D%3A%3AOrdinalIgnoreCase))%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%24msoDomain%20%3D%20%22sharepoint.com%22%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20else%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%24msoDomain%20%3D%20%24tenant%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20if%20(%24integrated.ToBool())%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%5BSystem.Reflection.Assembly%5D%3A%3ALoadWithPartialName(%22System.DirectoryServices%22)%20%7C%20out-null%20%3CBR%20%2F%3E%20%5BSystem.Reflection.Assembly%5D%3A%3ALoadWithPartialName(%22System.DirectoryServices.AccountManagement%22)%20%7C%20out-null%20%3CBR%20%2F%3E%20%24username%20%3D%20%5BSystem.DirectoryServices.AccountManagement.UserPrincipal%5D%3A%3ACurrent.UserPrincipalName%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20elseif%20(%5Bstring%5D%3A%3AIsNullOrWhiteSpace(%24username)%20-or%20%5Bstring%5D%3A%3AIsNullOrWhiteSpace(%24password))%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%24credential%20%3D%20Get-Credential%20-UserName%20%24username%20-Message%20%22Enter%20credentials%22%20%3CBR%20%2F%3E%20%24username%20%3D%20%24credential.UserName%20%3CBR%20%2F%3E%20%24password%20%3D%20%24credential.GetNetworkCredential().Password%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24contextInfoUrl%20%3D%20%24url.TrimEnd('%2F')%20%2B%20%22%2F_api%2Fcontextinfo%22%20%3CBR%20%2F%3E%20%24getRealmUrl%20%3D%20%22%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2FGetUserRealm.srf%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2FGetUserRealm.srf%3C%2FA%3E%22%20%3CBR%20%2F%3E%20%24realm%20%3D%20%22urn%3Afederation%3AMicrosoftOnline%22%20%3CBR%20%2F%3E%20%24msoStsAuthUrl%20%3D%20%22%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Frst2.srf%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Frst2.srf%3C%2FA%3E%22%20%3CBR%20%2F%3E%20%24idcrlEndpoint%20%3D%20%22https%3A%2F%2F%24tenant%2F_vti_bin%2Fidcrl.svc%2F%22%20%3CBR%20%2F%3E%20%24username%20%3D%20%5BSystem.Security.SecurityElement%5D%3A%3AEscape(%24username)%20%3CBR%20%2F%3E%20%24password%20%3D%20%5BSystem.Security.SecurityElement%5D%3A%3AEscape(%24password)%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%23%20Custom%20STS%20integrated%20authentication%20envelope%20format%20index%20info%20%3CBR%20%2F%3E%20%23%200%3A%20message%20id%20-%20unique%20guid%20%3CBR%20%2F%3E%20%23%201%3A%20custom%20STS%20auth%20url%20%3CBR%20%2F%3E%20%23%202%3A%20realm%20%3CBR%20%2F%3E%20%24customStsSamlIntegratedRequestFormat%20%3D%20%22%3CENVELOPE%20s%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%3C%2FA%3E%60%22%20xmlns%3Aa%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%60%26quot%3B%26gt%3B%26lt%3Bs%3AHeader%26gt%3B%26lt%3Ba%3AAction%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%60%22%26gt%3B%3CHEADER%3E%3CACTION%3E%3C%2FACTION%3E%3C%2FHEADER%3E%3C%2FA%3E%20s%3AmustUnderstand%3D%60%221%60%22%26gt%3B%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FRST%2FIssue%26lt%3B%2Fa%3AAction%26gt%3B%26lt%3Ba%3AMessageID%26gt%3Burn%3Auuid%3A%7B0%7D%26lt%3B%2Fa%3AMessageID%26gt%3B%26lt%3Ba%3AReplyTo%26gt%3B%26lt%3Ba%3AAddress%26gt%3Bhttp%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%2Fanonymous%26lt%3B%2Fa%3AAddress%26gt%3B%26lt%3B%2Fa%3AReplyTo%26gt%3B%26lt%3Ba%3ATo%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FRST%2FIssue%3C%2FA%3E%3C%2FENVELOPE%3E%3CMESSAGEID%3Eurn%3Auuid%3A%7B0%7D%3C%2FMESSAGEID%3E%3CREPLYTO%3E%3CADDRESS%3E%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%2Fanonymous%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%2Fanonymous%3C%2FA%3E%3C%2FADDRESS%3E%3C%2FREPLYTO%3E%3CTO%3E%20s%3AmustUnderstand%3D%60%221%60%22%26gt%3B%7B1%7D%3C%2FTO%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CREQUESTSECURITYTOKEN%20t%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%60%26quot%3B%26gt%3B%26lt%3Bwsp%3AAppliesTo%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%3C%2FA%3E%60%22%26gt%3B%3CAPPLIESTO%3E%20xmlns%3Awsp%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%60%26quot%3B%26gt%3B%26lt%3Bwsa%3AEndpointReference%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%60%22%26gt%3B%3CENDPOINTREFERENCE%3E%3C%2FENDPOINTREFERENCE%3E%3C%2FA%3E%20xmlns%3Awsa%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%60%26quot%3B%26gt%3B%26lt%3Bwsa%3AAddress%26gt%3B%7B2%7D%26lt%3B%2Fwsa%3AAddress%26gt%3B%26lt%3B%2Fwsa%3AEndpointReference%26gt%3B%26lt%3B%2Fwsp%3AAppliesTo%26gt%3B%26lt%3Bt%3AKeyType%26gt%3Bhttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2FNoProofKey%26lt%3B%2Ft%3AKeyType%26gt%3B%26lt%3Bt%3ARequestType%26gt%3Bhttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%26lt%3B%2Ft%3ARequestType%26gt%3B%26lt%3B%2Ft%3ARequestSecurityToken%26gt%3B%26lt%3B%2Fs%3ABody%26gt%3B%26lt%3B%2Fs%3AEnvelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%60%22%26gt%3B%3CADDRESS%3E%7B2%7D%3C%2FADDRESS%3E%3C%2FA%3E%3C%2FAPPLIESTO%3E%3C%2FREQUESTSECURITYTOKEN%3E%3CKEYTYPE%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2FNoProofKey%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2FNoProofKey%3C%2FA%3E%3C%2FKEYTYPE%3E%3CREQUESTTYPE%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%3C%2FA%3E%3C%2FREQUESTTYPE%3E%26gt%3B%22%3B%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%23%20custom%20STS%20envelope%20format%20index%20info%20%3CBR%20%2F%3E%20%23%20%7B0%7D%3A%20ADFS%20url%2C%20such%20as%20%3CA%20href%3D%22https%3A%2F%2Fcorp.sts.contoso.com%2Fadfs%2Fservices%2Ftrust%2F2005%2Fusernamemixed%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fcorp.sts.contoso.com%2Fadfs%2Fservices%2Ftrust%2F2005%2Fusernamemixed%3C%2FA%3E%2C%20its%20value%20comes%20from%20the%20response%20in%20GetUserRealm%20request.%20%3CBR%20%2F%3E%20%23%20%7B1%7D%3A%20MessageId%2C%20it%20could%20be%20an%20arbitrary%20guid%20%3CBR%20%2F%3E%20%23%20%7B2%7D%3A%20UserLogin%2C%20such%20as%20someone%40contoso.com%20%3CBR%20%2F%3E%20%23%20%7B3%7D%3A%20Password%20%3CBR%20%2F%3E%20%23%20%7B4%7D%3A%20Created%20datetime%20in%20UTC%2C%20such%20as%202012-11-16T23%3A24%3A52Z%20%3CBR%20%2F%3E%20%23%20%7B5%7D%3A%20Expires%20datetime%20in%20UTC%2C%20such%20as%202012-11-16T23%3A34%3A52Z%20%3CBR%20%2F%3E%20%23%20%7B6%7D%3A%20tokenIssuerUri%2C%20such%20as%20urn%3Afederation%3AMicrosoftOnline%2C%20or%20urn%3Afederation%3AMicrosoftOnline-int%20%3CBR%20%2F%3E%20%24customStsSamlRequestFormat%20%3D%20%22%3CENVELOPE%20s%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%3C%2FA%3E%60%22%20xmlns%3Awsse%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-secext-1.0.xsd%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-secext-1.0.xsd%3C%2FA%3E%60%22%20xmlns%3Asaml%3D%60%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion%60%22%20xmlns%3Awsp%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%3C%2FA%3E%60%22%20xmlns%3Awsu%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%3C%2FA%3E%60%22%20xmlns%3Awsa%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%3C%2FA%3E%60%22%20xmlns%3Awssc%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Fsc%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Fsc%3C%2FA%3E%60%22%20xmlns%3Awst%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%60%26quot%3B%26gt%3B%26lt%3Bs%3AHeader%26gt%3B%26lt%3Bwsa%3AAction%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%60%22%26gt%3B%3CHEADER%3E%3CACTION%3E%3C%2FACTION%3E%3C%2FHEADER%3E%3C%2FA%3E%20s%3AmustUnderstand%3D%60%221%60%22%26gt%3B%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FRST%2FIssue%26lt%3B%2Fwsa%3AAction%26gt%3B%26lt%3Bwsa%3ATo%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FRST%2FIssue%3C%2FA%3E%3C%2FENVELOPE%3E%3CTO%3E%20s%3AmustUnderstand%3D%60%221%60%22%26gt%3B%7B0%7D%3C%2FTO%3E%3CMESSAGEID%3E%7B1%7D%3C%2FMESSAGEID%3E%3CAUTHINFO%20ps%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2FPassport%2FSoapServices%2FPPCRL%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2FPassport%2FSoapServices%2FPPCRL%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2FPassport%2FSoapServices%2FPPCRL%3C%2FA%3E%60%22%20Id%3D%60%22PPAuthInfo%60%22%26gt%3B%3CHOSTINGAPP%3EManaged%20IDCRL%3C%2FHOSTINGAPP%3E%3CBINARYVERSION%3E6%3C%2FBINARYVERSION%3E%3CUIVERSION%3E1%3C%2FUIVERSION%3E%3CCOOKIES%3E%3C%2FCOOKIES%3E%3CREQUESTPARAMS%3EAQAAAAIAAABsYwQAAAAxMDMz%3C%2FREQUESTPARAMS%3E%3C%2FAUTHINFO%3E%3CSECURITY%3E%3CUSERNAMETOKEN%20id%3D%22%60%26quot%3Buser%60%26quot%3B%22%3E%3CUSERNAME%3E%7B2%7D%3C%2FUSERNAME%3E%3CPASSWORD%3E%7B3%7D%3C%2FPASSWORD%3E%3C%2FUSERNAMETOKEN%3E%3CTIMESTAMP%20id%3D%22%60%26quot%3BTimestamp%60%26quot%3B%22%3E%3CCREATED%3E%7B4%7D%3C%2FCREATED%3E%3CEXPIRES%3E%7B5%7D%3C%2FEXPIRES%3E%3C%2FTIMESTAMP%3E%3C%2FSECURITY%3E%3CREQUESTSECURITYTOKEN%20id%3D%22%60%26quot%3BRST0%60%26quot%3B%22%3E%3CREQUESTTYPE%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%26lt%3B%2Fwst%3ARequestType%26gt%3B%26lt%3Bwsp%3AAppliesTo%26gt%3B%26lt%3Bwsa%3AEndpointReference%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%3C%2FA%3E%3C%2FREQUESTTYPE%3E%3CAPPLIESTO%3E%3CENDPOINTREFERENCE%3E%26gt%3B%20%3CADDRESS%3E%7B6%7D%3C%2FADDRESS%3E%3C%2FENDPOINTREFERENCE%3E%3C%2FAPPLIESTO%3E%3CKEYTYPE%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2FNoProofKey%26lt%3B%2Fwst%3AKeyType%26gt%3B%26lt%3B%2Fwst%3ARequestSecurityToken%26gt%3B%26lt%3B%2Fs%3ABody%26gt%3B%26lt%3B%2Fs%3AEnvelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F05%2Fidentity%2FNoProofKey%3C%2FA%3E%3C%2FKEYTYPE%3E%3C%2FREQUESTSECURITYTOKEN%3E%26gt%3B%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%23%20mso%20envelope%20format%20index%20info%20(Used%20for%20custom%20STS%20%2B%20MSO%20authentication)%20%3CBR%20%2F%3E%20%23%200%3A%20custom%20STS%20assertion%20%3CBR%20%2F%3E%20%23%201%3A%20mso%20endpoint%20%3CBR%20%2F%3E%20%24msoSamlRequestFormat%20%3D%20%22%3CENVELOPE%20s%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%3C%2FA%3E%60%22%20xmlns%3Awsse%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-secext-1.0.xsd%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-secext-1.0.xsd%3C%2FA%3E%60%22%20xmlns%3Awsp%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%3C%2FA%3E%60%22%20xmlns%3Awsu%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%3C%2FA%3E%60%22%20xmlns%3Awsa%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%3C%2FA%3E%60%22%20xmlns%3Awst%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%60%26quot%3B%26gt%3B%26lt%3BS%3AHeader%26gt%3B%26lt%3Bwsa%3AAction%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%60%22%26gt%3B%3CHEADER%3E%3CACTION%3E%3C%2FACTION%3E%3C%2FHEADER%3E%3C%2FA%3E%20S%3AmustUnderstand%3D%60%221%60%22%26gt%3B%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FRST%2FIssue%26lt%3B%2Fwsa%3AAction%26gt%3B%26lt%3Bwsa%3ATo%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FRST%2FIssue%3C%2FA%3E%3C%2FENVELOPE%3E%3CTO%3E%20S%3AmustUnderstand%3D%60%221%60%22%26gt%3B%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Frst2.srf%26lt%3B%2Fwsa%3ATo%26gt%3B%26lt%3Bps%3AAuthInfo%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Frst2.srf%3C%2FA%3E%3C%2FTO%3E%3CAUTHINFO%3E%20xmlns%3Aps%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2FLiveID%2FSoapServices%2Fv1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2FLiveID%2FSoapServices%2Fv1%3C%2FA%3E%60%22%20Id%3D%60%22PPAuthInfo%60%22%26gt%3B%3CBINARYVERSION%3E5%3C%2FBINARYVERSION%3E%3CHOSTINGAPP%3EManaged%20IDCRL%3C%2FHOSTINGAPP%3E%3C%2FAUTHINFO%3E%3CSECURITY%3E%7B0%7D%3C%2FSECURITY%3E%3CREQUESTSECURITYTOKEN%20wst%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%3C%2FA%3E%60%22%20Id%3D%60%22RST0%60%22%26gt%3B%3CREQUESTTYPE%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%26lt%3B%2Fwst%3ARequestType%26gt%3B%26lt%3Bwsp%3AAppliesTo%26gt%3B%26lt%3Bwsa%3AEndpointReference%26gt%3B%26lt%3Bwsa%3AAddress%26gt%3B%7B1%7D%26lt%3B%2Fwsa%3AAddress%26gt%3B%26lt%3B%2Fwsa%3AEndpointReference%26gt%3B%26lt%3B%2Fwsp%3AAppliesTo%26gt%3B%26lt%3Bwsp%3APolicyReference%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%3C%2FA%3E%3C%2FREQUESTTYPE%3E%3CAPPLIESTO%3E%3CENDPOINTREFERENCE%3E%3CADDRESS%3E%7B1%7D%3C%2FADDRESS%3E%3C%2FENDPOINTREFERENCE%3E%3C%2FAPPLIESTO%3E%3CPOLICYREFERENCE%3E%20URI%3D%60%22MBI%60%22%26gt%3B%3C%2FPOLICYREFERENCE%3E%3C%2FREQUESTSECURITYTOKEN%3E%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%23%20mso%20envelope%20format%20index%20info%20(Used%20for%20MSO-only%20authentication)%20%3CBR%20%2F%3E%20%23%200%3A%20mso%20endpoint%20%3CBR%20%2F%3E%20%23%201%3A%20username%20%3CBR%20%2F%3E%20%23%202%3A%20password%20%3CBR%20%2F%3E%20%24msoSamlRequestFormat2%20%3D%20%22%3CENVELOPE%20s%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2003%2F05%2Fsoap-envelope%3C%2FA%3E%60%22%20xmlns%3Awsse%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-secext-1.0.xsd%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-secext-1.0.xsd%3C%2FA%3E%60%22%20xmlns%3Awsp%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%3C%2FA%3E%60%22%20xmlns%3Awsu%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fdocs.oasis-open.org%2Fwss%2F2004%2F01%2Foasis-200401-wss-wssecurity-utility-1.0.xsd%3C%2FA%3E%60%22%20xmlns%3Awsa%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.w3.org%2F2005%2F08%2Faddressing%3C%2FA%3E%60%22%20xmlns%3Awst%3D%60%22%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%60%26quot%3B%26gt%3B%26lt%3BS%3AHeader%26gt%3B%26lt%3Bwsa%3AAction%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%60%22%26gt%3B%3CHEADER%3E%3CACTION%3E%3C%2FACTION%3E%3C%2FHEADER%3E%3C%2FA%3E%20S%3AmustUnderstand%3D%60%221%60%22%26gt%3B%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FRST%2FIssue%26lt%3B%2Fwsa%3AAction%26gt%3B%26lt%3Bwsa%3ATo%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FRST%2FIssue%3C%2FA%3E%3C%2FENVELOPE%3E%3CTO%3E%20S%3AmustUnderstand%3D%60%221%60%22%26gt%3B%7B0%7D%3C%2FTO%3E%3CAUTHINFO%20ps%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2FLiveID%2FSoapServices%2Fv1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2FLiveID%2FSoapServices%2Fv1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2FLiveID%2FSoapServices%2Fv1%3C%2FA%3E%60%22%20Id%3D%60%22PPAuthInfo%60%22%26gt%3B%3CBINARYVERSION%3E5%3C%2FBINARYVERSION%3E%3CHOSTINGAPP%3EManaged%20IDCRL%3C%2FHOSTINGAPP%3E%3C%2FAUTHINFO%3E%3CSECURITY%3E%3CUSERNAMETOKEN%20id%3D%22%60%26quot%3Buser%60%26quot%3B%22%3E%3CUSERNAME%3E%7B1%7D%3C%2FUSERNAME%3E%3CPASSWORD%3E%7B2%7D%3C%2FPASSWORD%3E%3C%2FUSERNAMETOKEN%3E%3C%2FSECURITY%3E%3CREQUESTSECURITYTOKEN%20wst%3D%22%60%26quot%3B%26lt%3BA%22%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%3C%2FA%3E%60%22%20Id%3D%60%22RST0%60%22%26gt%3B%3CREQUESTTYPE%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%26lt%3B%2Fwst%3ARequestType%26gt%3B%26lt%3Bwsp%3AAppliesTo%26gt%3B%26lt%3Bwsa%3AEndpointReference%26gt%3B%26lt%3Bwsa%3AAddress%26gt%3Bsharepoint.com%26lt%3B%2Fwsa%3AAddress%26gt%3B%26lt%3B%2Fwsa%3AEndpointReference%26gt%3B%26lt%3B%2Fwsp%3AAppliesTo%26gt%3B%26lt%3Bwsp%3APolicyReference%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%2FIssue%3C%2FA%3E%3C%2FREQUESTTYPE%3E%3CAPPLIESTO%3E%3CENDPOINTREFERENCE%3E%3CADDRESS%3Esharepoint.com%3C%2FADDRESS%3E%3C%2FENDPOINTREFERENCE%3E%3C%2FAPPLIESTO%3E%3CPOLICYREFERENCE%3E%20URI%3D%60%22MBI%60%22%26gt%3B%3C%2FPOLICYREFERENCE%3E%3C%2FREQUESTSECURITYTOKEN%3E%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20function%20Invoke-HttpPost(%24endpoint%2C%20%24body%2C%20%24headers%2C%20%24session)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%3CBR%20%2F%3E%20log%20%22Invoke-HttpPost%22%20%3CBR%20%2F%3E%20log%20%22url%3A%20%24endpoint%22%20%3CBR%20%2F%3E%20log%20%22post%20body%3A%20%24body%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24params%20%3D%20%40%7B%7D%20%3CBR%20%2F%3E%20%24params.Headers%20%3D%20%24headers%20%3CBR%20%2F%3E%20%24params.uri%20%3D%20%24endpoint%20%3CBR%20%2F%3E%20%24params.Body%20%3D%20%24body%20%3CBR%20%2F%3E%20%24params.Method%20%3D%20%22POST%22%20%3CBR%20%2F%3E%20%24params.WebSession%20%3D%20%24session%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24response%20%3D%20Invoke-WebRequest%20%40params%20-ContentType%20%22application%2Fsoap%2Bxml%3B%20charset%3Dutf-8%22%20-UseDefaultCredentials%20-UserAgent%20(%5Bstring%5D%3A%3AEmpty)%20%3CBR%20%2F%3E%20%24content%20%3D%20%24response.Content%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20return%20%24content%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%23%20Get%20saml%20Assertion%20value%20from%20the%20custom%20STS%20%3CBR%20%2F%3E%20function%20Get-AssertionCustomSts(%24customStsAuthUrl)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%3CBR%20%2F%3E%20log%20%22Get-AssertionCustomSts%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24messageId%20%3D%20%5Bguid%5D%3A%3ANewGuid()%20%3CBR%20%2F%3E%20%24created%20%3D%20%5Bdatetime%5D%3A%3AUtcNow.ToString(%22o%22%2C%20%5BSystem.Globalization.CultureInfo%5D%3A%3AInvariantCulture)%20%3CBR%20%2F%3E%20%24expires%20%3D%20%5Bdatetime%5D%3A%3AUtcNow.AddMinutes(10).ToString(%22o%22%2C%20%5BSystem.Globalization.CultureInfo%5D%3A%3AInvariantCulture)%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20if%20(%24integrated.ToBool())%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%22integrated%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24customStsAuthUrl%20%3D%20%24customStsAuthUrl.ToLowerInvariant().Replace(%22%2Fusernamemixed%22%2C%22%2Fwindowstransport%22)%20%3CBR%20%2F%3E%20log%20%24customStsAuthUrl%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24requestSecurityToken%20%3D%20%5Bstring%5D%3A%3AFormat(%24customStsSamlIntegratedRequestFormat%2C%20%24messageId%2C%20%24customStsAuthUrl%2C%20%24realm)%20%3CBR%20%2F%3E%20log%20%24requestSecurityToken%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20else%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%22not%20integrated%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24requestSecurityToken%20%3D%20%5Bstring%5D%3A%3AFormat(%24customStsSamlRequestFormat%2C%20%24customStsAuthUrl%2C%20%24messageId%2C%20%24username%2C%20%24password%2C%20%24created%2C%20%24expires%2C%20%24realm)%20%3CBR%20%2F%3E%20log%20%24requestSecurityToken%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%5Bxml%5D%24customStsXml%20%3D%20Invoke-HttpPost%20%24customStsAuthUrl%20%24requestSecurityToken%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20return%20%24customStsXml.Envelope.Body.RequestSecurityTokenResponse.RequestedSecurityToken.Assertion.OuterXml%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20function%20Get-BinarySecurityToken(%24customStsAssertion%2C%20%24msoSamlRequestFormatTemp)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%3CBR%20%2F%3E%20log%20%22Get-BinarySecurityToken%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20if%20(%5Bstring%5D%3A%3AIsNullOrWhiteSpace(%24customStsAssertion))%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%22using%20username%20and%20password%22%20%3CBR%20%2F%3E%20%24msoPostEnvelope%20%3D%20%5Bstring%5D%3A%3AFormat(%24msoSamlRequestFormatTemp%2C%20%24msoDomain%2C%20%24username%2C%20%24password)%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20else%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%22using%20custom%20sts%20assertion%22%20%3CBR%20%2F%3E%20%24msoPostEnvelope%20%3D%20%5Bstring%5D%3A%3AFormat(%24msoSamlRequestFormatTemp%2C%20%24customStsAssertion%2C%20%24msoDomain)%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24msoContent%20%3D%20Invoke-HttpPost%20%24msoStsAuthUrl%20%24msoPostEnvelope%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%23%20Get%20binary%20security%20token%20using%20regex%20instead%20of%20%5Bxml%5D%20%3CBR%20%2F%3E%20%23%20Using%20regex%20to%20workaround%20PowerShell%20%5Bxml%5D%20bug%20where%20hidden%20characters%20cause%20failure%20%3CBR%20%2F%3E%20%5Bregex%5D%24regex%20%3D%20%22BinarySecurityToken%20Id%3D.*%26gt%3B(%5B%5E%26lt%3B%5D%2B)%26lt%3B%22%20%3CBR%20%2F%3E%20%24match%20%3D%20%24regex.Match(%24msoContent).Groups%5B1%5D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20return%20%24match.Value%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20function%20Get-SPOIDCRLCookie(%24msoBinarySecurityToken)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%3CBR%20%2F%3E%20log%20%22Get-SPOIDCRLCookie%22%20%3CBR%20%2F%3E%20log%20%3CBR%20%2F%3E%20log%20%22BinarySecurityToken%3A%20%24msoBinarySecurityToken%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24binarySecurityTokenHeader%20%3D%20%5Bstring%5D%3A%3AFormat(%22BPOSIDCRL%20%7B0%7D%22%2C%20%24msoBinarySecurityToken)%20%3CBR%20%2F%3E%20%24params%20%3D%20%40%7Buri%3D%24idcrlEndpoint%20%3CBR%20%2F%3E%20Method%3D%22GET%22%20%3CBR%20%2F%3E%20Headers%20%3D%20%40%7B%7D%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%24params.Headers%5B%22Authorization%22%5D%20%3D%20%24binarySecurityTokenHeader%20%3CBR%20%2F%3E%20%24params.Headers%5B%22X-IDCRL_ACCEPTED%22%5D%20%3D%20%22t%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24resonse%20%3D%20Invoke-WebRequest%20%40params%20-UserAgent%20(%5Bstring%5D%3A%3AEmpty)%20%3CBR%20%2F%3E%20%24cookie%20%3D%20%24resonse.BaseResponse.Cookies%5B%22SPOIDCRL%22%5D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20return%20%24cookie%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%23%20Retrieve%20the%20configured%20STS%20Auth%20Url%20(ADFS%2C%20PING%2C%20etc.)%20%3CBR%20%2F%3E%20function%20Get-UserRealmUrl(%24getRealmUrl%2C%20%24username)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%3CBR%20%2F%3E%20log%20%22Get-UserRealmUrl%22%20%3CBR%20%2F%3E%20log%20%22url%3A%20%24getRealmUrl%22%20%3CBR%20%2F%3E%20log%20%22username%3A%20%24username%22%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24body%20%3D%20%22login%3D%24username%26amp%3Bxml%3D1%22%20%3CBR%20%2F%3E%20%24response%20%3D%20Invoke-WebRequest%20-Uri%20%24getRealmUrl%20-Method%20POST%20-Body%20%24body%20-UserAgent%20(%5Bstring%5D%3A%3AEmpty)%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20return%20(%5Bxml%5D%24response.Content).RealmInfo.STSAuthURL%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%5BSystem.Net.ServicePointManager%5D%3A%3AExpect100Continue%20%3D%20%24true%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%231%20Get%20custom%20STS%20auth%20url%20%3CBR%20%2F%3E%20%24customStsAuthUrl%20%3D%20Get-UserRealmUrl%20%24getRealmUrl%20%24username%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20if%20(%24customStsAuthUrl%20-eq%20%24null)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%232%20Get%20binary%20security%20token%20from%20the%20MSO%20STS%20by%20passing%20the%20SAML%20%3CASSERTION%3E%20xml%20%3CBR%20%2F%3E%20%24customStsAssertion%20%3D%20%24null%20%3CBR%20%2F%3E%20%24msoBinarySecurityToken%20%3D%20Get-BinarySecurityToken%20%24customStsAssertion%20%24msoSamlRequestFormat2%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20else%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%232%20Get%20SAML%20%3CASSERTION%3E%20xml%20from%20custom%20STS%20%3CBR%20%2F%3E%20%24customStsAssertion%20%3D%20Get-AssertionCustomSts%20%24customStsAuthUrl%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%233%20Get%20binary%20security%20token%20from%20the%20MSO%20STS%20by%20passing%20the%20SAML%20%3CASSERTION%3E%20xml%20%3CBR%20%2F%3E%20%24msoBinarySecurityToken%20%3D%20Get-BinarySecurityToken%20%24customStsAssertion%20%24msoSamlRequestFormat%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%233%2F4%20Get%20SPOIDRCL%20cookie%20from%20SharePoint%20site%20by%20passing%20the%20binary%20security%20token%20%3CBR%20%2F%3E%20%23%20Save%20cookie%20and%20reuse%20with%20multiple%20requests%20%3CBR%20%2F%3E%20%24idcrl%20%3D%20%24null%20%3CBR%20%2F%3E%20%24idcrl%20%3D%20Get-SPOIDCRLCookie%20%24msoBinarySecurityToken%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20if%20(%5Bstring%5D%3A%3AIsNullOrEmpty(%24format))%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%24format%20%3D%20%5Bstring%5D%3A%3AEmpty%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20else%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20%24format%20%3D%20%24format.Trim().ToUpperInvariant()%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%24Global%3Aspoidcrl%20%3D%20%24idcrl%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20if%20(%24format%20-eq%20%22XML%22)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20Write-Output%20(%5Bstring%5D%3A%3AFormat(%22%3CSPOIDCRL%3E%7B0%7D%3C%2FSPOIDCRL%3E%22%2C%20%24idcrl.Value))%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20elseif%20(%24format%20-eq%20%22JSON%22)%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20Write-Output%20(%5Bstring%5D%3A%3AFormat(%22%7B%7B%60%22SPOIDCRL%60%22%3A%60%22%7B0%7D%60%22%7D%7D%22%2C%20%24idcrl.Value))%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20elseif%20(%24format.StartsWith(%22KEYVALUE%22)%20-or%20%24format.StartsWith(%22NAMEVALUE%22))%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20Write-Output%20(%22SPOIDCRL%3A%22%20%2B%20%24idcrl.Value)%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20else%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20Write-Output%20%24idcrl.Value%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20catch%20%3CBR%20%2F%3E%20%7B%20%3CBR%20%2F%3E%20log%20%24error%5B0%5D%20%3CBR%20%2F%3E%20%22ERROR%3A%22%20%2B%20%24statusText.ToString()%20%3CBR%20%2F%3E%20%7D%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%0A%20%0A%3C%2FASSERTION%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-510052%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20TECHNET%20on%20Feb%2007%2C%202018%20This%20post%20is%20a%20contribution%20from%20Vitaly%20Lyamin%2C%20an%20engineer%20with%20the%20SharePoint%20Developer%20Support%20teamWe%20often%20see%20issues%20that%20have%20to%20do%20with%20actively%20authenticating%20to%20SharePoint%20Online%20for%20the%20purpose%20of%20consuming%20API%E2%80%99s%20and%20services%20(WCF%20and%20ASMX).%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-510052%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuthentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPowerShell%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3C%2FASSERTION%3E%3C%2FASSERTION%3E
Microsoft

First published on TECHNET on Feb 07, 2018
This post is a contribution from Vitaly Lyamin, an engineer with the SharePoint Developer Support team

We often see issues that have to do with actively authenticating to SharePoint Online for the purpose of consuming API’s and services (WCF and ASMX). There are 2 flavors of authentication - one with a Custom STS and one without (Using MSO STS only). The end goal is to retrieve the authentication cookie (SPOIDCRL cookie).

Step 1: Getting the Custom STS active endpoint URL
Microsoft Online provides a way to discover the custom STS authentication URL via the “GetUserRealm.srf” endpoint. The “STSAuthURL” node in the XML response contains the value.

Step 2: Authenticating to the STS and Retrieving the BinarySecurityToken
The default MSO endpoint https://login.microsoftonline.com/rst2.srf will either take the *.onmicrosoft.com user credentials or the assertion from the custom STS.

If there’s a custom STS (as discovered in previous step), that endpoint needs to be hit first to retrieve the assertion.

The SAML response from rst2.srf endpoint contains the BinarySecurityToken which is retrieved and used in the next step.

STS Endpoints
https://login.microsoftonline.com/rst2.srf (default MSO endpoint)
https://#ADFSHOST#/adfs/services/trust/2005/usernamemixed (username/password ADFS endpoint)
https://#ADFSHOST#/adfs/services/trust/2005/windowstransport (integrated Windows ADFS endpoint)

Step 3: Get the SPOIDCRL Cookie
Now that we have the BinarySecurityToken, we can pass the value to the https://TENANT.sharepoint.com/_vti_bin/idcrl.svc endpoint in the Authorization header.

Authorization Header with BinarySecurityToken
Authorization: BPOSIDCRL t=*

The response from the idcrl.svc sets the SPOIDCRL cookie which can be programmatically retrieved and used in subsequent API calls.

PowerShell Script



<#
.Synopsis
Retrieve SPOIDCR cookie for SharePoint Online.
.Description
Authenticates to the sts and retrieves the SPOIDCR cookie for SharePoint Online.
Will use the custom IDP if one has been setup.
Optionally, can use integrated credentials (when integrated is set to true) with ADFS using the windowsmixed endpoint.
Results are formattable as XML, JSON, KEYVALUE, and by line.

Makes global variables avaiable at the end of the run.
$spoidcrl contains the SPOIDCRL cookie

.Example
The following returns the SPOIDCRL cookie value provided a username and password.

PS> .\spoidcrl.ps1 -url https://contoso.sharepoint.com -username user@contoso.com -password ABCDEFG
.Example
The following returns the SPOIDCRL cookie value using integrated windows credentials. Applies only to ADFS.

PS> .\spoidcrl.ps1 -url https://contoso.sharepoint.com/sites/site1 -integrated

.Example
The following saves the SPOIDCRL cookie value using integrated windows credentials. Applies only to ADFS.

PS> .\spoidcrl.ps1 -url https://contoso.sharepoint.com/sites/site1 -integrated -format "XML" | Out-File "c:\temp\spoidcr.txt"

.PARAMETER url
Tenant url (e.g. contoso.sharepoint.com)
.PARAMETER username
The username to login with. (e.g. user@contoso.com or user@contoso.onmicrosoft.com)
.PARAMETER password
The password to login with.
.PARAMETER integrated
Whether to use integrated credentials (user running PowerShell) instead of explicit credentials.
Needs to be supported by ADFS.
.PARAMETER format
How to format the output. Options include: XML, JSON, KEYVALUE

#>
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true)]
[string]$url,
[Parameter(Mandatory=$false)]
[string]$username,
[Parameter(Mandatory=$false)]
[string]$password,
[Parameter(Mandatory=$false)]
[switch]$integrated = $false,
[Parameter(Mandatory=$false)]
[string]$format
)

$statusText = New-Object System.Text.StringBuilder

function log($info)
{
if([string]::IsNullOrEmpty($info))
{
$info = ""
}

[void]$statusText.AppendLine($info)
}

try
{
if (![uri]::IsWellFormedUriString($url, [UriKind]::Absolute))
{
throw "Parameter 'url' is not a valid URI."
}
else
{
$uri = [uri]::new($url)
$tenant = $uri.Authority
}

if ($tenant.EndsWith("sharepoint.com", [System.StringComparison]::OrdinalIgnoreCase))
{
$msoDomain = "sharepoint.com"
}
else
{
$msoDomain = $tenant
}

if ($integrated.ToBool())
{
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices") | out-null
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement") | out-null
$username = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current.UserPrincipalName
}
elseif ([string]::IsNullOrWhiteSpace($username) -or [string]::IsNullOrWhiteSpace($password))
{
$credential = Get-Credential -UserName $username -Message "Enter credentials"
$username = $credential.UserName
$password = $credential.GetNetworkCredential().Password
}

$contextInfoUrl = $url.TrimEnd('/') + "/_api/contextinfo"
$getRealmUrl = "https://login.microsoftonline.com/GetUserRealm.srf"
$realm = "urn:federation:MicrosoftOnline"
$msoStsAuthUrl = "https://login.microsoftonline.com/rst2.srf"
$idcrlEndpoint = "https://$tenant/_vti_bin/idcrl.svc/"
$username = [System.Security.SecurityElement]::Escape($username)
$password = [System.Security.SecurityElement]::Escape($password)

# Custom STS integrated authentication envelope format index info
# 0: message id - unique guid
# 1: custom STS auth url
# 2: realm
$customStsSamlIntegratedRequestFormat = "<?xml version=`"1.0`" encoding=`"UTF-8`"?><s:Envelope xmlns:s=`"http://www.w3.org/2003/05/soap-envelope`" xmlns:a=`"http://www.w3.org/2005/08/addressing`"><s:Header><a:Action s:mustUnderstand=`"1`">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action><a:MessageID>urn:uuid:{0}</a:Message... s:mustUnderstand=`"1`">{1}</a:To></s:Header><s:Body><t:RequestSecurityToken xmlns:t=`"http://schemas.xmlsoap.org/ws/2005/02/trust`"><wsp:AppliesTo xmlns:wsp=`"http://schemas.xmlsoap.org/ws/2004/09/policy`"><wsa:EndpointReference xmlns:wsa=`"http://www.w3.org/2005/08/addressing`"><wsa:Address>{2}</wsa:Address></wsa:EndpointReference></wsp:A...>";


# custom STS envelope format index info
# {0}: ADFS url, such as https://corp.sts.contoso.com/adfs/services/trust/2005/usernamemixed, its value comes from the response in GetUserRealm request.
# {1}: MessageId, it could be an arbitrary guid
# {2}: UserLogin, such as someone@contoso.com
# {3}: Password
# {4}: Created datetime in UTC, such as 2012-11-16T23:24:52Z
# {5}: Expires datetime in UTC, such as 2012-11-16T23:34:52Z
# {6}: tokenIssuerUri, such as urn:federation:MicrosoftOnline, or urn:federation:MicrosoftOnline-int
$customStsSamlRequestFormat = "<?xml version=`"1.0`" encoding=`"UTF-8`"?><s:Envelope xmlns:s=`"http://www.w3.org/2003/05/soap-envelope`" xmlns:wsse=`"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd`" xmlns:saml=`"urn:oasis:names:tc:SAML:1.0:assertion`" xmlns:wsp=`"http://schemas.xmlsoap.org/ws/2004/09/policy`" xmlns:wsu=`"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd`" xmlns:wsa=`"http://www.w3.org/2005/08/addressing`" xmlns:wssc=`"http://schemas.xmlsoap.org/ws/2005/02/sc`" xmlns:wst=`"http://schemas.xmlsoap.org/ws/2005/02/trust`"><s:Header><wsa:Action s:mustUnderstand=`"1`">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action><wsa:To s:mustUnderstand=`"1`">{0}</wsa:To><wsa:MessageID>{1}</wsa:MessageID><ps:AuthInfo xmlns:ps=`"http://schemas.microsoft.com/Passport/SoapServices/PPCRL`" Id=`"PPAuthInfo`"><ps:HostingApp>Managed IDCRL</ps:HostingApp><ps:BinaryVersion>6</ps:BinaryVersion><ps:UIVersion>1</ps:UIVersion><ps:Cookies></ps:Cookies><ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams></ps:AuthInfo><wsse:Security><wsse:UsernameToken wsu:Id=`"user`"><wsse:Username>{2}</wsse:Username><wsse:Password>{3}</wsse:Password></wsse:UsernameToken><wsu:Timestamp Id=`"Timestamp`"><wsu:Created>{4}</wsu:Created><wsu:Expires>{5}</wsu:Expires></wsu:Timestamp></wsse:Security></s:Header><s:Body><wst:RequestSecurityToken Id=`"RST0`"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo><wsa:EndpointRefer...> <wsa:Address>{6}</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType></wst:RequestSecurityToken></...>"

# mso envelope format index info (Used for custom STS + MSO authentication)
# 0: custom STS assertion
# 1: mso endpoint
$msoSamlRequestFormat = "<?xml version=`"1.0`" encoding=`"UTF-8`"?><S:Envelope xmlns:S=`"http://www.w3.org/2003/05/soap-envelope`" xmlns:wsse=`"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd`" xmlns:wsp=`"http://schemas.xmlsoap.org/ws/2004/09/policy`" xmlns:wsu=`"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd`" xmlns:wsa=`"http://www.w3.org/2005/08/addressing`" xmlns:wst=`"http://schemas.xmlsoap.org/ws/2005/02/trust`"><S:Header><wsa:Action S:mustUnderstand=`"1`">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action><wsa:To S:mustUnderstand=`"1`">https://login.microsoftonline.com/rst2.srf</wsa:To><ps:AuthInfo xmlns:ps=`"http://schemas.microsoft.com/LiveID/SoapServices/v1`" Id=`"PPAuthInfo`"><ps:BinaryVersion>5</ps:BinaryVersion><ps:HostingApp>Managed IDCRL</ps:HostingApp></ps:AuthInfo><wsse:Security>{0}</wsse:Security></S:Header><S:Body><wst:RequestSecurityToken xmlns:wst=`"http://schemas.xmlsoap.org/ws/2005/02/trust`" Id=`"RST0`"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo><wsa:EndpointRefer... URI=`"MBI`"></wsp:PolicyReference></wst:RequestSecurityToken></S:Body></S:Envelope>"

# mso envelope format index info (Used for MSO-only authentication)
# 0: mso endpoint
# 1: username
# 2: password
$msoSamlRequestFormat2 = "<?xml version=`"1.0`" encoding=`"UTF-8`"?><S:Envelope xmlns:S=`"http://www.w3.org/2003/05/soap-envelope`" xmlns:wsse=`"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd`" xmlns:wsp=`"http://schemas.xmlsoap.org/ws/2004/09/policy`" xmlns:wsu=`"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd`" xmlns:wsa=`"http://www.w3.org/2005/08/addressing`" xmlns:wst=`"http://schemas.xmlsoap.org/ws/2005/02/trust`"><S:Header><wsa:Action S:mustUnderstand=`"1`">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action><wsa:To S:mustUnderstand=`"1`">{0}</wsa:To><ps:AuthInfo xmlns:ps=`"http://schemas.microsoft.com/LiveID/SoapServices/v1`" Id=`"PPAuthInfo`"><ps:BinaryVersion>5</ps:BinaryVersion><ps:HostingApp>Managed IDCRL</ps:HostingApp></ps:AuthInfo><wsse:Security><wsse:UsernameToken wsu:Id=`"user`"><wsse:Username>{1}</wsse:Username><wsse:Password>{2}</wsse:Password></wsse:UsernameToken></wsse:Security></S:Header><S:Body><wst:RequestSecurityToken xmlns:wst=`"http://schemas.xmlsoap.org/ws/2005/02/trust`" Id=`"RST0`"><wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType><wsp:AppliesTo><wsa:EndpointRefer... URI=`"MBI`"></wsp:PolicyReference></wst:RequestSecurityToken></S:Body></S:Envelope>"


function Invoke-HttpPost($endpoint, $body, $headers, $session)
{
log
log "Invoke-HttpPost"
log "url: $endpoint"
log "post body: $body"

$params = @{}
$params.Headers = $headers
$params.uri = $endpoint
$params.Body = $body
$params.Method = "POST"
$params.WebSession = $session

$response = Invoke-WebRequest @params -ContentType "application/soap+xml; charset=utf-8" -UseDefaultCredentials -UserAgent ([string]::Empty)
$content = $response.Content

return $content
}

# Get saml Assertion value from the custom STS
function Get-AssertionCustomSts($customStsAuthUrl)
{
log
log "Get-AssertionCustomSts"

$messageId = [guid]::NewGuid()
$created = [datetime]::UtcNow.ToString("o", [System.Globalization.CultureInfo]::InvariantCulture)
$expires = [datetime]::UtcNow.AddMinutes(10).ToString("o", [System.Globalization.CultureInfo]::InvariantCulture)

if ($integrated.ToBool())
{
log "integrated"

$customStsAuthUrl = $customStsAuthUrl.ToLowerInvariant().Replace("/usernamemixed","/windowstransport")
log $customStsAuthUrl

$requestSecurityToken = [string]::Format($customStsSamlIntegratedRequestFormat, $messageId, $customStsAuthUrl, $realm)
log $requestSecurityToken

}
else
{
log "not integrated"

$requestSecurityToken = [string]::Format($customStsSamlRequestFormat, $customStsAuthUrl, $messageId, $username, $password, $created, $expires, $realm)
log $requestSecurityToken

}

[xml]$customStsXml = Invoke-HttpPost $customStsAuthUrl $requestSecurityToken

return $customStsXml.Envelope.Body.RequestSecurityTokenResponse.RequestedSecurityToken.Assertion.OuterXml
}

function Get-BinarySecurityToken($customStsAssertion, $msoSamlRequestFormatTemp)
{
log
log "Get-BinarySecurityToken"

if ([string]::IsNullOrWhiteSpace($customStsAssertion))
{
log "using username and password"
$msoPostEnvelope = [string]::Format($msoSamlRequestFormatTemp, $msoDomain, $username, $password)
}
else
{
log "using custom sts assertion"
$msoPostEnvelope = [string]::Format($msoSamlRequestFormatTemp, $customStsAssertion, $msoDomain)
}

$msoContent = Invoke-HttpPost $msoStsAuthUrl $msoPostEnvelope

# Get binary security token using regex instead of [xml]
# Using regex to workaround PowerShell [xml] bug where hidden characters cause failure
[regex]$regex = "BinarySecurityToken Id=.*>([^<]+)<"
$match = $regex.Match($msoContent).Groups[1]

return $match.Value
}

function Get-SPOIDCRLCookie($msoBinarySecurityToken)
{
log
log "Get-SPOIDCRLCookie"
log
log "BinarySecurityToken: $msoBinarySecurityToken"

$binarySecurityTokenHeader = [string]::Format("BPOSIDCRL {0}", $msoBinarySecurityToken)
$params = @{uri=$idcrlEndpoint
Method="GET"
Headers = @{}
}
$params.Headers["Authorization"] = $binarySecurityTokenHeader
$params.Headers["X-IDCRL_ACCEPTED"] = "t"

$resonse = Invoke-WebRequest @params -UserAgent ([string]::Empty)
$cookie = $resonse.BaseResponse.Cookies["SPOIDCRL"]

return $cookie
}

# Retrieve the configured STS Auth Url (ADFS, PING, etc.)
function Get-UserRealmUrl($getRealmUrl, $username)
{
log
log "Get-UserRealmUrl"
log "url: $getRealmUrl"
log "username: $username"

$body = "login=$username&xml=1"
$response = Invoke-WebRequest -Uri $getRealmUrl -Method POST -Body $body -UserAgent ([string]::Empty)

return ([xml]$response.Content).RealmInfo.STSAuthURL
}

[System.Net.ServicePointManager]::Expect100Continue = $true

#1 Get custom STS auth url
$customStsAuthUrl = Get-UserRealmUrl $getRealmUrl $username

if ($customStsAuthUrl -eq $null)
{
#2 Get binary security token from the MSO STS by passing the SAML <Assertion> xml
$customStsAssertion = $null
$msoBinarySecurityToken = Get-BinarySecurityToken $customStsAssertion $msoSamlRequestFormat2
}
else
{
#2 Get SAML <Assertion> xml from custom STS
$customStsAssertion = Get-AssertionCustomSts $customStsAuthUrl

#3 Get binary security token from the MSO STS by passing the SAML <Assertion> xml
$msoBinarySecurityToken = Get-BinarySecurityToken $customStsAssertion $msoSamlRequestFormat
}

#3/4 Get SPOIDRCL cookie from SharePoint site by passing the binary security token
# Save cookie and reuse with multiple requests
$idcrl = $null
$idcrl = Get-SPOIDCRLCookie $msoBinarySecurityToken

if ([string]::IsNullOrEmpty($format))
{
$format = [string]::Empty
}
else
{
$format = $format.Trim().ToUpperInvariant()
}

$Global:spoidcrl = $idcrl

if ($format -eq "XML")
{
Write-Output ([string]::Format("<SPOIDCRL>{0}</SPOIDCRL>", $idcrl.Value))
}
elseif ($format -eq "JSON")
{
Write-Output ([string]::Format("{{`"SPOIDCRL`":`"{0}`"}}", $idcrl.Value))
}
elseif ($format.StartsWith("KEYVALUE") -or $format.StartsWith("NAMEVALUE"))
{
Write-Output ("SPOIDCRL:" + $idcrl.Value)
}
else
{
Write-Output $idcrl.Value
}

}
catch
{
log $error[0]
"ERROR:" + $statusText.ToString()
}