SharePoint Online with ADFS Authentication

In July 2012 I had the problem that I wanted to connect to a SharePoint Online instance that had Active Directory Federation Services (ADFS) in front of it. At that time I couldn’t find any how-to on the web that explained how to do it. I asked at stackoverflow.com for a solution and got a hint, and I also found a post by Wictor Wilén on his blog that describes authentication to SharePoint Online without ADFS. At the time I solved my problem with a workaround in the project, but later that year I had the same problem again and I knew that I had to solve it on my own because my stackoverflow.com question hadn’t received any new answers.

I used Fiddler, a web debugging proxy, to understand the authentication process. First you need to get the Security Assertion Markup Language (SAML) tokens. I looked up the requirements for the SAML tokens and was able to get them. With those tokens I was then able to get a token from the Microsoft Online Services (MOS) via the Secure Token Service (STS). With that token I can finally authenticate my application against SharePoint Online and receive an authentication token that I have to send with all my REST requests (as cookies) in order to authenticate them.

At this last point, receiving the token from the Secure Token Service (STS), I stumbled upon an article by Omar Venado, who had solved my problem and posted the solution on his blog. Because I was short on time I used his finished solution in my project (with a few fixes and modifications) and threw my unfinished solution away. This is why I didn’t post any code snippets – look at Omar’s post for the snippets and a deeper explanation.

But because of my question on stackoverflow.com I received a few e-mails asking whether I had found the solution to my problem and whether I’m willing to share it. So I thought I’d write this blog post to spread the solution. I have also created a new project, copied the modified version of Omar’s solution into it and created a Windows 8 Store skeleton app. You can find it on GitHub: https://github.com/jwillmer/SharePointAuthentication

Feel free to use it, improve it and tell others about it ;-)
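An added example for the STS step described above (it is not code from this post, the GitHub project or Omar Venado's solution): it parses the STS reply and either returns the binary security token or surfaces the SOAP fault reason, so a failed exchange is not mistaken for an empty token. The names `StsResponseParser` and `ExtractBinaryToken` are hypothetical, the sample replies are constructed, and the SOAP 1.2 and WS-Security namespaces are assumed to be the ones the STS uses.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

static class StsResponseParser
{
    // Assumption: the STS answers with SOAP 1.2 and the OASIS WS-Security namespace.
    static readonly XNamespace Soap = "http://www.w3.org/2003/05/soap-envelope";
    static readonly XNamespace Wsse =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    // Returns the token text, or throws with the SOAP fault reason.
    public static string ExtractBinaryToken(string responseXml)
    {
        // The reply comes from the network: refuse DTDs and external entities.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(responseXml), settings))
            doc = XDocument.Load(reader);

        // A rejected request is returned as a Fault element instead of a token.
        XElement fault = doc.Descendants(Soap + "Fault").FirstOrDefault();
        if (fault != null)
        {
            string reason = fault.Descendants(Soap + "Text").Select(t => t.Value).FirstOrDefault();
            throw new InvalidOperationException("STS fault: " + (reason ?? "no reason given"));
        }

        XElement token = doc.Descendants(Wsse + "BinarySecurityToken").FirstOrDefault();
        if (token == null || string.IsNullOrWhiteSpace(token.Value))
            throw new InvalidOperationException("STS response contains no BinarySecurityToken");
        return token.Value.Trim();
    }

    static void Main()
    {
        // Constructed replies, trimmed to the elements the parser reads (not captured traffic).
        string ok = "<S:Envelope xmlns:S='" + Soap.NamespaceName + "'><S:Body>" +
            "<wsse:BinarySecurityToken xmlns:wsse='" + Wsse.NamespaceName + "'>t=EXAMPLE-TOKEN" +
            "</wsse:BinarySecurityToken></S:Body></S:Envelope>";
        string failed = "<S:Envelope xmlns:S='" + Soap.NamespaceName + "'><S:Body><S:Fault>" +
            "<S:Reason><S:Text>Authentication Failure</S:Text></S:Reason></S:Fault></S:Body></S:Envelope>";

        // Log only the length: the token is a bearer credential and must stay out of logs.
        Console.WriteLine("token received, {0} chars", ExtractBinaryToken(ok).Length);
        try { ExtractBinaryToken(failed); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

The same care applies to the cookies SharePoint Online returns in the last step: they authenticate every later request, so store and transmit them as secrets.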


About

Jens Willmer is a professional .NET developer. He works at a company located in southern Germany. In his spare time he writes blog articles, contributes to open source projects and plays beach volleyball.

Posted in Programming, Server
  • Jonathan

    Hi Jens,
    I’m currently facing a very similar problem at work.
    I’m currently set up for a task where I have to create an Outlook add-in which can store e-mails directly into Office 365.
    I found a good sample online which does this (saving is accomplished through a button),
    but instead of directly connecting to Office 365 (with user and password) I have to connect through an ADFS, which, if done through the browser, goes something like this:
    Open the Office 365 login page (enter e-mail only).
    The page redirects you immediately to another page where you are requested to enter a username and a password.
    And after that you are logged in.
    I’ve read both your and Omar Venado’s posts. My question to you is:
    Do I have to do extra authentication if I’m trying to connect a user through Outlook?
    Do you have any tips or ideas (code snippets)?
    I’m really grateful for your help! Thank you

    • http://jwillmer.de/blog/ Jens Willmer

      It shouldn’t be a problem to use my code in an Outlook plugin. If the user is connected to an Active Directory you can log in with single sign-on. If he isn’t, you need to provide a login mask like I did in the metro skeleton :-)

  • Bob

    Does this work for ADFS 2.0?

    • http://jwillmer.de/blog/ Jens Willmer

      As far as I know I have developed against an ADFS 2.0. So yes, it works!

  • Simon Ovens

    I used Wictor’s authentication to SharePoint Online without an ADFS and this worked great until we used a custom CNAME for the site. I noticed others reported the same problem.
    Do you know if using this authentication mechanism will be any different?

    • http://jwillmer.de/blog/ Jens Willmer

      I think the actual authentication mechanism isn’t that different. Give it a try but I can only assume that you end up with the same result :-(

      I currently have no option to test the skeleton with your settings. Please let me know if it works :-)

  • pknet

    Thanks for the article! It is just what I needed! I am having trouble getting back the binarysecuritytoken. Any ideas why I would not get it back? I have used Omar Venado’s code and others, but none of them return the token.
    Thanks in advance

    • http://jwillmer.de/blog/ Jens Willmer

      Sorry, I haven’t got such a problem. Maybe you can find a better answer at StackOverflow ;-)

  • tyler

    I need to do this same thing but from a Windows 7 thin client. I had hoped to be able to just call it via the client object model from a console app, but I’m not allowed to reference it because of the difference in .NET versions. I basically need something similar to GetAdfsSAMLTokenWinAuth() to run after the user logs in, but I’m having trouble sorting out how to change it in order to do what I need it to do. Any guidance will be much appreciated.

  • macca

    Thanks so much for posting this, it would have been a real pain to get working, but you have helped me a lot in my troubles.

  • Catherine

    Hi Jens. I am trying to combine both forms authentication with ADFS authentication in one .NET application using C#.

    I have already authenticated against ADFS and returned a validated SAML token, but I am wondering if there is an easy way to log into my site using this token, rather than creating a FormsAuthenticationTicket? Ideally, I want this to create a cookie to enable SSO for other sites I have developed and assigned to my own custom STS.

    • http://jwillmer.de/blog/ Jens Willmer

      I don’t know if there is an easier solution but maybe someone at stackoverflow.com can help you with that ;-)