Authenticating to SharePoint Online using cURL (using ADFS 2.1 as IP-STS)

Duncan Hepple · Feb 19, 2015 · Viewed 8.1k times

I'm trying to set up a simple script that uses cURL to monitor our SharePoint Online site by doing the following:

  1. Log into our Office 365 environment with a federated identity (ADFS 2.1), using the "../adfs/services/trust/13/UsernameMixed" endpoint
  2. Obtain SharePoint cookies (FedAuth etc)
  3. Browse to SharePoint site (verify content etc)

To do the first step, I'm using cURL to submit the following POST to our ADFS endpoint:

curl https://sts.contoso.com/adfs/services/trust/13/UsernameMixed --data @req.txt -H "Content-Type: application/soap+xml" -o out.txt

The SOAP envelope I am sending is requesting the following (this is just an extract of the request):

<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
            <a:Address>https://login.microsoftonline.com/extSTS.srf</a:Address>
        </a:EndpointReference>
    </wsp:AppliesTo>
    <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
    <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
    <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
</trust:RequestSecurityToken>

The response I get back from this contains an X509 certificate, a digest and a signature, which I do not know what to do with. All the guides I can see online result in a "BinarySecurityToken" being returned from this initial request, which you can extract and post to Sharepoint.com to get the necessary cookies to gain access. Admittedly they are all using the MicrosoftOnline STS (cloud credentials), so is this just something that the Microsoft STS can achieve but not ADFS servers?

Or is there something glaringly wrong in my approach?

Any help would be greatly appreciated.

Cheers,

Duncan

Answer

Duncan Hepple · Mar 1, 2015

So I resolved this by finding this helpful Stack answer (to a fairly similar question), which showed me the format to send to the Microsoft STS (bottom answer):

Claim auth from ADFS

After doing this, I was able to get the "t=Eddejdnefdn23enjd..." value, which I was able to POST to my SharePoint site and get the necessary SP cookies back (FedAuth etc).

I'm now stuck on how to get this concept working with OWA, as when I apply the same logic, the Microsoft STS returns encrypted XML with cipher data as opposed to a BinarySecurityToken, which has flummoxed me again. So if anyone has any ideas, please let me know.

Cheers
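The three-step exchange the question sets out and the answer reports working, written out as an added example in Python rather than cURL (this is not code from the original post, nor Microsoft's): it builds the ADFS UsernameMixed request, slices the signed assertion out of the reply without re-serialising it, wraps that assertion in the request to the Microsoft Online STS, pulls the "t=..." BinarySecurityToken out of the answer and posts it to the site to collect the FedAuth/rtFa cookies. The hosts sts.contoso.com and contoso.sharepoint.com are placeholders. The SharePoint sign-in URL /_forms/default.aspx?wa=wsignin1.0, the ps:AuthInfo header and the "MBI" policy reference in the STS request are the usual SharePoint Online claims sign-in shape and do not appear on this page; the two SAMPLE_* replies are constructed and abridged so the parsers can be exercised offline.

```python
"""Federated sign-in to SharePoint Online via ADFS: UsernameMixed -> signed SAML 1.1 assertion ->
Microsoft Online STS -> BinarySecurityToken "t=..." -> POST to the site -> FedAuth/rtFa cookies."""
import datetime
import re
import uuid
import urllib.request
import xml.etree.ElementTree as ET
from http.cookiejar import CookieJar
from xml.sax.saxutils import escape

ADFS = "https://sts.contoso.com/adfs/services/trust/13/usernamemixed"  # hypothetical federation server
MSO_STS = "https://login.microsoftonline.com/extSTS.srf"
SP_SITE = "https://contoso.sharepoint.com"  # hypothetical tenant
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WST05 = "http://schemas.xmlsoap.org/ws/2005/02/trust"  # older dialect the Microsoft Online STS speaks

def build_adfs_rst(username, password, applies_to=MSO_STS):
    """Step 1: WS-Trust 1.3 RST with a UsernameToken; same AppliesTo/KeyType/TokenType as the question."""
    now = datetime.datetime.now(datetime.timezone.utc)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="{WSU}"><s:Header>'
        f'<a:Action s:mustUnderstand="1">{WST13}/RST/Issue</a:Action><a:MessageID>urn:uuid:{uuid.uuid4()}</a:MessageID>'
        f'<a:To s:mustUnderstand="1">{ADFS}</a:To><o:Security s:mustUnderstand="1" xmlns:o="{WSSE}">'
        f'<u:Timestamp u:Id="_0"><u:Created>{stamp(now)}</u:Created><u:Expires>{stamp(now + datetime.timedelta(minutes=10))}</u:Expires></u:Timestamp>'
        f'<o:UsernameToken u:Id="uuid-{uuid.uuid4()}"><o:Username>{escape(username)}</o:Username><o:Password>{escape(password)}</o:Password>'
        "</o:UsernameToken></o:Security></s:Header><s:Body>"
        f'<trust:RequestSecurityToken xmlns:trust="{WST13}"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">'
        f"<a:EndpointReference><a:Address>{applies_to}</a:Address></a:EndpointReference></wsp:AppliesTo>"
        f"<trust:KeyType>{WST13}/Bearer</trust:KeyType><trust:RequestType>{WST13}/Issue</trust:RequestType>"
        "<trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType></trust:RequestSecurityToken></s:Body></s:Envelope>"
    )

def parse_soap_reply(raw):
    """Parse an STS reply; an EncryptedData/CipherData token (what the answer saw for OWA) ends the flow loudly."""
    root = ET.fromstring(raw)
    if root.find(f".//{{{XENC}}}EncryptedData") is not None:
        raise RuntimeError("STS returned EncryptedData, not a bearer token, for this audience")
    return root

def extract_assertion(adfs_reply):
    """Step 1 result: the <saml:Assertion> byte-for-byte as ADFS sent it. Its X509Certificate, DigestValue and
    SignatureValue are the XML signature the Microsoft Online STS verifies, so the element is sliced from the
    raw text; re-serialising it through a parser can change the canonical form and invalidate that signature."""
    parse_soap_reply(adfs_reply)
    m = re.search(r"<(?P<pfx>[\w.-]+:)?Assertion[\s>]", adfs_reply)
    if not m:
        raise RuntimeError("no SAML assertion in ADFS reply")
    end_tag = f"</{m.group('pfx') or ''}Assertion>"
    return adfs_reply[m.start():adfs_reply.index(end_tag, m.start()) + len(end_tag)]

def build_mso_rst(assertion, applies_to=SP_SITE):
    """Step 2: RST to the Microsoft Online STS carrying the ADFS assertion as the WS-Security header."""
    return (
        f'<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsa="http://www.w3.org/2005/08/addressing"'
        f' xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="{WST05}"><S:Header>'
        f'<wsa:Action S:mustUnderstand="1">{WST05}/RST/Issue</wsa:Action><wsa:To S:mustUnderstand="1">{MSO_STS}</wsa:To>'
        '<ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">'
        "<ps:BinaryVersion>5</ps:BinaryVersion><ps:HostingApp>Managed IDCRL</ps:HostingApp></ps:AuthInfo>"
        f"<wsse:Security>{assertion}</wsse:Security></S:Header><S:Body>"
        f'<wst:RequestSecurityToken Id="RST0"><wst:RequestType>{WST05}/Issue</wst:RequestType>'
        f"<wsp:AppliesTo><wsa:EndpointReference><wsa:Address>{applies_to}</wsa:Address></wsa:EndpointReference>"
        '</wsp:AppliesTo><wsp:PolicyReference URI="MBI"/></wst:RequestSecurityToken></S:Body></S:Envelope>'
    )

def extract_binary_security_token(mso_reply):
    """Step 2 result: the compact "t=...&p=" token a SharePoint audience gets back."""
    bst = parse_soap_reply(mso_reply).find(f".//{{{WSSE}}}BinarySecurityToken")
    if bst is None or not bst.text:
        raise RuntimeError("no BinarySecurityToken in STS reply")
    return bst.text  # ElementTree has already unescaped "&amp;p=" to "&p="

def run_flow(username, password):
    """Steps 1-3 over the wire; returns the cookie jar holding FedAuth and rtFa."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    soap = {"Content-Type": "application/soap+xml; charset=utf-8"}
    post = lambda url, body, hdrs: opener.open(urllib.request.Request(url, body.encode(), hdrs)).read().decode()
    assertion = extract_assertion(post(ADFS, build_adfs_rst(username, password), soap))
    token = extract_binary_security_token(post(MSO_STS, build_mso_rst(assertion), soap))
    # Step 3: the raw token is the whole POST body; SharePoint answers with Set-Cookie FedAuth/rtFa.
    post(f"{SP_SITE}/_forms/default.aspx?wa=wsignin1.0", token, {"Content-Type": "application/x-www-form-urlencoded"})
    names = {c.name for c in jar}
    if not {"FedAuth", "rtFa"} <= names:
        raise RuntimeError(f"sign-in did not set FedAuth/rtFa, got {sorted(names)}")
    return jar  # bearer session credentials: keep them out of logs and world-readable files

# Constructed, abridged replies with placeholder signature/token values so the parsers can run offline.
SAMPLE_ADFS_REPLY = (
    f'<s:Envelope xmlns:s="{SOAP}"><s:Body><t:RequestSecurityTokenResponseCollection xmlns:t="{WST13}">'
    "<t:RequestSecurityTokenResponse><t:RequestedSecurityToken>"
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1" MajorVersion="1" MinorVersion="1">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>DIGEST'
    "</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SIG</ds:SignatureValue><ds:KeyInfo><ds:X509Data>"
    "<ds:X509Certificate>CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>"
    "</t:RequestedSecurityToken></t:RequestSecurityTokenResponse></t:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"
)
SAMPLE_MSO_REPLY = (
    f'<S:Envelope xmlns:S="{SOAP}"><S:Body><wst:RequestSecurityTokenResponse xmlns:wst="{WST05}"><wst:RequestedSecurityToken>'
    f'<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" Id="Compact0">t=EwAexample&amp;p=</wsse:BinarySecurityToken>'
    "</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></S:Body></S:Envelope>"
)
```

The X509Certificate, DigestValue and SignatureValue that puzzled the question are just the XML signature over the assertion; the client does nothing with them except hand the whole element on unmodified so the Microsoft Online STS can verify it, which is why extract_assertion slices the raw text instead of rebuilding the element. Feed the credentials in from the environment or a mode-0600 file rather than leaving them in a req.txt beside the script, and treat the FedAuth/rtFa cookies the monitor ends up holding as equivalent to the password. If the STS answers with EncryptedData instead of a BinarySecurityToken, as the answer reports for OWA, parse_soap_reply stops with a clear error rather than posting cipher text onward; this example covers the SharePoint audience only.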