How to authenticate to SharePoint Online (Office 365) using REST API when On-premise ADFS Sync to Office 365 cloud is enabled?

sharepoint.stackexchange https://sharepoint.stackexchange.com/questions/223078

Question

Many enterprises who use Sharepoint Online leverage the Office 365 integration with an on-premise ADFS. That way they can have the benefit of having Sharepoint on the cloud, but while being able to still use their existing Active Directory for sign in without having to maintain duplicate accounts. See https://support.office.com/en-us/article/Office-365-integration-with-on-premises-environments-263faf8d-aa21-428b-aed3-2021837a4b65 for more information.

I have a service account set up in ADFS that is synced to Sharepoint Online and now I would like to call the Sharepoint web services using this account.

I am already able to call REST/SOAP web services for the following two setups:

For Sharepoint on premise, you can simply use Form-based authentication with username/password/domain of the service account in the ADFS (also on-premise) to get authenticated.

For a native Office 365 service account, it's a little more complex.

  • Using the Office 365 service account username/password, you do a handshake with https://{tenant}.sharepoint.com/_forms/default.aspx?wa=wsignin1.0
  • The handshake generates an rtFa cookie, a FedAuth cookie and the FormDigestValue.
  • You specify the cookies and digest as headers in the request and you are able to authenticate with Sharepoint online.

What is the process for authenticating for API calls when we have the Sharepoint online synced with an on-premise ADFS setup?
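The handshake described above, as an added example (not the question's own code nor any linked script): a Python client that sends the WS-Trust request to the Microsoft Online STS, exchanges the returned token for the rtFa/FedAuth cookies at the wsignin1.0 endpoint, and fetches the form digest from /_api/contextinfo, with the HTTP transport injected so the flow can be exercised offline. Assumed: the transport signature, the function names and the constructed responses; the STS URL and SOAP envelope are the standard ones for this flow rather than anything the page supplies, and this is the native Office 365 path, where a federated (ADFS) account gets a SOAP fault at step 1, which is the case the script in Solution 2 covers.

```python
import html, json, re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit
# HTTP transport is injected (assumption): post(url, body, headers) -> (status, Set-Cookie lines, body).
Post = Callable[[str, bytes, Dict[str, str]], Tuple[int, List[str], bytes]]
STS = "https://login.microsoftonline.com/extSTS.srf"

def rst_envelope(username: str, password: str, site: str) -> str:
    """WS-Trust RequestSecurityToken asking the Microsoft Online STS for a SAML 1.0 token scoped to `site`."""
    return f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
  xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
 <s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
  <a:To s:mustUnderstand="1">{STS}</a:To>
  <o:Security s:mustUnderstand="1"><o:UsernameToken><o:Username>{html.escape(username)}</o:Username>
   <o:Password>{html.escape(password)}</o:Password></o:UsernameToken></o:Security>
 </s:Header><s:Body><t:RequestSecurityToken>
  <wsp:AppliesTo><a:EndpointReference><a:Address>{html.escape(site)}</a:Address></a:EndpointReference></wsp:AppliesTo>
  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
 </t:RequestSecurityToken></s:Body></s:Envelope>"""

def cookie_header(set_cookie_lines: List[str]) -> str:
    jar = {}
    for line in set_cookie_lines:
        name, _, rest = line.strip().partition("=")
        if name in ("rtFa", "FedAuth"):  # the two session cookies SharePoint Online sets; ignore the rest
            jar[name] = rest.split(";", 1)[0]
    if not {"rtFa", "FedAuth"} <= jar.keys():
        raise RuntimeError("sign-in did not set both rtFa and FedAuth")
    return "; ".join(f"{k}={jar[k]}" for k in ("rtFa", "FedAuth"))

def sign_in(post: Post, site: str, username: str, password: str) -> Dict[str, str]:
    """Runs the three-step handshake and returns headers for authenticated REST calls on `site`."""
    # 1. Username/password -> SAML token (BinarySecurityToken) from the STS.
    _, _, body = post(STS, rst_envelope(username, password, site).encode(), {"Content-Type": "application/soap+xml; charset=utf-8"})
    m = re.search(rb"<wsse:BinarySecurityToken[^>]*>([^<]+)</wsse:BinarySecurityToken>", body)
    if not m:  # bad credentials, MFA and federated (ADFS) accounts all surface here as a SOAP fault
        raise RuntimeError("STS issued no token: " + body[:200].decode(errors="replace"))
    token = html.unescape(m.group(1).decode()).encode()  # XML-escaped '&amp;' back to '&'
    # 2. Token -> rtFa/FedAuth cookies from the tenant's sign-in endpoint.
    root = "{0.scheme}://{0.netloc}".format(urlsplit(site))
    _, cookies, _ = post(root + "/_forms/default.aspx?wa=wsignin1.0", token, {})
    headers = {"Cookie": cookie_header(cookies), "Accept": "application/json;odata=verbose"}
    # 3. Cookies -> form digest, which every POST/MERGE/DELETE to /_api must carry.
    _, _, ctx = post(site.rstrip("/") + "/_api/contextinfo", b"", headers)
    headers["X-RequestDigest"] = json.loads(ctx)["d"]["GetContextWebInformation"]["FormDigestValue"]
    return headers
```

The returned dictionary is what you pass as request headers on subsequent calls; the digest expires after a fixed interval, so long-running clients should refresh it from /_api/contextinfo rather than cache it indefinitely.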


Solution 2

Here is a forum post that provides more details, and a PowerShell script able to do this login: https://blogs.technet.microsoft.com/sharepointdevelopersupport/2018/02/07/sharepoint-online-active-authentication/

Here is the PowerShell script in a Gist in case that link dies some day: https://gist.github.com/nddipiazza/1a810cd6f94782760933163b077dade7

Example usage:

.\spoidcrl.ps1 -url https://contoso.sharepoint.com/sites/site1 -integrated -format "XML"

Once you have the SPOIDCRL cookie from this script, you can use it in any SharePoint Online REST API call and you will be authenticated.

This PowerShell script is quite simple to read, so you should be able to pull out the HTTP calls for use in any other HTTP client you need, such as Java, curl, Postman, etc. And it supports ADFS as well as native MSO login.

OTHER TIPS

Here is an example I wrote "for fun" some time ago:


The sample is on GitHub:

It should work with or without ADFS. Instead of documentation, I've just connected to SharePoint Online via PowerShell and recorded all steps with Fiddler. Then just coded the same requests I saw.

I would still use CSOM whenever I could, but REST is the only option for Windows Phone. CSOM for Windows Phone no longer works last time I checked.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange