Question

Dear SharePoint community,

I need to be able to access SharePoint Online APIs in an environment that uses PingIdentity to provide SSO to Office 365.

When a user requests https://mycompany.sharepoint.com/somesite:

  1. They are redirected to login.microsoftonline.com and asked for their "email" account.
  2. They are then taken to the Ping Identity login page, where they are asked for a password.
  3. Once they present the password, they are taken to https://mycompany.sharepoint.com/somesite with the rtFa / FedAuth cookies present in the request headers, which allows them to access the protected resources.

I was able to get this exact same scenario working via the REST API for ADFS, as documented at a high level here:

How to authenticate to SharePoint Online (Office 365) using REST API when On-premise ADFS Sync to Office 365 cloud is enabled?

Does anyone have the equivalent of how to make REST API requests to obtain the cookies from PingIdentity/Microsoft Login in this scenario? I can use SOAP, REST, or C# to do it. Whatever works to generate the FedAuth and rtFa cookies I can use: Postman, SoapUI, code snippets, or a high-level description, anything.


Solution

The simple way to connect to SharePoint Online is using the .NET CSOM SDK. You don't need to generate the FedAuth and rtFa cookies. The SharePointOnlineCredentials class, which is provided as part of the .NET SDK, is sufficient to make the connection (even with PingFederate). The latest version of the SDK can handle authentication in federated identity scenarios. A lot of examples online that involve generating a FedAuth cookie seem to refer to an older version of the CSOM SDK, which did not seem to support federated scenarios. The code sample below shows how to connect to SPO using the .NET SDK from PowerShell; the same can be done in C#.

# Load the CSOM assemblies (adjust the path to where the SDK is installed)
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

$SiteURL = "https://mycompany.sharepoint.com/somesite"   # placeholder site from the question
$User = "user@mycompany.com"                            # placeholder account
$Password = Read-Host -Prompt "Please enter your password" -AsSecureString
$Creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($User, $Password)
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Context.Credentials = $Creds

# Issue one request so the federated sign-in actually takes place
$Web = $Context.Web
$Context.Load($Web)
$Context.ExecuteQuery()
$Web.Title

Because in this scenario we are trying to get the cookies using web requests, take a look at the idea in this link: https://allthatjs.com/2012/03/28/remote-authentication-in-sharepoint-online/

Basically you can:

  1. Set up CSOM to log in as indicated.
  2. Enable Fiddler.
  3. Run the program to log in and make a CSOM request.
  4. Check the Fiddler output and copy the network calls as they came in.
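As an added example (not the answer's own code; the site URL and account are placeholders), the same SharePointOnlineCredentials object that CSOM uses can hand out the authentication cookie directly through its GetAuthenticationCookie method. Attaching that cookie to ordinary REST calls removes the need to replay the PingFederate redirects captured in Fiddler; note that CSOM returns the SPOIDCRL cookie rather than the browser's rtFa/FedAuth pair, and the REST endpoints accept it.

```powershell
# Added example, not from the original answer. Assumes the CSOM SDK is installed
# at the path below and that the site URL and account are placeholders.
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

$SiteURL  = "https://mycompany.sharepoint.com/somesite"   # placeholder site from the question
$User     = "user@mycompany.com"                          # placeholder account
$Password = Read-Host -Prompt "Please enter your password" -AsSecureString
$Creds    = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($User, $Password)

# CSOM performs the federated sign-in and returns the auth cookie as a single
# "name=value" string (SPOIDCRL=...). It is a bearer credential: keep it out of logs.
$CookieHeader = $Creds.GetAuthenticationCookie([Uri]$SiteURL)
$Idx          = $CookieHeader.IndexOf('=')
$CookieName   = $CookieHeader.Substring(0, $Idx)
$CookieValue  = $CookieHeader.Substring($Idx + 1)

# Store the cookie in a web session so every REST call carries it automatically.
$Session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$Cookie  = New-Object System.Net.Cookie($CookieName, $CookieValue, "/", ([Uri]$SiteURL).Host)
$Session.Cookies.Add($Cookie)

# A plain REST GET against the site; no X-RequestDigest is needed for reads.
$Headers = @{ "Accept" = "application/json;odata=verbose" }
$Resp = Invoke-RestMethod -Uri "$SiteURL/_api/web" -Headers $Headers -WebSession $Session -Method Get
$Resp.d.Title

# The cookie expires. When calls start failing with 401/403, ask CSOM for a fresh one:
# $CookieHeader = $Creds.GetAuthenticationCookie([Uri]$SiteURL, $true)
```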

OTHER TIPS

Created a GitHub project for us non-Windows folks:

https://github.com/nddipiazza/SharepointOnlineCookieFetcher

It builds a program with bundled Mono (no Mono installation required, but it does have an annoying sudo mkdir and chmod step).

You can then run this CSOM-based cookie fetcher platform-independently and use it in your web-service-based program.

UPDATE: This worked only on SharePoint Online with the Microsoft built-in login. ADFS-backed SharePoint Online did NOT work with this approach.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange