Claim auth from ADFS
I am trying to connect to a SharePoint Online instance via a WPF application. I have found this article that describes a possible solution, but the problem is that the specific instance has Active Directory Federation Services (ADFS) in front of it and I don't know how to get the auth token. (I can't create a certificate for my application to authenticate against the ADFS.)
Has anyone already done this and can support me with some code snippets?
I've played with Fiddler. Basically the flow goes like this:
Post to https://login.microsoftonline.com/login.srf (the body should be wa=wsignin1.0, wresult=<requestsecuritytokenresponse>…token…</rstr> and wctx=MEST=0&LoginOptions=2&wa=wsignin1%2E0&rpsnv=2&ct=1343219880&rver=6%2E1%2E6206%2E0&wp=MBI&wreply=https%3A%2F%2Fspirit365%2Esharepoint%2Ecom%2F%5Fforms%2Fdefault%2Easpx&id=500046&cbcxt=mai&wlidp=1&guest=1&vv=910&mkt=EN-US&lc=1033&bk=1343219930)
From that point this is the same as the code here: http://www.wictorwilen.se/Post/How-to-do-active-authentication-to-Office-365-and-SharePoint-Online.aspx
I spent a lot of time finally figuring that out. In order to get the binary token you need to post a message in the following format to the Microsoft Online Security Token Service (STS) site URL:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">[toUrl]</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      [assertion]
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>[url]</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
In this message, replace the placeholders with the following values:
[toUrl]: Microsoft Online Security Token Service (STS) site URL.
[url]: your SP site URL.
[assertion]: the assertion XML token you got from your federation service.
After you get the t=... binary token from the response XML, you can post that to your SP default.aspx in order to get cookies.
For anyone with trouble (it's really tough), here is some clarification.
The 4 steps are: 1) get the assertion from your SAML IdP, 2) trade the assertion for an STS token, 3) trade the STS token for cookies, 4) use the cookies to make your REST call.
For step 1, I have PingFederate. Use this in Postman to post to your token ID processor to get an assertion: POST https://pingfederate/idp/sts.wst?TokenProcessorId=username
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:a='http://www.w3.org/2005/08/addressing' xmlns:u='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
  <s:Header>
    <a:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <o:Security s:mustUnderstand='1' xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
      <o:UsernameToken>
        <o:Username>yourusername</o:Username>
        <o:Password>yourpass</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t='http://schemas.xmlsoap.org/ws/2005/02/trust'>
      <wsp:AppliesTo xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'>
        <wsa:EndpointReference xmlns:wsa='http://www.w3.org/2005/08/addressing'>
          <wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
It will generate an envelope with the assertion in it. Make sure to copy it in raw format (not pretty XML): everything from the <saml:Assertion to /saml:Assertion>.
For step 2, when you POST to https://login.microsoftonline.com/extSTS.srf, make sure the assertion is pasted in raw format (not pretty XML).
Use:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <saml:Assertion AssertionID="hp4CtHjK_lL" IssueInstant="..." ...</ds:Signature></saml:Assertion>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>https://myshare.sharepoint.com/sites/mysite</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
For step 3, POST to https://myshare.sharepoint.com/_forms/default.aspx?wa=wsignin1.0 and make sure the User-Agent is a regular user agent like Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0). In the body of the post, it's going to be everything in the <BinarySecurityToken that was generated by step 2, so something like t=EwDgAk6hBwAUu3......................... That's the entire body, nothing else. It will generate some cookies. One is for myshare.sharepoint.com called FedAuth, and another is sharepoint.com rtFa.
Step 4: once you get the cookies, you can GET your SharePoint list:
https://myshare.sharepoint.com/sites/mysite/_api/Web/Lists/GetByTitle('Updating%20List%E2%80%8B')/items
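As an added example (Python; not code from the question or from either answer) covering the procedure the two answers above describe: it fills the STS request template with the assertion kept byte-for-byte as the IdP returned it, extracts the t=... BinarySecurityToken from a constructed RSTR, and builds the Cookie header from FedAuth and rtFa. The helper names and the sample response are assumptions; the actual POSTs to extSTS.srf and default.aspx are left to your HTTP client.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Helper names are hypothetical; the STS URL and namespaces are the ones the answers use.
STS_URL = "https://login.microsoftonline.com/extSTS.srf"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
RST_TEMPLATE = (
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">'
    '<s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>'
    '<a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>'
    '<a:To s:mustUnderstand="1">{to_url}</a:To>'
    '<o:Security s:mustUnderstand="1" xmlns:o="{wsse}">{assertion}</o:Security></s:Header>'
    '<s:Body><t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">'
    '<a:EndpointReference><a:Address>{site_url}</a:Address></a:EndpointReference></wsp:AppliesTo>'
    '<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>'
    '<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>'
    '<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>'
    '</t:RequestSecurityToken></s:Body></s:Envelope>')

def build_rst(assertion_xml, site_url, to_url=STS_URL):
    """Step 2 body. The signed assertion is embedded byte-for-byte: re-indenting it
    ("pretty XML") changes the signed bytes and the STS rejects it."""
    if not assertion_xml.lstrip().startswith("<saml:Assertion"):
        raise ValueError("expected the raw <saml:Assertion ...>...</saml:Assertion> element")
    return RST_TEMPLATE.format(wsse=WSSE_NS, to_url=escape(to_url),
                               site_url=escape(site_url), assertion=assertion_xml)

def extract_binary_token(rstr_xml):
    """Step 3 body: the whole text of <BinarySecurityToken>, the bearer 't=...' string."""
    node = ET.fromstring(rstr_xml).find(".//{%s}BinarySecurityToken" % WSSE_NS)
    if node is None or not (node.text or "").startswith("t="):
        raise ValueError("RSTR carries no BinarySecurityToken; check the assertion and AppliesTo")
    return node.text  # ElementTree has already unescaped the &amp; inside the token

def cookie_header(set_cookie_values):
    """Step 4: keep only FedAuth and rtFa from the Set-Cookie headers default.aspx returns."""
    found = {n: v.split(";", 1)[0] for n, _, v in (c.partition("=") for c in set_cookie_values)}
    if not {"FedAuth", "rtFa"} <= set(found):
        raise ValueError("sign-in did not return both FedAuth and rtFa")
    return "FedAuth=%s; rtFa=%s" % (found["FedAuth"], found["rtFa"])

# Constructed sample RSTR shaped like the extSTS.srf response (not a real token).
SAMPLE_RSTR = (
    '<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"><S:Body>'
    '<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<wst:RequestedSecurityToken><wsse:BinarySecurityToken Id="Compact0" xmlns:wsse="%s">'
    't=EwDgAk6hBwAUu3EXAMPLE&amp;p=</wsse:BinarySecurityToken></wst:RequestedSecurityToken>'
    '</wst:RequestSecurityTokenResponse></S:Body></S:Envelope>' % WSSE_NS)
```

Treat the token and both cookies as bearer credentials: whatever holds them is signed in as that user until they expire, so keep them out of logs and Postman history.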