Authenticating SharePoint Online 2013 from a .NET Application

Dream. Dare. Do – that is Suyati’s work principle in a nutshell.

Dec
31
2013
  • Author:
  • Bisileesh Bhaskaran

Recently I got a requirement from one of our clients to develop a .NET Application that communicates with SharePoint online 2013.Since I am a newbie to SharePoint Online, I wasn’t quite sure about the way I have to authenticate the .NET app with SharePoint online 2013.And the resources were limited regarding the programmatic authentication. After spending some good time “googling” and brainstorming with few SharePoint experts in my organization, I implemented the authentication module.

And here’s the story: “How I did it”?

Claims based authentication:

SharePoint online 2013 makes use of claims based authentication.

What is this claims based authentication again?

The whole idea of claims based authentication is to free up the application from the hardship of authentication. And this is completely different from the classic “username”,” password” authentication mechanism, where the burden of authentication is been handled by the application itself.

The term Claim stands for “state or assert that something is the case, typically without providing evidence or proof”.

Claims based authentication also deals with the same idea. An identity provider/security token service issues security token for an application or service by validating credentials passed to it and these security token consist of claims in it.

And these “claims” are used for data access API’s and web services by the Relying Party/Application.

So what actually happens in claims based authentication?

  • User sends a request to access the application
  • The application sends request for token to the Identity provider (Security token service)
  • Identity provider authenticates the user
  • Gets information about the user
  • Creates the authentication token
  • Returns the authentication token to the user

The application processes the claims information from the token to check whether the user is allows to access the application or not.

A diagrammatic representation for the same is as follows:

Use of claims based authentication in SharePoint online 2013:

Now let us see how does claims based authentication works in the SharePoint online context.
A diagrammatic representation for the same is as follows:

Here the replying party is the .NET application. And Microsoft Online Security Token service is the Identity provider. Now let’s go through the steps involved in the authentication.

Step 1: Request token

Microsoft Online Security Token service is the identity provider for SharePoint online.

And it’s located at:
https://login.microsoftonline.com/extSTS.srf

To get the token from Microsoft online, STS application needs to POST a request to the above URL with valid credentials by using SAML 1.1 protocol (http://en.wikipedia.org/wiki/SAML_1.1).

Step 2: Get SAML Response

If the authentication is successful, the STS return a SAML response to the application which looks like the following:

Parse the response to get the security token from it.

Step 3: Send security token to SharePoint Online

POST the security token to SharePoint online
(http(s)://yourdomain.sharepoint.com/_forms/default.aspx?wa=wsignin1.0)

Once the security token is been validated by the SPO, it will return two cookies in the HTTP Header.
This includes FedAuth and rtFa.

Step 4: send requests to SPO with FedAuth and rtFa

Now pass these two cookies along with each request to SPO for a page or a resource or any web service.

Thus by accomplishing the above steps you will be able to authenticate your application against SharePoint online.

You can find a working .NET sample code that connects to SharePoint online from this blog post by Wictor Wilén.

Thanks to the information from:

“Headless” Authentication with SharePoint Online and the Client Side Object Model

Claim Based Authentication and WIF

Image Credits: CodeProject and WictorWilén.se

Leave a Comment

Your email address will not be published. Required fields are marked *