How to Pass Okta Assertion to microsoft STS to get the auth token

Question

We are using Okta as IDP for Microsoft Office 365 and a PHP based web application. From PHP we need to do REST API calls to fetch the sharepoint content by using Okta Authentication Token for authentication.

So as per the http://www.threewill.com/wp-content/uploads/MSOnlineAuthentication.png, it is possible to send SAML assertions to Microsoft online STS to get the auth token, which can be used to get the authentication cookies from sharepoint. When we pass Okta assertion to Microsoft online STS, it is raising WebSSO invalid assertion. Could not find the exact reason why the assertion is not valid.

The SOAP Envelop used to send to microsoft online STS is

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://login.microsoftonline.com/extSTS.srf</a:To>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" s:mustUnderstand="1">
<o:SecurityTokenReference xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<o:Embedded>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="id29170470933790951475177561" IssueInstant="2015-04-27T22:35:53.492Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/issueID</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id29170470933790951475177561">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
...
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
...
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">email@example.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="" NotOnOrAfter="2015-04-27T22:40:53.492Z" Recipient=""/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" NotBefore="2015-04-27T22:30:53.492Z" NotOnOrAfter="2015-04-27T22:40:53.492Z">
<saml2:AudienceRestriction>
<saml2:Audience>...</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" AuthnInstant="2015-04-27T22:35:53.492Z" SessionIndex="">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">email@example.com</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</o:Embedded>
</o:SecurityTokenReference>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address/>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>
http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey
</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>

hey @praju can you share the Request XML you sent to Ping to get the saml assertion as part of this question? — Nicholas DiPiazza, Apr 30 '18 at 20:15

score 0 · Answer 1 · answered Apr 30 '18 at 20:08

Up until very recently, this was an undocumented mess.

But someone in SharePoint engineering finally made a worthy blog about it here: https://blogs.technet.microsoft.com/sharepointdevelopersupport/2018/02/07/sharepoint-online-active-authentication/

This blog provides a powershell script that can obtain the SPOIDCRL cookie for a user (which "logs you in" as that user when making requests to SharePoint).

Here is the powershell from that blog in a Gist: https://gist.github.com/nddipiazza/1a810cd6f94782760933163b077dade7

So look at that powershell's Get-BinarySecurityToken method. that will show you how to convert your saml assertion into binary search token. then follow the codepath for how to convert that binary search token into SPOIDCRL cookie and you are ready to go!

How to Pass Okta Assertion to microsoft STS to get the auth token

1 Answers1