Console application for SAML authenticated SharePoint 2013 sites

One of the trickiest things I came across over the last couple of days was getting a console application that uses CSOM to connect to a SAML-authenticated SharePoint site. In my case the authentication provider was CA SiteMinder. There are several techniques for connecting to SAML-authenticated sites with CSOM; below are the ones I came across:

  1. S2S high-trust desktop add-in: Yes, you read it right, a console app (or any other desktop application) can be configured to connect to a SharePoint site the same way a provider-hosted add-in does. The only difference is that there is no HttpContext in such an application. Most of the configuration steps (apart from setting up the IIS website) are the same as for an S2S high-trust provider-hosted add-in. All of this is possible thanks to authentication champion Steve Peschka; see his blog post Desktop SharePoint Apps for SAML Secured SharePoint Sites.
  2. ADFS-targeted applications: You can use this method if your SharePoint farm uses ADFS as the claims provider. The main steps are:
  • From the console application, make a WS-Trust request to ADFS with the user's username and password. The endpoint used is trust/13/usernamemixed (full path /adfs/services/trust/13/usernamemixed), which is available and enabled by default on ADFS v2.0. The credentials travel inside the SOAP message, so the call must go over HTTPS.
  • ADFS authenticates the user and returns a signed SAML token for that user, issued for the SharePoint relying-party realm.
  • From the console application, wrap this SAML token in a WS-Federation sign-in message (wa=wsignin1.0 with the token in wresult) and POST it to the SharePoint Security Token Service (STS) at https://sharepointsiteURL/_trust/default.aspx.
  • The STS validates the token and returns a FedAuth cookie to the console application. Inject this FedAuth cookie into every CSOM request.

You can check these blog posts on this technique:

Steve Peschka’s Blog
Consuming a web service with Claims Based Authentication and ADFS programmatically
The Office 365 PnP core library also now includes an AuthenticationManager class, which is very easy to use in your code if you have ADFS 2.0 set up. See PnP SAML Authentication Manager.
  3. Browser authentication in a console application: This technique works in every scenario regardless of the claims provider used, i.e. ADFS, SiteMinder, PingIdentity or any other SAML provider. The flow can be summarized as follows:

  • The console application creates a System.Windows.Forms.WebBrowser session (a small browser window) and automatically navigates to the SharePoint site's login page.
  • Enter your username and password in the form and log in to the site.
  • The whole authentication exchange is handled by the SharePoint setup and the identity provider, and once you are authenticated the site issues your FedAuth cookie.
  • The browser window can be closed automatically once the FedAuth cookie has been issued.
  • The console application captures this cookie and injects it into all CSOM requests.
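The ADFS flow described in technique 2, as an added example (this is my code, not code from the original post, from Steve Peschka's samples or from the PnP library). It performs the three hops in order, WS-Trust UsernameMixed to ADFS, WS-Federation POST to /_trust, FedAuth injection into CSOM, and re-authenticates once if a request comes back 401 because the STS cookie has expired, the failure mode raised in the comments. The ADFS host, the site URL and the relying-party realm urn:sharepoint:portal are placeholders you must replace. It needs references to System.IdentityModel, System.ServiceModel and Microsoft.SharePoint.Client and targets .NET 4.5 or later.

```csharp
// Added example: headless ADFS sign-in for CSOM. Hosts, realm and credentials are placeholders.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;
using Microsoft.SharePoint.Client;

class AdfsCsomSample
{
    // Placeholders (assumed values); replace with your own environment.
    const string AdfsUsernameMixed = "https://adfs.contoso.local/adfs/services/trust/13/usernamemixed";
    const string SiteUrl = "https://portal.contoso.local";
    const string Realm = "urn:sharepoint:portal"; // relying-party identifier configured in ADFS and in SharePoint's trusted identity provider
    const string Saml11 = "urn:oasis:names:tc:SAML:1.0:assertion";
    const string WsTrustNs = "http://schemas.xmlsoap.org/ws/2005/02/trust";

    static CookieContainer cookies; // current FedAuth jar; swapped out on re-authentication

    // Hop 1: WS-Trust 1.3 UsernameMixed. The username/password are message credentials over TLS.
    static GenericXmlSecurityToken RequestSamlToken(string user, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(AdfsUsernameMixed))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(Realm),
            KeyType = KeyTypes.Bearer, // SharePoint's STS consumes bearer (NoProofKey) tokens
            TokenType = Saml11         // SharePoint 2013 /_trust expects a SAML 1.1 assertion
        };
        return (GenericXmlSecurityToken)factory.CreateChannel().Issue(rst);
    }

    // Hop 2: wrap the assertion in a WS-Federation RequestSecurityTokenResponse and POST it as
    // wresult. FedAuth arrives as Set-Cookie on the 302, so the redirect must not be followed.
    static CookieContainer ExchangeForFedAuth(GenericXmlSecurityToken token)
    {
        string wresult =
            "<t:RequestSecurityTokenResponse xmlns:t=\"" + WsTrustNs + "\">" +
              "<wsp:AppliesTo xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">" +
                "<wsa:EndpointReference xmlns:wsa=\"http://www.w3.org/2005/08/addressing\">" +
                  "<wsa:Address>" + Realm + "</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>" +
              "<t:RequestedSecurityToken>" + token.TokenXml.OuterXml + "</t:RequestedSecurityToken>" +
              "<t:TokenType>" + Saml11 + "</t:TokenType>" +
              "<t:RequestType>" + WsTrustNs + "/Issue</t:RequestType>" +
              "<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>" +
            "</t:RequestSecurityTokenResponse>";

        // wctx is where a browser would be sent afterwards; SharePoint expects it even though we never follow it.
        string body = "wa=wsignin1.0"
                    + "&wctx=" + Uri.EscapeDataString(SiteUrl + "/_layouts/15/Authenticate.aspx?Source=%2F")
                    + "&wresult=" + Uri.EscapeDataString(wresult);
        byte[] payload = Encoding.UTF8.GetBytes(body);

        var request = (HttpWebRequest)WebRequest.Create(SiteUrl + "/_trust/default.aspx");
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;
        request.AllowAutoRedirect = false;
        request.CookieContainer = new CookieContainer(); // HttpWebResponse parses Set-Cookie into this jar
        using (var s = request.GetRequestStream()) s.Write(payload, 0, payload.Length);

        using (var response = (HttpWebResponse)request.GetResponse())
        {
            if (response.Cookies["FedAuth"] == null)
                throw new InvalidOperationException("STS issued no FedAuth: check realm, token type and the signing certificate SharePoint trusts.");
        }
        return request.CookieContainer;
    }

    // Hop 3: attach the current jar to every CSOM request. The handler reads the static field,
    // so replacing the jar after a 401 takes effect on the next request without a new ClientContext.
    static ClientContext CreateContext()
    {
        var ctx = new ClientContext(SiteUrl);
        ctx.ExecutingWebRequest += (s, e) => e.WebRequestExecutor.WebRequest.CookieContainer = cookies;
        return ctx;
    }

    // Runs the pending batch; on 401 (expired STS cookie) signs in again and retries once.
    static void ExecuteWithReauth(ClientContext ctx, string user, string password)
    {
        try { ctx.ExecuteQuery(); }
        catch (WebException ex) when ((ex.Response as HttpWebResponse)?.StatusCode == HttpStatusCode.Unauthorized)
        {
            cookies = ExchangeForFedAuth(RequestSamlToken(user, password));
            ctx.ExecuteQuery();
        }
    }

    static void Main(string[] args)
    {
        string user = args[0], password = args[1]; // e.g. CONTOSO\alice; read from a secret store in real jobs
        cookies = ExchangeForFedAuth(RequestSamlToken(user, password));
        var ctx = CreateContext();
        ctx.Load(ctx.Web, w => w.Title);
        ExecuteWithReauth(ctx, user, password);
        Console.WriteLine(ctx.Web.Title);
    }
}
```

Two points worth keeping in mind: the password is only ever sent to ADFS, never to SharePoint, which is the reason to prefer this flow over basic or stored-cookie schemes for unattended jobs; and the retry works because CSOM keeps the pending actions on the context when ExecuteQuery fails with a transport-level WebException, which is the same property the PnP ExecuteQueryRetry extension relies on.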
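The interactive flow described in technique 3, as an added example (my code, not code from the original post or from the PnP library, although PnP's GetWebLoginClientContext uses the same idea). It works with any identity provider because the browser does the whole redirect dance. The site URL is a placeholder and the code is Windows-only (WinForms plus WinInet). Two practical details the bullet list above does not show: FedAuth is an HttpOnly cookie, so WebBrowser.Document.Cookie never returns it and it has to be read with InternetGetCookieEx using the INTERNET_COOKIE_HTTPONLY flag; and the WebBrowser control shares one WinInet session-cookie jar per process, so before opening a second login window the session is ended with InternetSetOption, otherwise a cookie left over from the earlier sign-in can keep SharePoint from redirecting to the identity provider at all. It needs references to System.Windows.Forms and Microsoft.SharePoint.Client.

```csharp
// Added example: interactive WebBrowser sign-in for CSOM. The site URL is a placeholder.
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;
using Microsoft.SharePoint.Client;

static class BrowserLoginSample
{
    const string SiteUrl = "https://portal.contoso.local"; // placeholder (assumed value)
    const int INTERNET_COOKIE_HTTPONLY = 0x2000;
    const int INTERNET_OPTION_END_BROWSER_SESSION = 42;

    [DllImport("wininet.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool InternetGetCookieEx(string url, string name, StringBuilder data, ref int size, int flags, IntPtr reserved);

    [DllImport("wininet.dll", SetLastError = true)]
    static extern bool InternetSetOption(IntPtr hInternet, int option, IntPtr buffer, int length);

    // Reads every FedAuth* cookie (SharePoint chunks large tokens into FedAuth, FedAuth1, ...) for the
    // site from the WinInet jar the WebBrowser control uses, including HttpOnly ones.
    static CookieContainer ReadFedAuthCookies()
    {
        int size = 0;
        InternetGetCookieEx(SiteUrl, null, null, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero);
        if (size <= 0) return null;
        var buffer = new StringBuilder(size);
        if (!InternetGetCookieEx(SiteUrl, null, buffer, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero)) return null;

        var jar = new CookieContainer();
        int found = 0;
        foreach (string pair in buffer.ToString().Split(';'))
        {
            string[] kv = pair.Trim().Split(new[] { '=' }, 2); // value may itself contain '='
            if (kv.Length != 2 || !kv[0].StartsWith("FedAuth", StringComparison.Ordinal)) continue;
            jar.Add(new Uri(SiteUrl), new Cookie(kv[0], kv[1]) { HttpOnly = true });
            found++;
        }
        return found > 0 ? jar : null;
    }

    // Opens the site in a WebBrowser window, lets the user finish the identity-provider login,
    // and closes the window as soon as the round trip back to the site has produced FedAuth.
    static CookieContainer LoginInteractively()
    {
        // End the WinInet session so cookies from an earlier sign-in in this process do not
        // suppress the redirect to the identity provider (the "site just loads" symptom).
        InternetSetOption(IntPtr.Zero, INTERNET_OPTION_END_BROWSER_SESSION, IntPtr.Zero, 0);

        CookieContainer captured = null;
        using (var form = new Form { Width = 900, Height = 700, Text = "Sign in to SharePoint" })
        using (var browser = new WebBrowser { Dock = DockStyle.Fill, ScriptErrorsSuppressed = true })
        {
            form.Controls.Add(browser);
            browser.DocumentCompleted += (s, e) =>
            {
                // Pages on the identity provider cannot carry the site's cookie; only check once back on the site.
                if (!e.Url.ToString().StartsWith(SiteUrl, StringComparison.OrdinalIgnoreCase)) return;
                captured = ReadFedAuthCookies();
                if (captured != null) form.Close(); // auto-close once the cookie exists
            };
            browser.Navigate(SiteUrl);
            Application.Run(form);
        }
        if (captured == null) throw new InvalidOperationException("Sign-in window closed without a FedAuth cookie.");
        return captured;
    }

    [STAThread] // WinForms needs a single-threaded apartment
    static void Main()
    {
        CookieContainer jar = LoginInteractively();
        var ctx = new ClientContext(SiteUrl);
        ctx.ExecutingWebRequest += (s, e) => e.WebRequestExecutor.WebRequest.CookieContainer = jar;
        ctx.Load(ctx.Web, w => w.Title);
        ctx.ExecuteQuery();
        Console.WriteLine(ctx.Web.Title);
    }
}
```

Because the cookie is copied out of the browser jar, the CSOM side never depends on the WebBrowser control after login; when the cookie expires you call LoginInteractively again and rebind the new jar, which is why the session is ended at the top of that method rather than left to the caller.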

5 thoughts on "Console application for SAML authenticated SharePoint 2013 sites"

  1. About the third method:
    We have set the cookie timeout value to 20 minutes on the SharePoint server for the STS. So now when this code is used for some processing on the site which takes more than these 20 minutes, I start getting the error "The remote server returned an error: (401) Unauthorized.". Any suggestions on how to re-generate the authentication cookies once we get this error? I have tried calling the same method again to get a new instance of the ClientContext object, but that does not seem to be working. It opens the browser window and this time, instead of collecting the cookie and closing the window, it remains open with my SharePoint site completely loaded in it.
    Any suggestion? Thanks in advance

  2. Did you try to trace what is the difference between the flow when the browser opens for the first time and when it opens for second time when the cookie expires? Also, since you are saying that second time the browser remains opened with SharePoint site loaded in it –> This gives me a clue that cookie is still not expired in the browser session and you are not redirected by SP to IDP for re-authentication.

    1. Thank you very much for your help. Would it be possible to refresh the FedAuth cookie without logging in again? I have a long process and I would need to run it unattended for several hours.
      Thanks again.

  3. Sorry, but that's not an option. We have a console application uploading files. For 20 minutes it works fine, but it fails after the cookie has expired, so we are trying to refresh the cookie.
