One of the trickiest things I came across in the last couple of days was running a console application that uses CSOM to connect to a SAML-authenticated SharePoint site. In my case the authentication provider was CA SiteMinder. There are many techniques for connecting to SAML-authenticated sites using CSOM. Below are some of the ones I came across:
1. S2S High Trust Desktop Add-in: Yes, you read it right: a console app (or any other desktop application) can be configured to connect to a SharePoint site in the same way as a provider-hosted add-in. The only difference is that there is no HttpContext in this application. Most of the steps involved in the configuration (except setting up the IIS website) are the same as for creating an S2S high trust provider-hosted add-in. We can do all this thanks to authentication champion Steve Peschka. Please check out his blog post Desktop SharePoint Apps for SAML Secured SharePoint Sites.
2. ADFS-targeted applications: You can use this method if your SharePoint setup uses ADFS as the claims provider. Below are the main steps involved:
   - From the console application, make a request to ADFS with the username and password of the user. The endpoint used is the trust/13/usernamemixed endpoint, which is available and enabled by default on ADFS v2.0.
   - ADFS authenticates the user and returns a SAML token for the user.
   - From the console application, wrap this SAML token in a WS-Federation message and send it to the SharePoint Security Token Service (STS) at https://sharepointsiteURL/_trust/default.aspx.
   - The STS then returns a FedAuth cookie to the console application. Inject this FedAuth cookie into every CSOM request.
   You can check these blog posts on this technique:
   - Steve Peschka's Blog
   - Consuming a web service with Claims Based Authentication and ADFS programmatically
   Also, Office 365 PnP now includes an AuthenticationManager class which is very easy to implement in your code if you have ADFS 2.0 set up. Check out the PnP SAML Authentication Manager.
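The four ADFS steps above, carried out by hand so that each message in the exchange is visible, as an added example that is not code from the original post or from PnP (whose AuthenticationManager hides the same exchange). It uses HttpClient for the two HTTP round trips and the CSOM ExecutingWebRequest event for the cookie injection. The ADFS host, site URL and relying-party realm are placeholders, and the envelope shapes (a WS-Trust 1.3 RST with a UsernameToken on the ADFS side, a WS-Trust 2005 RequestSecurityTokenResponse as the wresult on the SharePoint side) are an assumption about the protocol that should be checked against your own ADFS and SharePoint traffic.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using System.Xml.Linq;
using Microsoft.SharePoint.Client;

// Added example, not code from the original post or from PnP. The ADFS host, site URL and
// relying-party realm (urn:sharepoint:contoso) are placeholders for your own environment.
static class AdfsCsomSample
{
    static readonly XNamespace S = "http://www.w3.org/2003/05/soap-envelope";
    static readonly XNamespace A = "http://www.w3.org/2005/08/addressing";
    static readonly XNamespace Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static readonly XNamespace Wsp = "http://schemas.xmlsoap.org/ws/2004/09/policy";
    static readonly XNamespace T13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"; // WS-Trust 1.3 (ADFS side)
    static readonly XNamespace T05 = "http://schemas.xmlsoap.org/ws/2005/02/trust";      // WS-Trust 2005 (SharePoint side)
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:1.0:assertion";
    static XAttribute MustUnderstand() => new XAttribute(S + "mustUnderstand", "1");

    // Step 1: WS-Trust 1.3 RST with a UsernameToken to /adfs/services/trust/13/usernamemixed.
    // The envelope is built as XML rather than by string concatenation, so the credentials are escaped.
    static async Task<XElement> GetAssertionAsync(HttpClient http, string adfsHost, string realm, string user, string password)
    {
        string endpoint = "https://" + adfsHost + "/adfs/services/trust/13/usernamemixed";
        var rst = new XElement(S + "Envelope",
            new XElement(S + "Header",
                new XElement(A + "Action", MustUnderstand(), T13.NamespaceName + "/RST/Issue"),
                new XElement(A + "To", MustUnderstand(), endpoint),
                new XElement(Wsse + "Security", MustUnderstand(),
                    new XElement(Wsse + "UsernameToken",
                        new XElement(Wsse + "Username", user), new XElement(Wsse + "Password", password)))),
            new XElement(S + "Body",
                new XElement(T13 + "RequestSecurityToken",
                    new XElement(Wsp + "AppliesTo", new XElement(A + "EndpointReference", new XElement(A + "Address", realm))),
                    new XElement(T13 + "KeyType", T13.NamespaceName + "/Bearer"),
                    new XElement(T13 + "RequestType", T13.NamespaceName + "/Issue"),
                    new XElement(T13 + "TokenType", Saml.NamespaceName))));
        var body = new StringContent(rst.ToString(SaveOptions.DisableFormatting), Encoding.UTF8, "application/soap+xml");
        HttpResponseMessage resp = await http.PostAsync(endpoint, body);
        resp.EnsureSuccessStatusCode(); // an HTTP 500 SOAP fault here usually means wrong credentials or realm
        XDocument rstr = XDocument.Parse(await resp.Content.ReadAsStringAsync());
        return rstr.Descendants(Saml + "Assertion").First(); // the signed SAML 1.1 assertion for this user
    }

    // Step 2: wrap the assertion in the WS-Federation "wresult" message SharePoint's STS expects
    // (assumed here to be a WS-Trust 2005 RSTR, as in the passive sign-in profile) and POST it to /_trust/.
    // SharePoint replies with a 302 that sets the FedAuth cookie; auto-redirect is disabled so the
    // cookie stays in our container instead of being spent on a redirect chain.
    static async Task<Cookie> GetFedAuthAsync(HttpClient http, HttpClientHandler handler, string siteUrl, string realm, XElement assertion)
    {
        var wresult = new XElement(T05 + "RequestSecurityTokenResponse",
            new XElement(Wsp + "AppliesTo", new XElement(A + "EndpointReference", new XElement(A + "Address", realm))),
            new XElement(T05 + "RequestedSecurityToken", assertion),
            new XElement(T05 + "TokenType", Saml.NamespaceName),
            new XElement(T05 + "RequestType", T05.NamespaceName + "/Issue"),
            new XElement(T05 + "KeyType", "http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey"));
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "wa", "wsignin1.0" }, { "wctx", siteUrl }, { "wresult", wresult.ToString(SaveOptions.DisableFormatting) }
        });
        HttpResponseMessage resp = await http.PostAsync(siteUrl.TrimEnd('/') + "/_trust/", form);
        Cookie fedAuth = handler.CookieContainer.GetCookies(new Uri(siteUrl))["FedAuth"];
        if (fedAuth == null) throw new InvalidOperationException("SharePoint STS issued no FedAuth cookie (HTTP " + (int)resp.StatusCode + ")");
        return fedAuth;
    }

    // Step 3: attach the cookie to every CSOM request. X-FORMS_BASED_AUTH_ACCEPTED: f makes
    // SharePoint answer 403 instead of an HTML login redirect once the cookie has expired.
    static ClientContext CreateContext(string siteUrl, Cookie fedAuth)
    {
        var ctx = new ClientContext(siteUrl);
        ctx.ExecutingWebRequest += (sender, e) =>
        {
            var jar = new CookieContainer(); jar.Add(fedAuth);
            e.WebRequestExecutor.WebRequest.CookieContainer = jar;
            e.WebRequestExecutor.WebRequest.Headers.Add("X-FORMS_BASED_AUTH_ACCEPTED", "f");
        };
        return ctx;
    }

    static async Task Main()
    {
        const string siteUrl = "https://sp.contoso.com/sites/demo", realm = "urn:sharepoint:contoso"; // placeholders
        // Credentials come from the environment only to keep them out of source; use a credential store in practice.
        string user = Environment.GetEnvironmentVariable("SP_USER"), pwd = Environment.GetEnvironmentVariable("SP_PASSWORD");
        var handler = new HttpClientHandler { CookieContainer = new CookieContainer(), AllowAutoRedirect = false };
        using (var http = new HttpClient(handler))
        {
            XElement assertion = await GetAssertionAsync(http, "adfs.contoso.com", realm, user, pwd);
            Cookie fedAuth = await GetFedAuthAsync(http, handler, siteUrl, realm, assertion);
            using (ClientContext ctx = CreateContext(siteUrl, fedAuth))
            {
                ctx.Load(ctx.Web, w => w.Title);
                ctx.ExecuteQuery();
                Console.WriteLine("Connected to: " + ctx.Web.Title);
            }
        }
    }
}
```

Two things worth noticing in this flow. The console app holds the user's password in memory and sends it in the SOAP body, so TLS to the ADFS endpoint is the only thing protecting it, which is the main difference from the browser-based technique (3) where the app never sees the password. And the FedAuth cookie that comes back is a bearer credential: whoever holds it is that user until it expires, so keep it in memory for the session and do not log it or write it to disk.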
3. Browser Authentication in a Console application: This technique can be used in all scenarios, irrespective of the claims provider used, i.e. ADFS, SiteMinder, PingIdentity or any other SAML auth provider. The flow of this approach can be summarized as follows:
   - The console application creates a System.Windows.Forms.WebBrowser session (a small browser window) and automatically takes you to the SharePoint site login page.
   - Enter the username and password in the form and log in to the site.
   - All of the authentication mechanism is then handled by the SharePoint setup, and once you are authenticated you get your FedAuth cookie.
   - The browser can be closed automatically once the FedAuth cookie is generated.
   - This cookie is captured by the console application and injected into all CSOM requests.
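The browser flow above, as an added example that is not code from the original post. It is a small Windows Forms host around the WebBrowser control; the FedAuth cookie is marked HttpOnly, so it does not show up in WebBrowser.Document.Cookie and is instead read from the WinInet cookie store through InternetGetCookieEx with the INTERNET_COOKIE_HTTPONLY flag. The site URL is a placeholder, and the project needs references to System.Windows.Forms and Microsoft.SharePoint.Client.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;
using Microsoft.SharePoint.Client;

// Added example, not code from the original post. Hosts the SharePoint login chain in a
// WebBrowser window and hands the resulting FedAuth cookie to CSOM. The app never sees the
// password; whatever the claims provider is (ADFS, SiteMinder, Ping, ...) runs inside the browser.
class ClaimsLoginForm : Form
{
    [DllImport("wininet.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool InternetGetCookieEx(string url, string name, StringBuilder data, ref int size, int flags, IntPtr reserved);
    const int INTERNET_COOKIE_HTTPONLY = 0x2000; // without this flag HttpOnly cookies such as FedAuth are not returned

    public string FedAuth { get; private set; }

    public ClaimsLoginForm(string siteUrl)
    {
        Text = "Sign in to SharePoint"; Width = 900; Height = 700;
        var browser = new WebBrowser { Dock = DockStyle.Fill, ScriptErrorsSuppressed = true };
        // Each hop of the login chain raises Navigated; stop as soon as the site has a FedAuth cookie.
        browser.Navigated += (sender, e) =>
        {
            FedAuth = ReadCookie(siteUrl, "FedAuth");
            if (FedAuth != null) { DialogResult = DialogResult.OK; Close(); }
        };
        Controls.Add(browser);
        browser.Navigate(siteUrl);
    }

    // Reads one cookie (HttpOnly included) for the given URL from the WinInet store the WebBrowser
    // control uses. The first call only reports the buffer size, the second fills it with
    // "name=value; name=value" pairs that are then searched for the wanted name.
    static string ReadCookie(string url, string name)
    {
        int size = 0;
        InternetGetCookieEx(url, null, null, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero);
        if (size <= 0) return null;
        var buf = new StringBuilder(size);
        if (!InternetGetCookieEx(url, null, buf, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero)) return null;
        foreach (string part in buf.ToString().Split(';'))
        {
            string p = part.Trim();
            if (p.StartsWith(name + "=", StringComparison.Ordinal)) return p.Substring(name.Length + 1);
        }
        return null;
    }
}

static class Program
{
    [STAThread] // the WebBrowser control is an ActiveX host and needs a single-threaded apartment
    static void Main()
    {
        const string siteUrl = "https://sp.contoso.com/sites/demo"; // placeholder
        string fedAuth;
        using (var login = new ClaimsLoginForm(siteUrl))
        {
            if (login.ShowDialog() != DialogResult.OK) return; // user closed the window without signing in
            fedAuth = login.FedAuth;
        }
        using (var ctx = new ClientContext(siteUrl))
        {
            // Inject the captured cookie into every CSOM request; the extra header makes SharePoint
            // return 403 instead of a login-page redirect when the cookie expires.
            ctx.ExecutingWebRequest += (sender, e) =>
            {
                e.WebRequestExecutor.WebRequest.Headers.Add("Cookie", "FedAuth=" + fedAuth);
                e.WebRequestExecutor.WebRequest.Headers.Add("X-FORMS_BASED_AUTH_ACCEPTED", "f");
            };
            ctx.Load(ctx.Web, w => w.Title);
            ctx.ExecuteQuery();
            Console.WriteLine("Connected to: " + ctx.Web.Title);
        }
    }
}
```

Because the cookie lives in the process-wide WinInet store for as long as the process runs, a long-running tool should treat the window's close as the end of the session and re-prompt rather than caching the FedAuth value anywhere persistent; a 403 from CSOM with the header above set is the signal that the cookie has expired.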