Step-by-Step SharePoint Online Authentiaction Process via HTTP Protocol

Here is the step-by-step, behind the scene, authentication process of SharePoint Online. You can use it to connect to SharePoint Online from any Microsoft or Non-Microsoft technology.  It gives you an idea of how things work at the very basic level of HTTP protocol, while authenticating a user in SharePoint Online.

Assumption:

  • User is trying to access a SharePoint resource (e.g. File, list Item) by code, but does not have valid authenticated session.
  • Code needs to authenticate the user to SharePoint Online and needs to receive authentication cookie for future requests.

Process:

Note
Replace “yourdomain.com” with your actual domain as registered on sharepoint.com.
Replace “username” with full username e.g. paul.brooks@mycompany.com

  1. Try to access a resource on your SharePoint Online by sending GET e.g.
    1. GET https://yourdomain.sharepoint.com/
    2. Set Header X-IDCRL_ACCEPTED: t
  2. SharePoint Online server will reply with error
    1. 401 Unauthorized along with following header
    2. WWW-Authenticate: IDCRL Type=”BPOSIDCRL”, EndPoint=”/_vti_bin/idcrl.svc/“, RootDomain=”sharepoint.com”, Policy=”MBI”
  3. The above response means, SharePoint Online is challenging you to first authenticate yourself by a trusted AD (Federation Provider) and then come back again, to provided EndPoint (i.e. /_vti_bin/idcrl.svc) , to get authentication Cookie for future session requests.
  4. Now, to get authenticated, you need to send POST request with your username to https://login.microsoftonline.com/getuserrealm.srf?login=username@yourdomain.com&xml=1
  5. SharePoint Online web server will reply with XML similar to following:
<?xml version="1.0"?><RealmInfo Success="true">
	<State>3</State>
	<UserState>2</UserState>
	<Login>username@yourmain.com</Login>
	<NameSpaceType>Federated</NameSpaceType>
	<DomainName>yourdomain.com</DomainName>
	<FederationGlobalVersion>-1</FederationGlobalVersion>
	<AuthURL>https://sts.yourdomain.com/adfs/ls/</AuthURL>
	<IsFederatedNS>true</IsFederatedNS>
	<STSAuthURL>https://sts.yourdomain.com/adfs/services/trust/2005/usernamemixed</STSAuthURL>
	<FederationTier>0</FederationTier>
	<FederationBrandName>yourdomain.com</FederationBrandName>
	<AllowFedUsersWLIDSignIn>false</AllowFedUsersWLIDSignIn>
	<Certificate>Very Long String Containing your Certificate Information</Certificate>
	<MEXURL>https://sts.yourdomain.com/adfs/services/trust/mex</MEXURL>
	<SAML_AuthURL/>
	<PreferredProtocol>1</PreferredProtocol>
	<EDUDomainFlags>0</EDUDomainFlags>
</RealmInfo>

  1. Retrieve STSAuthURL value in above XML
  2. POST the following XML to above retrieved STSAuthURL e.g. https://sts.yourdomain.com/adfs/services/trust/2005/usernamemixed
    This will contain your username and password for authentication
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
	<s:Header>
		<wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
		<wsa:To s:mustUnderstand="1">https://sts.yourdomain.com/adfs/services/trust/2005/usernamemixed</wsa:To>
		<wsa:MessageID>GUID in this format 7f60eeb9-db69-4411-b600-b6570dfb0ddf</wsa:MessageID>
		<ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">
			<ps:HostingApp>Managed IDCRL</ps:HostingApp>
			<ps:BinaryVersion>6</ps:BinaryVersion>
			<ps:UIVersion>1</ps:UIVersion>
			<ps:Cookies/>
			<ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams>
		</ps:AuthInfo>
		<wsse:Security>
			<wsse:UsernameToken wsu:Id="user">
				<wsse:Username>username@yourdomain.com</wsse:Username>
				<wsse:Password>Password of the user</wsse:Password>
			</wsse:UsernameToken>
			<wsu:Timestamp Id="Timestamp">
				<wsu:Created>2016-03-18T16:26:35.0709397Z</wsu:Created>
				<wsu:Expires>2016-03-18T16:36:35.0719398Z</wsu:Expires>
			</wsu:Timestamp>
		</wsse:Security>
	</s:Header>
	<s:Body>
		<wst:RequestSecurityToken Id="RST0">
			<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
			<wsp:AppliesTo>
				<wsa:EndpointReference>
					<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
				</wsa:EndpointReference>
			</wsp:AppliesTo>
			<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
		</wst:RequestSecurityToken>
	</s:Body>
</s:Envelope>
  1. Server will reply with the following XML, if you have valid username and password. Following contains the SAML security token
  2. You will note that <a:RelatesTo> node contains the same GUID which you passed as MessageID in the Request

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<s:Header>
		<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</a:Action>
		<a:RelatesTo>7f60eeb9-db69-4411-b600-b6570dfb0ddf</a:RelatesTo>
		<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<u:Timestamp u:Id="_0">
				<u:Created>2016-03-18T16:27:39.529Z</u:Created>
				<u:Expires>2016-03-18T16:32:39.529Z</u:Expires>
			</u:Timestamp>
		</o:Security>
	</s:Header>
	<s:Body>
		<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
			<t:Lifetime>
				<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-18T16:27:39.523Z</wsu:Created>
				<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-18T17:27:39.523Z</wsu:Expires>
			</t:Lifetime>
			<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
				<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
					<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
				</wsa:EndpointReference>
			</wsp:AppliesTo>
			<t:RequestedSecurityToken>
				<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_b73fceb0-XXXX-4f70-98e0-ad664d27afc9" Issuer="http://yourdomain.com/adfs/services/trust/" IssueInstant="2016-03-18T16:27:39.529Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
					<saml:Conditions NotBefore="2016-03-18T16:27:39.523Z" NotOnOrAfter="2016-03-18T17:27:39.523Z">
						<saml:AudienceRestrictionCondition>
							<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
						</saml:AudienceRestrictionCondition>
					</saml:Conditions>
					<saml:AttributeStatement>
						<saml:Subject>
							<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yFcXXXXC9kS3vGXgpnSyNw==</saml:NameIdentifier>
							<saml:SubjectConfirmation>
								<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
							</saml:SubjectConfirmation>
						</saml:Subject>
						<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
							<saml:AttributeValue>username@yourdomain.com</saml:AttributeValue>
						</saml:Attribute>
						<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
							<saml:AttributeValue>yFcXXXXC9kS3vGXgpnSyNw==</saml:AttributeValue>
						</saml:Attribute>
					</saml:AttributeStatement>
					<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2016-03-18T16:27:39.520Z">
						<saml:Subject>
							<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yFcXXXXC9kS3vGXgpnSyNw==</saml:NameIdentifier>
							<saml:SubjectConfirmation>
								<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
							</saml:SubjectConfirmation>
						</saml:Subject>
					</saml:AuthenticationStatement>
					<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
						<ds:SignedInfo>
							<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
							<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
							<ds:Reference URI="#_b73fceb0-c9e9-XXXX-98e0-ad664d27afc9">
								<ds:Transforms>
									<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
									<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
								</ds:Transforms>
								<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
								<ds:DigestValue>NK0XXXXapBi+LwTyIXiicj5rfsc=</ds:DigestValue>
							</ds:Reference>
						</ds:SignedInfo>
						<ds:SignatureValue>Very long string as Signature</ds:SignatureValue>
						<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
							<X509Data>
								<X509Certificate>Very Long String as Certificate Data</X509Certificate>
							</X509Data>
						</KeyInfo>
					</ds:Signature>
				</saml:Assertion>
			</t:RequestedSecurityToken>
			<t:RequestedAttachedReference>
				<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
					<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_b73XXXX0-c9e9-4f70-98e0-ad664d27afc9</o:KeyIdentifier>
				</o:SecurityTokenReference>
			</t:RequestedAttachedReference>
			<t:RequestedUnattachedReference>
				<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
					<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_b7XXXeb0-c9e9-4f70-98e0-ad664d27afc9</o:KeyIdentifier>
				</o:SecurityTokenReference>
			</t:RequestedUnattachedReference>
			<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
			<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
			<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
		</t:RequestSecurityTokenResponse>
	</s:Body>
</s:Envelope>

  1. Extract saml:Assertion node from t:RequestedSecurityToken
  2. POST following XML to https://login.microsoftonline.com/RST2.srf
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<s:Header>
		<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</a:Action>
		<a:RelatesTo>7f6XXXb9-db69-4411-b600-b6570dfb0ddf</a:RelatesTo>
		<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<u:Timestamp u:Id="_0">
				<u:Created>2016-03-18T16:27:39.529Z</u:Created>
				<u:Expires>2016-03-18T16:32:39.529Z</u:Expires>
			</u:Timestamp>
		</o:Security>
	</s:Header>
	<s:Body>
		<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
			<t:Lifetime>
				<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-18T16:27:39.523Z</wsu:Created>
				<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-18T17:27:39.523Z</wsu:Expires>
			</t:Lifetime>
			<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
				<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
					<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
				</wsa:EndpointReference>
			</wsp:AppliesTo>
			<t:RequestedSecurityToken>
				<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_b7XXXeb0-c9e9-4f70-98e0-ad664d27afc9" Issuer="http://yourdomain.com/adfs/services/trust/" IssueInstant="2016-03-18T16:27:39.529Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
					<saml:Conditions NotBefore="2016-03-18T16:27:39.523Z" NotOnOrAfter="2016-03-18T17:27:39.523Z">
						<saml:AudienceRestrictionCondition>
							<saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
						</saml:AudienceRestrictionCondition>
					</saml:Conditions>
					<saml:AttributeStatement>
						<saml:Subject>
							<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yFcXXX6C9kS3vGXgpnSyNw==</saml:NameIdentifier>
							<saml:SubjectConfirmation>
								<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
							</saml:SubjectConfirmation>
						</saml:Subject>
						<saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
							<saml:AttributeValue>username@yourdomain.com</saml:AttributeValue>
						</saml:Attribute>
						<saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
							<saml:AttributeValue>yFcXXXXC9kS3vGXgpnSyNw==</saml:AttributeValue>
						</saml:Attribute>
					</saml:AttributeStatement>
					<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="2016-03-18T16:27:39.520Z">
						<saml:Subject>
							<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yFcXXXXC9kS3vGXgpnSyNw==</saml:NameIdentifier>
							<saml:SubjectConfirmation>
								<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
							</saml:SubjectConfirmation>
						</saml:Subject>
					</saml:AuthenticationStatement>
					<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
						<ds:SignedInfo>
							<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
							<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
							<ds:Reference URI="#_b73XXXb0-c9e9-4f70-98e0-ad664d27afc9">
								<ds:Transforms>
									<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
									<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
								</ds:Transforms>
								<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
								<ds:DigestValue>NKXXXXsapBi+LwTyIXiicj5rfsc=</ds:DigestValue>
							</ds:Reference>
						</ds:SignedInfo>
						<ds:SignatureValue>Very long string as Signature</ds:SignatureValue>
						<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
							<X509Data>
								<X509Certificate>Very Long String as Certificate Data</X509Certificate>
							</X509Data>
						</KeyInfo>
					</ds:Signature>
				</saml:Assertion>
			</t:RequestedSecurityToken>
			<t:RequestedAttachedReference>
				<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
					<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_b7XXXeb0-c9e9-4f70-98e0-ad664d27afc9</o:KeyIdentifier>
				</o:SecurityTokenReference>
			</t:RequestedAttachedReference>
			<t:RequestedUnattachedReference>
				<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
					<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_b7XXXeb0-c9e9-4f70-98e0-ad664d27afc9</o:KeyIdentifier>
				</o:SecurityTokenReference>
			</t:RequestedUnattachedReference>
			<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
			<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
			<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
		</t:RequestSecurityTokenResponse>
	</s:Body>
</s:Envelope>
  1. Server Returns following XML and sets following Cookies
    1. SASession=; expires=Thu, 30-Oct-1980 16:00:00 GMT;domain=login.microsoftonline.com;secure= ;path=/;HTTPOnly= ;version=1
    2. x-ms-gateway-slice=orgidprod; path=/; secure; HttpOnly
    3. stsservicecookie=orgidprod; path=/; secure; HttpOnly
    4. Compact Policy token is present. A trailing ‘o’ means opt-out, a trailing ‘i’ means opt-in.
    5. P3P Header is also sent as follows CP=”DSP CUR OTPi IND OTRi ONL FIN”
<?xml version="1.0" encoding="utf-8" ?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsa="http://www.w3.org/2005/08/addressing">
 <S:Header>
 <wsa:Action xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Action" S:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue</wsa:Action>
 <wsa:To xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="To" S:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
 <wsse:Security S:mustUnderstand="1">
 <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="TS">
 <wsu:Created>2016-03-18T16:27:40Z</wsu:Created>
 <wsu:Expires>2016-03-18T16:32:40Z</wsu:Expires>
 </wsu:Timestamp>
 </wsse:Security>
 </S:Header>
 <S:Body>
 <wst:RequestSecurityTokenResponse xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:psf="http://schemas.microsoft.com/Passport/SoapServices/SOAPFault">
 <wst:TokenType>urn:passport:compact</wst:TokenType>
 <wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing">
 <wsa:EndpointReference>
 <wsa:Address>sharepoint.com</wsa:Address>
 </wsa:EndpointReference>
 </wsp:AppliesTo>
 <wst:Lifetime>
 <wsu:Created>2016-03-18T16:27:40Z</wsu:Created>
 <wsu:Expires>2016-03-19T00:27:40Z</wsu:Expires>
 </wst:Lifetime>
 <wst:RequestedSecurityToken>
 <wsse:BinarySecurityToken Id="Compact0">Very Long String to represent Binary Security Token</wsse:BinarySecurityToken>
 </wst:RequestedSecurityToken>
 <wst:RequestedAttachedReference>
 <wsse:SecurityTokenReference>
 <wsse:Reference URI="OaBXXXX6kZOe7k9C3MR1SdlN/x0="/>
 </wsse:SecurityTokenReference>
 </wst:RequestedAttachedReference>
 <wst:RequestedUnattachedReference>
 <wsse:SecurityTokenReference>
 <wsse:Reference URI="OaXXXX46kZOe7k9C3MR1SdlN/x0="/>
 </wsse:SecurityTokenReference>
 </wst:RequestedUnattachedReference>
 </wst:RequestSecurityTokenResponse>
 </S:Body>
</S:Envelope>
  1. Extract the value of
    wsse:BinarySecurityToken [ Id=Compact0 ]

    from above returned XML response

  2. Send following GET request to
    https://yourdomain.sharepoint.com/_vti_bin/idcrl.svc

    after setting following Request Header X-IDCRL_ACCEPTED: t

    1. Authorization: BPOSIDCRL Add the above extracted value of  wsse:BinarySecurityToken [ Id=Compact0 ]
  3. Server will respond to set the special cookie called SPOIDCRL along with P3P policy header. This is the cookie which SharePoint Online will check in all requests, to make sure that your request is coming from an authenticated client. Sample raw response response is as follows:
HTTP/1.1 200 OK
 Cache-Control: private
 Server: Microsoft-IIS/8.5
 X-SharePointHealthScore: 0
 X-AspNet-Version: 4.0.30319
 Set-Cookie: SPOIDCRL=Base64 Encoded String containing membership info and some other information; path=/; secure; HttpOnly
 SPRequestGuid: a9cb699d-60de-2000-1f64-ddad45389266
 request-id: a9cb699d-60de-2000-1f64-ddad45389266
 Strict-Transport-Security: max-age=31536000
 X-FRAME-OPTIONS: SAMEORIGIN
 SPRequestDuration: 132
 SPIisLatency: 0
 X-Powered-By: ASP.NET
 MicrosoftSharePointTeamServices: 16.0.0.5104
 X-Content-Type-Options: nosniff
 X-MS-InvokeApp: 1; RequireReadOnly
 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
 Date: Fri, 18 Mar 2016 16:27:39 GMT
 Content-Length: 0

 

  1. Send this Cookie with all other future SharePoint requests.
Share