We are using Okta as the IdP for Microsoft Office 365 and have a PHP-based web application. The PHP code needs to make REST API calls to fetch SharePoint content, authenticating with the Okta authentication token.
Per http://www.threewill.com/wp-content/uploads/msonlineauthentication.png, it is possible to send a SAML assertion to the Microsoft Online STS to obtain an auth token, which can then be used to get authentication cookies for SharePoint. When I pass the Okta assertion to the Microsoft Online STS, it raises a "WebSSO invalid assertion" error. I cannot find the exact reason why the assertion is not valid.
The SOAP envelope used to send the assertion to the Microsoft Online STS is:
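<!--
  WS-Trust RequestSecurityToken (Issue) sent to the Microsoft Online STS at
  https://login.microsoftonline.com/extsts.srf. The WS-Security header embeds
  an Okta-issued SAML 2.0 bearer assertion; the body asks for a SAML 2.0 token
  with no proof key.

  Element and attribute names, namespace URIs, URNs and xs:dateTime values are
  case-sensitive. The pasted copy was entirely lower-case (e.g. "xmlschema",
  "mustunderstand", "2015-04-27t22:35:53.492z"), which is not what any parser
  or STS will accept; the standard spellings are restored here ("XMLSchema",
  "mustUnderstand", "2015-04-27T22:35:53.492Z"). Stray whitespace padding
  around the Action, KeyType and AuthnContextClassRef URIs is removed, since a
  receiver may compare those values verbatim. Elided values ("...") are kept
  as placeholders.

  NOTE(review): the Assertion subtree is covered by an enveloped XML signature
  (DigestValue over the exc-c14n form of the element with ID
  id29170470933790951475177561). Any change to that subtree, including case,
  whitespace or re-serialisation, breaks the digest and signature, so the
  assertion has to be forwarded as the raw bytes returned by Okta rather than
  re-built or re-typed. The signature cannot be checked from this copy because
  DigestValue, SignatureValue and the certificate are elided.
-->
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://login.microsoftonline.com/extsts.srf</a:To>
    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                s:mustUnderstand="1">
      <o:SecurityTokenReference xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <o:Embedded>
          <!-- Bearer assertion issued by Okta; whoever holds it can present it,
               so it is only ever sent over the TLS endpoint named in a:To. -->
          <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                           xmlns:xs="http://www.w3.org/2001/XMLSchema"
                           ID="id29170470933790951475177561"
                           IssueInstant="2015-04-27T22:35:53.492Z"
                           Version="2.0">
            <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/issueid</saml2:Issuer>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <!-- SHA-1 based signature (rsa-sha1) and digest (sha1) as emitted
                     by the IdP. NOTE(review): whether the STS still accepts
                     SHA-1 is not shown here; confirm against the relying
                     party's current signing-algorithm policy. -->
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#id29170470933790951475177561">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                      <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
                    </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>...</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>...</ds:SignatureValue>
              <ds:KeyInfo>
                <ds:X509Data>
                  <ds:X509Certificate>...</ds:X509Certificate>
                </ds:X509Data>
              </ds:KeyInfo>
            </ds:Signature>
            <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
              <!-- NOTE(review): the NameID format is "transient" while the value
                   is an e-mail address. Whether the STS can map a transient
                   identifier to a directory user is not shown here; confirm the
                   NameID format and value the federation trust expects. -->
              <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">email@example.com</saml2:NameID>
              <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <!-- InResponseTo and Recipient are both empty in this copy.
                     NOTE(review): a bearer confirmation with no Recipient is a
                     plausible cause of an "invalid assertion" rejection, since
                     relying parties commonly check Recipient against their own
                     endpoint; confirm the STS requirements before assuming
                     anything else is wrong. -->
                <saml2:SubjectConfirmationData InResponseTo=""
                                               NotOnOrAfter="2015-04-27T22:40:53.492Z"
                                               Recipient=""/>
              </saml2:SubjectConfirmation>
            </saml2:Subject>
            <!-- Validity window: five minutes before to five minutes after
                 IssueInstant. The STS clock must fall inside it, so a fresh
                 assertion is needed for each attempt; this sample is long
                 past its window. -->
            <saml2:Conditions xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                              NotBefore="2015-04-27T22:30:53.492Z"
                              NotOnOrAfter="2015-04-27T22:40:53.492Z">
              <saml2:AudienceRestriction>
                <!-- Audience is elided in this copy. NOTE(review): it must match
                     the entity ID the Microsoft Online STS expects for this
                     federation trust; verify the real value. -->
                <saml2:Audience>...</saml2:Audience>
              </saml2:AudienceRestriction>
            </saml2:Conditions>
            <!-- SessionIndex is empty in the pasted copy. -->
            <saml2:AuthnStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                                  AuthnInstant="2015-04-27T22:35:53.492Z"
                                  SessionIndex="">
              <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
              </saml2:AuthnContext>
            </saml2:AuthnStatement>
            <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
              <saml2:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string">email@example.com</saml2:AttributeValue>
              </saml2:Attribute>
            </saml2:AttributeStatement>
          </saml2:Assertion>
        </o:Embedded>
      </o:SecurityTokenReference>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <!-- AppliesTo names the service the issued token is scoped to. The
           Address is empty here. NOTE(review): confirm whether the STS requires
           the target SharePoint site URL in this element. -->
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address/>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <!-- No proof key is requested, so the issued token is also a bearer token. -->
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>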