Connect to SharePoint with Federated Authentication

This section explains how to connect to a SharePoint server that uses federated authentication.

Federated Authentication with SharePoint Online

When the connector is configured to retrieve data from SharePoint Online, it makes a request to Microsoft Online (https://login.microsoftonline.com/GetUserRealm.srf) to determine if the SharePoint Online instance uses federated authentication. If the SharePoint Online instance uses federated authentication, the response can contain up to two authentication endpoints that the connector can use to authenticate. These are at the following locations in the XML response:

  • /RealmInfo/AuthURL - This endpoint is used by default. The connector takes the host portion of the AuthURL value (AuthURLHost) and uses https://AuthURLHost/adfs/services/trust/2005/usernamemixed/ as the ADFS proxy to authenticate with SharePoint Online.
  • /RealmInfo/STSAuthURL - To use this endpoint as the ADFS proxy to authenticate with SharePoint Online, set the parameter SharePointOnlineFederatedAuthUseSTSUrl to true. Use this option when the default endpoint is not available.

A common indicator that you need to set the parameter SharePointOnlineFederatedAuthUseSTSUrl is the following error appearing in the connector logs: “Sign in failed using corporate credentials: The remote server returned an error: (404) Not Found”.
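The endpoint selection described above, as an added illustration that is not part of the connector: it parses a constructed GetUserRealm.srf response (placeholder hosts, not a real tenant), derives the default ADFS proxy URL from the host of /RealmInfo/AuthURL, and falls back to /RealmInfo/STSAuthURL when the equivalent of SharePointOnlineFederatedAuthUseSTSUrl=true is set. The function names and the rule that a response with neither endpoint means "not federated" are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a GetUserRealm.srf response for a federated tenant.
# Hosts are placeholders; only the two elements the connector uses are shown.
SAMPLE_REALM_XML = """<RealmInfo Success="true">
  <AuthURL>https://sts.example.com/adfs/ls/?username=user%40example.com&amp;wa=wsignin1.0</AuthURL>
  <STSAuthURL>https://sts.example.com/adfs/services/trust/2005/usernamemixed</STSAuthURL>
</RealmInfo>"""

ADFS_ACTIVE_PATH = "/adfs/services/trust/2005/usernamemixed/"


def parse_realm_info(xml_text):
    """Return (auth_url, sts_auth_url) from a GetUserRealm.srf response.

    Either value is None when the element is absent from /RealmInfo.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "RealmInfo":
        raise ValueError("unexpected root element %r" % root.tag)
    return root.findtext("AuthURL"), root.findtext("STSAuthURL")


def select_adfs_endpoint(xml_text, use_sts_url=False):
    """Choose the ADFS proxy endpoint the way the page describes.

    use_sts_url=False: https://<AuthURL host>/adfs/services/trust/2005/usernamemixed/
    use_sts_url=True:  the /RealmInfo/STSAuthURL value as returned
    Returns None when the response carries no federation endpoint (assumed
    here to mean the tenant is not federated).
    """
    auth_url, sts_url = parse_realm_info(xml_text)
    if auth_url is None and sts_url is None:
        return None
    if use_sts_url:
        if not sts_url:
            raise ValueError("SharePointOnlineFederatedAuthUseSTSUrl=true but STSAuthURL is missing")
        return sts_url
    if not auth_url:
        raise ValueError("AuthURL is missing; consider SharePointOnlineFederatedAuthUseSTSUrl=true")
    parts = urlsplit(auth_url)
    # Only trust an https host: the derived URL is where credentials will be sent.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("AuthURL is not an https URL with a host: %r" % auth_url)
    return "https://%s%s" % (parts.netloc, ADFS_ACTIVE_PATH)
```

Running select_adfs_endpoint against a tenant's real realm response shows which URL the connector would contact before a 404 on the default endpoint appears in the logs.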

Federated Authentication with SharePoint On-Premise

To retrieve information from an on-premise SharePoint server that uses federated authentication, you must specify the details of the federation server that the connector uses to authenticate with SharePoint:

  • Use the Username and Password configuration parameters to specify the credentials to use to authenticate with the federation server.
  • Set FederatedAuthStsUrl to the URL of the security token service (STS) endpoint of the federation server. Common examples include FederatedAuthStsUrl=https://login-mydomain.com/idp/sts.wst and FederatedAuthStsUrl=https://login-mydomain.com/adfs/services/trust/2005/usernamemixed/. Use an STS active client endpoint, because these are intended for clients that are services (where no user is present).
  • Set FederatedAuthSharepointStsUrn to the URN of the SharePoint server to use in the Request Security Token (RST) message sent to the security token service (STS) endpoint. For example, FederatedAuthSharepointStsUrn=urn:sharepoint:myinstance.

In most environments, this is all you need to do. However, in some scenarios you might also need to configure the WS-Federation passive protocol URL for the SharePoint server. By default, the connector constructs this URL by appending /_trust/ to the URL of the Web Application or Site Collection that it has been configured to process. If the SharePoint server exposes its WS-Federation passive protocol URL at that location, no further configuration is needed. If it does not, use the configuration parameter FederatedAuthSharepointTrustUrl to specify the WS-Federation passive protocol URL explicitly, for example FederatedAuthSharepointTrustUrl=http://sharepoint/_trust/.