Connect to SharePoint with Federated Authentication
This section explains how to connect to a SharePoint server that uses federated authentication.
Federated Authentication with SharePoint Online
When the connector is configured to retrieve data from SharePoint Online, it makes a request to Microsoft Online (https://login.microsoftonline.com/GetUserRealm.srf) to determine if the SharePoint Online instance uses federated authentication. If the SharePoint Online instance uses federated authentication, the response can contain up to two authentication endpoints that the connector can use to authenticate. These are at the following locations in the XML response:
- /RealmInfo/AuthURL. This endpoint is used by default. The connector uses https://AuthURLHost/adfs/services/trust/2005/usernamemixed/ (where AuthURLHost is the host name taken from the AuthURL value) as the ADFS proxy to authenticate with SharePoint Online.
- /RealmInfo/STSAuthURL. To use this endpoint as the ADFS proxy to authenticate with SharePoint Online, set the parameter SharePointOnlineFederatedAuthUseSTSUrl to true. Use this option when the default endpoint is not available.
A common indicator that you need to set the parameter SharePointOnlineFederatedAuthUseSTSUrl is the following error appearing in the connector logs: "Sign in failed using corporate credentials: The remote server returned an error: (404) Not Found".
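The following Python is an added example, not the connector's own code, that applies the endpoint-selection rules above to a GetUserRealm.srf reply: it reads /RealmInfo/AuthURL and /RealmInfo/STSAuthURL, builds the default usernamemixed proxy URL from the AuthURL host, switches to STSAuthURL when SharePointOnlineFederatedAuthUseSTSUrl is true, and recognises the 404 log message that signals the switch is needed. The XML replies, host name adfs.example.test and log lines are constructed samples; a real reply carries additional elements that this example does not use.

```python
"""Select the ADFS endpoint from a GetUserRealm.srf reply (added example)."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Path the page says the connector appends to the AuthURL host by default.
DEFAULT_ADFS_PATH = "/adfs/services/trust/2005/usernamemixed/"

# Log text the page gives as the indicator for switching to STSAuthURL.
STS_FALLBACK_INDICATOR = (
    "Sign in failed using corporate credentials: "
    "The remote server returned an error: (404) Not Found"
)

# Constructed reply for a federated tenant (other elements of a real reply omitted).
FEDERATED_REALM_XML = """<RealmInfo Success="true">
  <AuthURL>https://adfs.example.test/adfs/ls/?username=user%40example.test&amp;wa=wsignin1.0</AuthURL>
  <STSAuthURL>https://adfs.example.test/adfs/services/trust/2005/usernamemixed</STSAuthURL>
</RealmInfo>
"""

# Constructed reply for a tenant that is not federated: no endpoints are advertised.
MANAGED_REALM_XML = """<RealmInfo Success="true">
</RealmInfo>
"""

# Constructed log excerpt in an assumed layout; only the quoted message matters.
SAMPLE_LOG_LINES = [
    "2024-03-12 10:15:01 Error: Sign in failed using corporate credentials: "
    "The remote server returned an error: (404) Not Found",
    "2024-03-12 10:15:02 Normal: Retrying authentication",
]


def realm_endpoints(realm_xml: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (AuthURL, STSAuthURL) from the reply, None for an absent element."""
    root = ET.fromstring(realm_xml)
    if root.tag != "RealmInfo":
        raise ValueError(f"unexpected root element {root.tag!r}")
    auth_url = (root.findtext("AuthURL") or "").strip()
    sts_url = (root.findtext("STSAuthURL") or "").strip()
    return (auth_url or None, sts_url or None)


def select_adfs_endpoint(realm_xml: str, use_sts_url: bool = False) -> Optional[str]:
    """Return the ADFS proxy URL to use, or None when the tenant is not federated."""
    auth_url, sts_url = realm_endpoints(realm_xml)
    if auth_url is None and sts_url is None:
        return None  # no federation endpoints: standard sign-in applies
    if use_sts_url:
        # SharePointOnlineFederatedAuthUseSTSUrl=true: use STSAuthURL verbatim.
        if sts_url is None:
            raise ValueError("STSAuthURL absent; cannot honour SharePointOnlineFederatedAuthUseSTSUrl=true")
        return sts_url
    if auth_url is None:
        raise ValueError("AuthURL absent; consider SharePointOnlineFederatedAuthUseSTSUrl=true")
    host = urlsplit(auth_url).netloc
    if not host:
        raise ValueError(f"AuthURL has no host: {auth_url!r}")
    # Default behaviour: keep only the host of AuthURL and append the usernamemixed path.
    return f"https://{host}{DEFAULT_ADFS_PATH}"


def should_enable_sts_url(log_lines: List[str]) -> bool:
    """True when the connector log shows the 404 message the page describes."""
    return any(STS_FALLBACK_INDICATOR in line for line in log_lines)


if __name__ == "__main__":
    print(select_adfs_endpoint(FEDERATED_REALM_XML))
    print(select_adfs_endpoint(FEDERATED_REALM_XML, use_sts_url=True))
    print(select_adfs_endpoint(MANAGED_REALM_XML))
    print(should_enable_sts_url(SAMPLE_LOG_LINES))
```

The default path discards everything in AuthURL except the host, which is why a proxy that does not expose the 2005 usernamemixed endpoint at that host produces the 404 and why STSAuthURL is taken verbatim when the parameter is set.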
Federated Authentication with SharePoint On-Premise
To retrieve information from an on-site SharePoint server with federated authentication, you must specify the details of the federation servers to use to authenticate with SharePoint:
- Use the Username and Password configuration parameters to specify the credentials to use to authenticate with the federation server.
- Set FederatedAuthStsUrl to the URL of the security token service (STS) endpoint of the federation server. Common examples include FederatedAuthStsUrl=https://login-mydomain.com/idp/sts.wst and FederatedAuthStsUrl=https://login-mydomain.com/adfs/services/trust/2005/usernamemixed/. Use an STS active client endpoint, because these are intended for clients that are services (where no user is present).
- Set FederatedAuthSharepointStsUrn to the URN of the SharePoint server to use in the Request Security Token (RST) message sent to the security token service (STS) endpoint. For example, FederatedAuthSharepointStsUrn=urn:sharepoint:myinstance.
In most environments, this is all you need to do. However, in some scenarios you might need to configure the WS-Federation passive protocol URL for the SharePoint server. The usual WS-Federation passive protocol URL can be constructed by appending /_trust/ to the URL of the Web Application or Site Collection that the connector has been configured to process, and if this is the case then no further configuration is needed. If the WS-Federation passive protocol URL for the SharePoint server is not at this location, then use the configuration parameter FederatedAuthSharepointTrustUrl to specify the WS-Federation passive protocol URL, for example FederatedAuthSharepointTrustUrl=http://sharepoint/_trust/.
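The following Python is an added example, not the connector's own code, that checks an on-premise federation configuration before the connector runs: it confirms the parameters the section requires are present, derives the WS-Federation passive URL by appending /_trust/ to the site URL unless FederatedAuthSharepointTrustUrl overrides it, and flags an STS URL that is not https or does not match the two active-endpoint shapes the page gives as examples. The parameter names Username, Password, FederatedAuthStsUrl, FederatedAuthSharepointStsUrn and FederatedAuthSharepointTrustUrl come from the page; the key=value file layout, the SharePointUrl parameter name and all sample values are assumptions made for this example.

```python
"""Preflight check of on-premise federated authentication settings (added example)."""
from typing import Dict, List
from urllib.parse import urlsplit

# Parameters the page says must be set for on-premise federated authentication.
REQUIRED = ("Username", "Password", "FederatedAuthStsUrl", "FederatedAuthSharepointStsUrn")

# Constructed configuration. SharePointUrl is a hypothetical name for the
# web application or site collection URL the connector processes.
SAMPLE_CONFIG = r"""
# federation settings for the on-premise farm (constructed sample)
Username=mydomain\svc-connector
Password=<password-placeholder>
FederatedAuthStsUrl=https://login-mydomain.com/adfs/services/trust/2005/usernamemixed/
FederatedAuthSharepointStsUrn=urn:sharepoint:myinstance
SharePointUrl=http://sharepoint/sites/finance/
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped (assumed syntax)."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def default_trust_url(site_url: str) -> str:
    """The usual WS-Federation passive URL: the site URL with /_trust/ appended."""
    return site_url.rstrip("/") + "/_trust/"


def resolve_trust_url(cfg: Dict[str, str]) -> str:
    """Honour FederatedAuthSharepointTrustUrl when set, otherwise derive the default."""
    override = cfg.get("FederatedAuthSharepointTrustUrl")
    if override:
        return override
    return default_trust_url(cfg["SharePointUrl"])


def check_federation_config(cfg: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the settings look complete."""
    findings: List[str] = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append(f"missing {key}")
    sts = cfg.get("FederatedAuthStsUrl", "")
    if sts:
        parts = urlsplit(sts)
        if parts.scheme != "https":
            # Heuristic of this example: Username/Password are presented to the STS,
            # so a plain-http endpoint would carry them unprotected.
            findings.append("FederatedAuthStsUrl is not https; credentials would be sent in clear")
        # Heuristic of this example, based on the two endpoint shapes the page lists.
        if "usernamemixed" not in parts.path and not parts.path.endswith(".wst"):
            findings.append("FederatedAuthStsUrl does not look like an STS active client endpoint")
    urn = cfg.get("FederatedAuthSharepointStsUrn", "")
    if urn and not urn.startswith("urn:"):
        findings.append("FederatedAuthSharepointStsUrn should be a URN such as urn:sharepoint:myinstance")
    if "SharePointUrl" not in cfg and "FederatedAuthSharepointTrustUrl" not in cfg:
        findings.append("cannot derive the WS-Federation passive URL: no site URL configured")
    return findings


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    print("trust URL:", resolve_trust_url(config))
    for finding in check_federation_config(config) or ["no findings"]:
        print(finding)
```

Run the check against the connector's actual configuration before the first fetch; a finding on the trust URL or the STS shape points at the two settings that most often need adjusting when federated sign-in to an on-premise farm fails.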