
SSO with microsoftonline.com

ILGUIZ LATYPOV Jun 10, 2019 10:58PM UTC

I see an SSO mechanism relying on enterprise Office.com integration.

A GET with (expired or logged out) Office and local app cookies to a local app's __LOCAL_SITE__/__LOCAL_PATH__ gets a 302 redirect to Microsoft,

https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/authorize?client_id=YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY&redirect_uri=https%3A%2F%2F__LOCAL_SITE___%2F__LOCAL_PATH__%2F&response_mode=form_post&response_type=code%20id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3D250_3_OGW7SgmZZZZZ_9GlZZZZZZZy3-DZZZZJ_TZZZZl-cZZZZ7_6ZZZZZZZZZZZZZZZZo-owlCZZZZZZZZZZZZZZZZZZZZZZZZZgAXa-bZZZZZZZZZZZZZZZZZZZZZZZZZZ6&nonce=63999999999974.OGWWWWWWWWWWzMy&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0

followed by a selection of the enterprise account in the picker that results in a POST to

https://login.microsoftonline.com/common/GetCredentialType?mkt=en-CA
with a JSON request body,

checkPhones false
country CA
flowToken AQXXXXXe-7FXXXXXF5-QXC-aXXXEI_6XXXEo_cXZ_cXXXXL-3XXXXXXA
forceotclogin false
isCookieBannerShown false
isExternalFederationDisallowed false
isFidoSupported false
isOtherIdpSupported false
isRemoteConnectSupported false
isRemoteNGCSupported true
originalRequest rQIIAUXXXXXGm-XXXX....rP4C0
username USER@ENTERPRISE_OFFICE_DOMAIN.com

This prompts for the enterprise office credentials, entering which sends a POST to

https://ENTERPRISE_SSO.com/adfs/ls/?client-request-id=67XXXX78-6XX6-4XX2-8XX7-dXXXX5&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=LoginOptions%3D3%26estsredirect%3d2%26estsrequest%3drXXXKk_fLXXXL_1XXX7H_vXXX8-BXXXb_46XXXSiro_0uXXXf8-PXXH_mXXXXi_vXXXWG_D5XXX5-SXXX4-sXXX0T-HXXXxb-FXXXH_cfXXX6-KHXXXX81&cbcxt=&username=USER%40ENTERPRISE_OFFICE_DOMAIN.com&mkt=&lc=

with a www-form-urlencoded body

client-request-id 67XXXX78-6XX6-4XX2-8XX7-ddXXXXXXf5
wa wsignin1.0
wtrealm urn:federation:MicrosoftOnline
wctx LoginOptions=3&estsredirect=2&estsrequest=rQIIAUXXXKk_fLXXXL_1NXXXX7H_vXXX8-BXXXb_46XXXSiro_0uXXXe-SYXXX8-PXXH_mXXXXXi_vXXXJWG_DXXXX5-SXXX4-sXXXT-HXXXb-FXXXXH_cfXXX6-KXXXXX_qXXXX81
cbcxt
username USER@ENTERPRISE_OFFICE_DOMAIN.com
mkt
lc
This is followed by a POST to https://login.microsoftonline.com/login.srf
with www-form-urlencoded parameters,

wa wsignin1.0
wresult <t:RequestSecurityTokenResponse+xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:Lifetime><wsu:Created+xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-06-10T22:42:54.357Z</wsu:Created><wsu:Expires+xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2019-06-10T23:42:54.357Z</wsu:Expires></t:Lifetime><wsp:AppliesTo+xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference+xmlns:wsa="htt…20XXXXJ+fnXXX3+NXXv/bXXo/xX1/O6XXf/kXXXX0</X509Certificate></X509Data></KeyInfo></ds:Signature></saml:Assertion></t:RequestedSecurityToken><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType></t:RequestSecurityTokenResponse>
wctx LoginOptions=3&estsredirect=2&estsrequest=rQIIAXXXXXXXX81

Finally, a POST to __LOCAL_SITE__/__LOCAL_PATH__ with parameters,

code AQABXXXXAA
id_token eyXXXXXXXXuQ
state OpenIdConnect.AuthenticationProperties=250_3_OGWXXXXbY_9GXXXdy3-DXXXJ_TXXXXl-cXXX7_6XXXXo-owlXXXa-bXXXXYMP6
session_state 4XXX11-7XXb-4XX2-9XX0-0XXXa8
A logout redirects to Microsoft,

https://login.microsoftonline.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2F___LOCAL_SITE___%2F___LOCAL_PATH___%2F&x-client-SKU=ID_NET461&x-client-ver=5.4.0.0
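
The trace above is the OpenID Connect hybrid flow (response_type=code id_token, response_mode=form_post) as seen from the browser. What the trace cannot show is the relying party's side of it: the state and nonce it mints before redirecting to Microsoft, and the checks it must run on the form_post callback before trusting the id_token. The following Python is an added example, not code from the poster, from Burp or from Microsoft. It uses the placeholder tenant id, client id and redirect URI from the trace, assumes the v1-endpoint issuer form https://sts.windows.net/{tenant}/, and substitutes an HMAC-SHA256 signature over a constructed shared secret for the RS256 signature Azure AD actually produces, so that the validation structure (pin the algorithm, verify the signature, check iss, aud, exp, then bind the nonce to the pending state) can run offline.

```python
# Relying-party side of the OIDC hybrid flow seen in the trace above.
# Added example with placeholder identifiers; HS256 with a constructed shared secret
# stands in for the RS256 signature Azure AD uses, so the key here is not a JWKS key.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"     # tenant id placeholder, as in the trace
CLIENT_ID = "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"  # app client id placeholder, as in the trace
REDIRECT_URI = "https://__LOCAL_SITE__/__LOCAL_PATH__/"
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT}/"   # assumed v1-endpoint issuer form
LOGIN_TTL_SECONDS = 600  # assumed policy: a pending state/nonce pair expires after 10 minutes


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(key: bytes, claims: dict) -> str:
    """Stand-in for the identity provider: sign claims as a compact JWT (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class RelyingParty:
    def __init__(self, verify_key: bytes):
        self.verify_key = verify_key
        self.pending = {}  # state -> {"nonce": ..., "created": ...}

    def start_login(self, now: Optional[float] = None) -> str:
        """Build the redirect to Microsoft, binding this browser session to a state and nonce."""
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self.pending[state] = {"nonce": nonce, "created": time.time() if now is None else now}
        params = {
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "response_mode": "form_post",
            "response_type": "code id_token",
            "scope": "openid profile",
            "state": state,
            "nonce": nonce,
        }
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

    def finish_login(self, form: dict, now: Optional[float] = None) -> dict:
        """Validate the form_post callback (code, id_token, state); return the verified claims."""
        now = time.time() if now is None else now
        entry = self.pending.pop(form.get("state", ""), None)  # single use: a replay fails
        if entry is None:
            raise ValueError("unknown, expired or reused state")
        if now - entry["created"] > LOGIN_TTL_SECONDS:
            raise ValueError("login attempt took too long")
        claims = self._verify_id_token(form.get("id_token", ""), now)
        if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), entry["nonce"].encode()):
            raise ValueError("nonce mismatch: id_token was not issued for this login")
        if not form.get("code"):
            raise ValueError("authorization code missing")
        return claims

    def _verify_id_token(self, token: str, now: float) -> dict:
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed id_token")
        header_b64, payload_b64, sig_b64 = parts
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; a real RP pins RS256 and the JWKS kid
            raise ValueError(f"unexpected alg {header.get('alg')!r}")
        expected = hmac.new(self.verify_key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("id_token signature invalid")
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("iss") != EXPECTED_ISSUER:
            raise ValueError("issuer mismatch")
        if claims.get("aud") != CLIENT_ID:
            raise ValueError("token audience is not this application")
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            raise ValueError("id_token expired")
        return claims


def state_and_nonce_from(authorize_url: str) -> Tuple[str, str]:
    """Pull state and nonce back out of a generated authorize URL (for tests and logging)."""
    query = parse_qs(urlparse(authorize_url).query)
    return query["state"][0], query["nonce"][0]


def accept_callback(rp: RelyingParty, form: dict, now: Optional[float] = None):
    """Shape a web handler would branch on: (True, claims) or (False, reason)."""
    try:
        return True, rp.finish_login(form, now)
    except ValueError as exc:
        return False, str(exc)
```

The state lookup is single-use and time-limited, so a captured callback cannot be replayed into a second session, and the nonce comparison ties the id_token to the exact redirect this browser started, which is the property that defeats injecting a token obtained elsewhere. In production the signature check is done against the tenant's published JWKS keys for alg RS256; the HMAC stand-in above exists only so the example runs without network access.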
ILGUIZ LATYPOV Jun 10, 2019 11:03PM UTC
Having a small headless browser in BURP could probably catch redirects to login.microsoftonline.com, select the predefined user account (by its email address), enter predefined user credentials and follow back-and-forth with the enterprise's SSO server and Microsoft and back to the application. Whew.

Liam Tai-Hogan Jun 11, 2019 03:23PM UTC Support Center agent

Thanks for your request Ilguiz. We have this support for crawling OAuth or single sign on (SSO) authentication based applications in our development backlog. Unfortunately, we can’t provide an ETA.

