Channel: Microsoft Online: SharePoint Online forum
Authenticate user from external domain A with Office 365 (onmicrosoft.com) domain seamlessly?

OK, here goes.

In a nutshell, I want a single sign on key so that I can forward a user to a Microsoft 365 domain and log them in automatically using a token of some kind. It's a single sign on key - it's not auto discovery or cross-domain policy configurations. It's a simple "Create your Single Sign on key request and pass it into login page" situation.

Environment
----------------------

> Firstly, there is no Active Directory involved here
> We are a medium business. We've signed up to Office 365 for the online service. We only ever access the service via the internet.
> We have a CMS on a completely different cloud-based server. It's Apache and PHP. No ASP, no .NET, no Active Directory.

I have been able to use PHP, cURL and SOAP to connect successfully to Exchange Web Services and SharePoint Online Services using REST. For SharePoint Online I have authenticated using Claims-Based Authentication. This means I have the FedAuth and the rtFa cookies to hand to make requests.

How we integrate:
----------------------------

> Our users log into our CMS.
> We've created an "Office 365" widget. All it does is show them latest files from SkyDrive Pro, Calendar entries for the next week from "Calendar" and the number of new messages in their Inbox. We're not trying to do the job of Office365, we just want to give them a summary of things but direct them to Office365 to do all their main tasks.
> We do this by first asking them to connect to the CMS widget by entering their e-mail and password. We store the FedAuth and rtFa cookies, and renew them when they expire. All fine. This means the user can have a quick glance at their Office 365 account without actually having to go there.

The problem
---------------------------

> All of the authentication methods we use to access data are done from server to server. Our Apache server is talking to Microsoft's servers in the background. It's not the client's machine doing this, it's our server.
> If the user decides that they want to see the rest of their inbox having seen our widget panel, they click on the link we've created called "Outlook". They click it and it goes to http://outlook.office365.com. As you know, if this detects a cookie session it redirects them into Outlook logged in, or it asks them to log in.

How do we forward them to outlook.office365.com so that they are already logged in, given that they've already authenticated their details in the background and we have their username, FedAuth and rtFa cookies that let us do requests on their behalf?

Is there a Web Service function we can call that says "getSingleSignOnToken" or similar?
What I'm looking for is a way for us to get some kind of token that we forward to http://outlook.office365.com that it will recognise, authenticate and then create the cookies needed on the client machine (for that domain) so that it replicates them logging in manually. I've seen this kind of thing happening between your domains but I'm sure there is a whole load of Cross-Domain stuff going on that is allowing it.

My suggestion (if you don't have it already)
---------------------------------------------
I realise security is an issue here, so how about adopting this method?

> We connect to SharePoint Online with Claims Based Authentication

> We request a "one-time" single sign on token for the user we're currently logged in as.

> This token can only be used once and must be used within 5 minutes of requesting it (easy, just store a timestamp in it when you create it). This means we always need to request a token first if we want to forward the user to your site. We can't store that token as it would be pointless. It always has to be fresh.

> We then forward the user to http://outlook.office365.com?token=[big token thing]
> You process it, automatically log them in and hey presto....

I have a feeling you may already have this, but I can't find any answers anywhere that have taken into account the fact that the service is Office 365 online and the user doesn't have Active Directory, C#, .NET, Visual Studio or ASP. This means the user isn't on a local server, logged in already as their 365 account that can be digested etc.

Hope you can help.
Look forward to getting your answer!

Thanks in advance,

Adam
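The one-time handoff token proposed above, as an added example that is not part of the post and is not a Microsoft API: it shows what the issuing side needs in order to make the proposal safe (unguessable token, only a hash kept at rest, 5-minute expiry, consumed on first use). Written in Python rather than the CMS's PHP; the class, function names and user value are constructed for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 300  # the 5-minute window from the proposal
# Host taken from the post; TLS is assumed because the token is a bearer credential.
HANDOFF_BASE = "https://outlook.office365.com/"


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a leaked store yields nothing redeemable.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class HandoffTokenStore:
    """Issues and redeems one-time, short-lived handoff tokens (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._pending = {}           # digest -> (user, issued_at)

    def issue(self, user: str) -> str:
        self.purge_expired()
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe alphabet
        self._pending[_digest(token)] = (user, self._clock())
        return token

    def redeem(self, token: str):
        """Return the bound user on first valid use, else None. The token is consumed either way."""
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        user, issued_at = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            return None
        return user

    def purge_expired(self) -> int:
        now = self._clock()
        stale = [k for k, (_, t) in self._pending.items() if now - t > TOKEN_TTL_SECONDS]
        for k in stale:
            del self._pending[k]
        return len(stale)

    def pending_count(self) -> int:
        return len(self._pending)


def build_handoff_url(token: str) -> str:
    # The forwarding step from the proposal: a freshly issued token in the query string.
    return HANDOFF_BASE + "?" + urlencode({"token": token})
```

Because the token travels in a URL (browser history, referrer headers, proxy logs), the single-use and short-expiry rules are what limit the damage if it is recorded somewhere along the way.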