SharePoint Online Authentication
The following describes the interaction between:
- the client computer (browser)
- Office 365 (SharePoint Online)
- Azure Active Directory (Azure AD)
- on-premises Active Directory Federation Services (AD FS), if the tenant has deployed it
Notes:
- A tenant can have Azure AD authenticate its users directly (managed domains) or federate with on-premises AD FS or another supported identity provider (federated domains). The choice is made per domain, not per tenant.
- SharePoint Online sets two cookies after sign-in. The FedAuth cookie is issued per top-level site (root site, MySite, admin site, and so on). The root Federation Authentication (rtFA) cookie is used across all of SharePoint Online: when a user visits a new top-level site or another company’s page, the rtFA cookie authenticates them silently, with no prompt. When a user signs out of SharePoint Online, all SharePoint Online cookies are deleted.
Authentication Process
- The user makes an anonymous request to a secured SharePoint Online page (a site under sharepoint.com).
- SharePoint Online finds neither a valid FedAuth nor a valid rtFA cookie on the request and redirects the browser to Azure AD (login.microsoftonline.com) to authenticate the user.
- Azure AD prompts for the user name (the email address). Based on the domain part of that address it performs home realm discovery: a managed domain is authenticated by Azure AD itself, a federated domain is handed off to the on-premises AD FS or other identity provider.
- Federated domain: the browser is redirected to AD FS, where the user enters the password. AD FS validates the credentials against on-premises Active Directory and issues a token, which the browser posts back to Azure AD. Azure AD verifies that token against the federation trust configured for that domain.
- Managed domain: the user enters the password at Azure AD, which validates it against the directory.
- In both cases it is Azure AD that issues the token the client will present to SharePoint Online; the AD FS token is never presented to SharePoint Online directly. Azure AD returns its token to the browser and redirects the browser back to SharePoint Online.
- SharePoint Online validates the Azure AD token (the signature must come from Azure AD; an assertion signed by anyone else, including AD FS, is rejected).
- SharePoint Online then sets the FedAuth cookie for that top-level site and the rtFA cookie for all of SharePoint Online in the browser.
- Subsequent requests carry these cookies, so the user is not prompted again until the cookies expire or the user signs out.
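To make the trust chain concrete, here is an added example (not Microsoft code and not taken from the article linked below) that models the flow above offline in Python: home realm discovery, the AD FS hop for a federated domain, Azure AD as the only issuer SharePoint Online trusts, the per-host FedAuth cookie and the SharePoint-wide rtFA cookie, and sign-out. All keys, user names, domains and the token format are constructed stand-ins: real tokens are signed SAML/WS-Federation assertions, whereas here a token is a JSON body with an HMAC-SHA256 tag, which is enough to show who can mint what.

```python
"""Offline model of the SharePoint Online sign-in flow (added example).

Constructed simplification: keys are shared secrets and tokens are
JSON + HMAC tags instead of certificate-signed SAML/WS-Fed assertions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed signing keys; in practice each party holds a signing certificate
# and a relying party trusts only the matching public key.
ADFS_KEY = b"adfs-signing-key-constructed"
AAD_KEY = b"aad-signing-key-constructed"
SPO_KEY = b"sharepoint-cookie-key-constructed"

# Constructed tenant setup: one federated domain, one managed domain.
FEDERATED_DOMAINS = {"contoso.com"}
ADFS_USERS = {"alice@contoso.com": "Sup3rSecret"}   # checked by AD FS
MANAGED_USERS = {"bob@fabrikam.com": "Passw0rd!"}   # checked by Azure AD


def sign(key, claims):
    """Stand-in for a signed assertion: JSON body plus HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify(key, token):
    """Return the claims, or raise if the token was not signed with `key`."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token not signed by the trusted issuer")
    return json.loads(body)


def adfs_authenticate(upn, password):
    """On-premises AD FS: validate against AD, issue an AD FS token."""
    if ADFS_USERS.get(upn) != password:
        raise PermissionError("AD FS rejected the credentials")
    return sign(ADFS_KEY, {"upn": upn, "iss": "adfs.contoso.com"})


def azure_ad_authenticate(upn, password):
    """Home realm discovery on the domain, then issue an Azure AD token.

    For a federated domain the password never reaches Azure AD; Azure AD
    only checks the AD FS token against the federation trust.
    """
    domain = upn.split("@", 1)[1]
    if domain in FEDERATED_DOMAINS:
        adfs_token = adfs_authenticate(upn, password)   # browser redirected to AD FS
        claims = verify(ADFS_KEY, adfs_token)            # posted back to Azure AD
        if claims["upn"] != upn:
            raise PermissionError("AD FS token does not match the user")
    elif MANAGED_USERS.get(upn) != password:
        raise PermissionError("Azure AD rejected the credentials")
    return sign(AAD_KEY, {"upn": upn, "iss": "login.microsoftonline.com"})


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)   # (cookie domain, name) -> value


def sharepoint_request(browser, host, aad_token=None):
    """SharePoint Online: cookie first, then Azure AD token, else redirect."""
    if (host, "FedAuth") in browser.cookies:
        return "200 OK"
    rtfa = browser.cookies.get((".sharepoint.com", "rtFA"))
    if rtfa is not None:
        upn = verify(SPO_KEY, rtfa)["upn"]               # silent, no prompt
        browser.cookies[(host, "FedAuth")] = sign(SPO_KEY, {"upn": upn, "host": host})
        return "200 OK"
    if aad_token is None:
        return "302 https://login.microsoftonline.com/"
    claims = verify(AAD_KEY, aad_token)                  # only Azure AD's key is trusted
    browser.cookies[(host, "FedAuth")] = sign(SPO_KEY, {"upn": claims["upn"], "host": host})
    browser.cookies[(".sharepoint.com", "rtFA")] = sign(SPO_KEY, {"upn": claims["upn"]})
    return "200 OK"


def sign_out(browser):
    """Sign-out removes every SharePoint Online cookie, FedAuth and rtFA alike."""
    for key in [k for k in browser.cookies if k[0].endswith("sharepoint.com")]:
        del browser.cookies[key]


def sign_in(browser, host, upn, password):
    """Drive the full flow: anonymous request, Azure AD, back to SharePoint."""
    first = sharepoint_request(browser, host)
    if not first.startswith("302"):
        return first
    return sharepoint_request(browser, host, azure_ad_authenticate(upn, password))
```

The point worth checking with the model is the last step of the list: an AD FS token handed straight to `sharepoint_request` is rejected, because SharePoint Online trusts only Azure AD as issuer, while a browser holding a valid rtFA cookie reaches a second top-level site without any redirect at all.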
For more information visit https://support.office.com/en-us/article/SharePoint-Online-authentication-77965e8d-48ad-47bd-a656-57f17d6d1cc7?ui=en-US&rs=en-US&ad=US