SharePoint Online Authentication



The following describes the authentication interaction between:

  1. Client Computer
  2. Office 365
  3. Azure Active Directory (Azure AD)
  4. On premise Active Directory Federation Service (AD FS) (if available)

Notes:

  1. The customer can use on-premises AD FS, another identity provider, or Azure AD itself.
  2. The root Federation Authentication (rtFA) cookie is used across all of SharePoint Online. When a user visits a new top level site or another company’s page, the rtFA cookie is used to authenticate them silently without a prompt. When a user signs out of SharePoint Online, all SharePoint Online cookies are deleted.

Authentication Process

  1. The user makes an anonymous request to a secured Office 365 SharePoint web page (sharepoint.com).
  2. SharePoint redirects the request to the default identity provider, Azure AD, to authenticate the user.
  3. Azure AD prompts the user for credentials, i.e. email address and password.
  4. Based on the email address, Azure AD decides which identity provider to use: itself or on-premises AD FS.
  5. The user enters the credentials, and the client computer sends them to AD FS.
  6. The on-premises AD FS or Azure AD validates the credentials.
  7. If on-premises AD FS is the provider, it returns an auth token to Azure AD after validating the user.
  8. If Azure AD is the provider, it generates the auth token itself.
  9. In both cases, Azure AD generates an auth token, stores it on the client computer and redirects the user back to SharePoint Online.
  10. The Office 365 SharePoint server validates this auth token with Azure AD.
  11. SharePoint then issues the root Federation Authentication (rtFA) cookie and the FedAuth cookie to the client computer.
  12. The client computer uses the rtFA cookie for subsequent requests.
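
The twelve steps above, modelled as a small Python simulation. This is an added example, not Microsoft code and not the real protocol: the HMAC-signed JSON tokens stand in for the SAML/WS-Federation tokens AD FS and Azure AD actually exchange, the class names (AdfsServer, AzureAD, SharePointOnline), the federated-domain table and the user accounts are all constructed for illustration, and only the cookie names rtFA and FedAuth come from the text. What it shows is the part of the flow worth checking from a defender's seat: home realm discovery picks the identity provider from the email address (step 4), Azure AD accepts an AD FS token only if it verifies (step 7), SharePoint issues cookies only after Azure AD validates the token (steps 10-11), the rtFA cookie alone serves later requests (step 12), and sign-out removes every cookie (note 2).

```python
"""Constructed simulation of the SharePoint Online sign-in flow (example code)."""
import hashlib
import hmac
import json
import secrets

# Constructed signing keys standing in for the certificates each issuer holds.
ADFS_KEY = b"constructed-adfs-signing-key"
AAD_KEY = b"constructed-aad-signing-key"

# Home realm discovery table (assumption): domains federated to on-prem AD FS.
FEDERATED_DOMAINS = {"contoso.com"}

# Constructed credential stores for each identity provider.
ADFS_USERS = {"alice@contoso.com": "alice-pw"}
AAD_USERS = {"bob@fabrikam.onmicrosoft.com": "bob-pw"}


def _sign(claims, key):
    """Serialise claims and append an HMAC, a stand-in for a token signature."""
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def _verify(token, key):
    """Return the claims if the token was signed with `key`, else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(body)


class AdfsServer:
    """On-premises AD FS (steps 6-7): validates credentials, issues a token to Azure AD."""

    def authenticate(self, email, password):
        if ADFS_USERS.get(email) != password:
            return None
        return _sign({"sub": email, "iss": "adfs"}, ADFS_KEY)


class AzureAD:
    """Azure AD (steps 3-4, 6-10): home realm discovery, token issuance and validation."""

    def __init__(self, adfs):
        self.adfs = adfs

    def identity_provider_for(self, email):
        """Step 4: choose the provider from the email domain."""
        return "adfs" if email.rpartition("@")[2] in FEDERATED_DOMAINS else "aad"

    def authenticate(self, email, password):
        """Steps 6-9: validate (directly or via AD FS) and issue the Azure AD token."""
        if self.identity_provider_for(email) == "adfs":
            adfs_token = self.adfs.authenticate(email, password)
            claims = _verify(adfs_token, ADFS_KEY) if adfs_token else None
            if claims is None:
                return None          # AD FS rejected the user or the token did not verify
            subject = claims["sub"]
        else:
            if AAD_USERS.get(email) != password:
                return None
            subject = email
        return _sign({"sub": subject, "iss": "aad"}, AAD_KEY)

    def validate(self, token):
        """Step 10: SharePoint asks Azure AD whether the token is genuine."""
        claims = _verify(token, AAD_KEY)
        return claims["sub"] if claims and claims.get("iss") == "aad" else None


class SharePointOnline:
    """SharePoint Online (steps 1-2, 10-12): redirects, validates, issues cookies."""

    def __init__(self, aad):
        self.aad = aad
        self.sessions = {}       # rtFA cookie value -> signed-in user

    def request(self, cookies):
        """Step 1/12: serve the page if the rtFA cookie is known, else redirect to Azure AD."""
        user = self.sessions.get(cookies.get("rtFA"))
        return ("page", user) if user else ("redirect_to_aad", None)

    def complete_sign_in(self, aad_token):
        """Steps 10-11: validate the token with Azure AD, then issue rtFA and FedAuth."""
        user = self.aad.validate(aad_token)
        if user is None:
            return None
        rtfa = secrets.token_hex(16)
        self.sessions[rtfa] = user
        return {"rtFA": rtfa, "FedAuth": secrets.token_hex(16)}

    def sign_out(self, cookies):
        """Note 2: signing out deletes all SharePoint Online cookies."""
        self.sessions.pop(cookies.get("rtFA"), None)
        cookies.clear()


def sign_in(sp, aad, email, password):
    """Client computer (steps 1, 5, 9, 11): returns the cookie jar, or None on failure."""
    cookies = {}
    if sp.request(cookies)[0] != "redirect_to_aad":
        return cookies
    token = aad.authenticate(email, password)
    issued = sp.complete_sign_in(token) if token else None
    if issued is None:
        return None
    cookies.update(issued)
    return cookies


if __name__ == "__main__":
    sp = SharePointOnline(AzureAD(AdfsServer()))
    jar = sign_in(sp, sp.aad, "alice@contoso.com", "alice-pw")
    print(sp.request(jar))   # federated user served from the rtFA cookie
```

The federated path matters for monitoring: Azure AD trusts whatever AD FS signs, so the signing key of AD FS is as sensitive as Azure AD's own, and a token that fails `_verify` is rejected before any cookie exists.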


For more information, see https://support.office.com/en-us/article/SharePoint-Online-authentication-77965e8d-48ad-47bd-a656-57f17d6d1cc7?ui=en-US&rs=en-US&ad=US