
I am wondering if it is possible to use Microsoft's Graph API in order to create a cookie in IE given the username and password (preferably using C# or VB.NET), so that when the user connects to SharePoint with IE, he/she won't have to log into SharePoint via the login screens.

I'm having difficulty searching for examples because most examples describe how to authenticate a user. I am not looking to authenticate a user, though; I am looking to create and store a cookie to force a user login.

Thank you for any advice.

Mike
  • I want to point out that I don't intend to store passwords in cookies; my goal would be to see if there is a way to create the cookie through a script that will generate the encrypted cookie, based off a username and password. – Mike Aug 09 '17 at 20:29
  • You should never be in the situation where you have the user's AD password available to encrypt. As soon as you ask for someone to provide their password you are compromising that security. This is the purpose of the OAuth process: handling user and app authentication securely. – Marc LaFleur Aug 09 '17 at 20:35

1 Answer

No, and this should never be done. First because cookies are simply not secure. Secondly because you should never be storing any encrypted password anywhere.

I'm really not sure how Graph API fits into the scenario you provided. Microsoft Graph is a REST-based API. It doesn't authenticate users on its own; you pass in a valid access token with each call. How you retrieve that token depends on if you're using delegated or application permission scopes.

From the scenario you described, it sounds like you're looking for SharePoint Single Sign-On (SSO). There are a few ways to do this but generally it is done using ADFS and AADSync. There is a walkthrough for setting this up: Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365. Be forewarned however, this is not a trivial process.

Marc LaFleur
  • Thanks for the advice, and I will look into ADFS, but it does look complex. I know I specified the Graph API, but is there "any" MS API that might do this? It sounds like no, but I want to be sure before I try another method. I am spending a lot of time researching something that may just be impossible. I realize this may sound unsafe, but we have our reasons. – Mike Aug 09 '17 at 20:18
  • No, nothing will support this model. I really cannot emphasize enough that **there is never a good reason for ignoring basic security principles**. Doing anything like this only guarantees that you _will_ be compromised. – Marc LaFleur Aug 09 '17 at 20:30
  • Thank you very much. I'll be sure to communicate this message to the appropriate people on my end. – Mike Aug 09 '17 at 20:42