talking to the active STS in office online

When looking at the output of the MOSDAL support toolkit, and the report on Office 365 SSO in particular, we noted that our own STS’s response was minted intending http://…/extSTS.srf as the audience. Evidently, from the user's record in Office 365 the kit figures out the address of our STS and talks to it, intending that the resulting token be consumed by the extSTS (and be exchanged for an access token) fit for SharePoint Online web services etc. So can we do the same, and do our own WS-Trust handshake with Office Online, initiated by our own thick client application, and indeed then get what we need to consume SharePoint and Exchange services directly?
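The audience observation above can be checked offline against a saved response. This is an added example, not code from the original post or from the MOSDAL toolkit: it reads a WS-Trust response and reports which relying party the token was scoped to. The host name and the sample response are constructed placeholders, and the code only inspects the token (it performs no signature validation).

```python
import xml.etree.ElementTree as ET

# Constructed placeholder; the real extSTS address is elided in the post.
EXPECTED_AUDIENCE = "https://login.example.invalid/extSTS.srf"

# Constructed, trimmed WS-Trust response (RSTR) carrying a SAML 1.1 assertion.
SAMPLE_RSTR = """<t:RequestSecurityTokenResponse
    xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <wsp:AppliesTo><wsa:EndpointReference>
    <wsa:Address>https://login.example.invalid/extSTS.srf</wsa:Address>
  </wsa:EndpointReference></wsp:AppliesTo>
  <t:RequestedSecurityToken><saml:Assertion>
    <saml:Conditions>
      <saml:AudienceRestrictionCondition>
        <saml:Audience>https://login.example.invalid/extSTS.srf</saml:Audience>
      </saml:AudienceRestrictionCondition>
    </saml:Conditions>
  </saml:Assertion></t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def _local(tag):
    """Strip the '{namespace}' prefix so WS-Trust/SAML versions all match."""
    return tag.rsplit("}", 1)[-1]


def token_scope(rstr_xml):
    """Return the AppliesTo addresses and SAML audiences found in an RSTR."""
    # ElementTree is fine for a saved capture; use a hardened parser for untrusted XML.
    root = ET.fromstring(rstr_xml)
    scope = {"applies_to": [], "audiences": []}
    for el in root.iter():
        name = _local(el.tag)
        if name == "AppliesTo":
            scope["applies_to"] += [a.text.strip() for a in el.iter()
                                    if _local(a.tag) == "Address" and a.text]
        elif name == "Audience" and el.text:
            scope["audiences"].append(el.text.strip())
    return scope


def minted_for(rstr_xml, expected):
    """True only if every scope value names exactly the expected relying party."""
    scope = token_scope(rstr_xml)
    return set(scope["applies_to"] + scope["audiences"]) == {expected}
```

The comparison is an exact string match on purpose: a token whose audience differs by host, scheme or path is scoped to a different relying party.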

To see, let's play with

We first see the helper class set up an event handler to be called on each web service call – to get access tokens (if not cached).


And next we see the WS-Trust client call that goes and gets an access token, intended for consumption by SharePoint Online:


If we compare this client with a factory-based client, it's instructive to note the differences:


For context, see

Our first trial fails, but this is worth pursuing:



Some more context (and code) at

About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.