I am working on a Java program to integrate via web services with a Microsoft Dynamics CRM 2013 Online instance. Authentication is federated with a local IDP, not through Windows Live. I am having problems finding documentation on how to complete this. All of the non-.NET environment documentation I have seen does not show how to complete the integration in a federated set-up.
Is it possible to consume Dynamics CRM web services in this authentication configuration from Java? If so, any documentation/code samples are appreciated.
Based on my research, it does not seem possible to integrate with Dynamics web services using a federated (local ADFS) ID. The IDP we are using does not respond to a WS-Trust RequestSecurityToken, so I was unable to retrieve the SAML token. Even if I were able to, this article suggests that it would not be possible to retrieve the Dynamics SAML token:
The issue is that the XML SOAP message that access control service accepts has to be signed and the detail on how to do that is internal to the CRM SDK/Identity Model.
Since you can’t sign the XML message to send to the access control service, integration with CRM 2011 cannot work.
The article goes on to state that the workaround is to have a Microsoft Online ID created. In my case, this is a cloud user within Office 365. Once this user was added to my Dynamics instance, I was able to use the method described in the documentation linked to in the question.
For completeness' sake, below is an example of the SOAP request made to https://login.microsoftonline.com/RST2.srf
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:{GENERATE-GUID-HERE}</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://login.microsoftonline.com/RST2.srf</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>{UTC-TIMESTAMP}</u:Created>
        <u:Expires>{UTC-TIMESTAMP}</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-14bed392-2320-44ae-859d-fa4ec83df57a-1">
        <o:Username>{CLOUD-USERNAME}</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{CLOUD-PASSWORD}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>urn:crmna:dynamics.com</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
Replace the following fields:
The response will contain a KeyIdentifier and two CipherValue elements. Use these to construct the SOAP header for requests to the CRM. Full code can be found in the link referenced in the question.
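As an added example that is not part of the answer (written in Python rather than the question's Java, since the XML handling is the same with any namespace-aware DOM parser), the following pulls the KeyIdentifier and the two CipherValue elements out of the RequestSecurityTokenResponse returned by RST2.srf, and treats a SOAP fault such as a failed authentication as an error instead of an empty token. The two sample responses are constructed; their element layout follows the RST2.srf response, but every value is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

def fault_reason(xml):
    """Return the text of a SOAP 1.2 fault, or None if the envelope is not a fault."""
    root = ET.fromstring(xml) if isinstance(xml, str) else xml
    fault = root.find(".//s:Fault", NS)
    if fault is None:
        return None
    return " ".join(t.strip() for t in fault.itertext() if t.strip())

def parse_rstr(xml_text):
    """Return (key_identifier, [wrapped_key, encrypted_assertion]) from an RSTR.
    A fault (e.g. wrong cloud credentials) or a response without the expected
    parts raises ValueError instead of yielding empty strings."""
    root = ET.fromstring(xml_text)
    reason = fault_reason(root)
    if reason is not None:
        raise ValueError("STS returned a SOAP fault: " + reason)
    enc = root.find(".//xenc:EncryptedData", NS)  # the encrypted SAML assertion
    if enc is None:
        raise ValueError("no EncryptedData in RSTR")
    key_ids = [k.text.strip() for k in enc.findall(".//o:KeyIdentifier", NS) if k.text]
    ciphers = [c.text.strip() for c in enc.findall(".//xenc:CipherValue", NS) if c.text]
    if len(key_ids) != 1 or len(ciphers) != 2:
        raise ValueError(f"expected 1 KeyIdentifier and 2 CipherValues, got {len(key_ids)}/{len(ciphers)}")
    # Document order: the RSA-wrapped session key inside EncryptedKey first, then the
    # assertion encrypted under it; both are opaque blobs copied into the CRM header.
    return key_ids[0], ciphers

# Constructed samples (not real responses): layout as returned by RST2.srf, placeholder values.
SAMPLE_RSTR = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><t:RequestedSecurityToken>
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">KEYID-PLACEHOLDER=</o:KeyIdentifier>
</o:SecurityTokenReference></KeyInfo><CipherData><CipherValue>WRAPPED-KEY-PLACEHOLDER=</CipherValue></CipherData></EncryptedKey></KeyInfo>
<CipherData><CipherValue>ASSERTION-PLACEHOLDER=</CipherValue></CipherData>
</EncryptedData></t:RequestedSecurityToken></t:RequestSecurityTokenResponse></s:Body></s:Envelope>"""

SAMPLE_FAULT = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault>
<s:Code><s:Value>s:Sender</s:Value><s:Subcode><s:Value xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">o:FailedAuthentication</s:Value></s:Subcode></s:Code>
<s:Reason><s:Text xml:lang="en-US">Authentication Failure</s:Text></s:Reason></s:Fault></s:Body></s:Envelope>"""
```

Only the KeyIdentifier and the two CipherValue strings are needed downstream; the assertion itself stays encrypted to CRM's key, so the client never sees or needs its contents.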