
An error occurred while retrieving token from XML response: AADSTS500069 #272

Closed
nsmcan opened this issue Oct 3, 2020 · 2 comments

Comments

@nsmcan
Contributor

nsmcan commented Oct 3, 2020

When connecting to SharePoint:

from office365.runtime.auth.authentication_context import AuthenticationContext

sp_portal = 'https://myteam.mycompany.com'
username = '[email protected]'
password = '___'
ctx_auth = AuthenticationContext(sp_portal)
ctx_auth.acquire_token_for_user(username, password)

getting error:

An error occurred while retrieving token from XML response: AADSTS500069: The element with ID '' was either unsigned or the signature was invalid.
An error occurred while retrieving auth cookies from https://myteam.mycompany.com/_vti_bin/idcrl.svc/

Analyzing your current code and comparing it with the working PowerShell script found there: Retrieve SPOIDCR cookie for SharePoint Online, I see 2 problems in saml_token_provider.py:

  1. ElementTree fails to parse the Assertion node correctly; as a result, we get the AADSTS500069 error.
    I have found these deficiencies; some of them (or all) cause the error:

    • Correct XML doesn't have namespace prefix for the KeyInfo node and its children:
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
              <X509Certificate>
                  certificate text
              </X509Certificate>
          </X509Data>
      </KeyInfo>
      
    • In the wrong XML, the Boolean attribute value for the insidecorporatenetwork attribute has an unknown namespace tn:
      <saml:Attribute AttributeName="insidecorporatenetwork"
                    AttributeNamespace="http://schemas.microsoft.com/ws/2012/01"
                    ns1:OriginalIssuer="CLIENT CONTEXT">
          <saml:AttributeValue xsi:type="tn:boolean">true</saml:AttributeValue>
      </saml:Attribute>
      

    I tried to use xml.dom.minidom, and that resolved this issue:

    import xml.dom.minidom as minidom

    # response is the requests.Response returned by the STS call
    dom = minidom.parseString(response.content.decode())
    # serialise the Assertion element as it was received, keeping its original prefixes
    assertion_node = dom.getElementsByTagNameNS("urn:oasis:names:tc:SAML:1.0:assertion", 'Assertion')[0].toxml()
    

    It would be harder to apply this solution to your code, because you insert the assertion node as an XML object into a wrapping XML object from RST2.xml. I leave that for your consideration.

  2. In RST2.xml the wsa:EndpointReference Address element is a constant: sharepoint.com
    This is OK when a SharePoint portal has a mycompany.sharepoint.com URL. But it is wrong in my case. When the name of the portal doesn't end with sharepoint.com, we should have the fully qualified domain name of the portal there. For example:

    <wsa:EndpointReference>
           <wsa:Address>myteam.mycompany.com</wsa:Address>
    </wsa:EndpointReference>
    

I have crudely translated and simplified the PowerShell script mentioned above for my proof of concept. It works correctly and gets me a SPOIDCR cookie. You could review it there.
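The two problems described in the report, reproduced side by side on a constructed sample response. This is an added example, not code from the project and not the reporter's proof-of-concept script: it shows what ElementTree does to the Assertion subtree when it re-serialises it (invented ns0/ns1 prefixes, KeyInfo losing its unprefixed form) against what minidom's toxml() preserves, derives the wsa:Address from the portal URL, and splices the assertion into a wrapper as text rather than as a parsed node. SAMPLE_RESPONSE, WRAPPER_TEMPLATE, the placeholder signature and certificate, and the function names are all assumptions made for illustration; the wrapper is a deliberately simplified stand-in for RST2.xml, not the real template.

```python
"""Reproduce the two points from the issue on a constructed SAML response."""
import xml.dom.minidom as minidom
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample of an STS response (assumption). Not a real token: the
# signature value and certificate are placeholders, so nothing here verifies
# cryptographically; only the serialisation behaviour is demonstrated.
SAMPLE_RESPONSE = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:tn="http://www.w3.org/2001/XMLSchema">
  <S:Body>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                    AssertionID="_placeholder-id" MajorVersion="1" MinorVersion="1">
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="insidecorporatenetwork"
                        AttributeNamespace="http://schemas.microsoft.com/ws/2012/01">
          <saml:AttributeValue xsi:type="tn:boolean">true</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignatureValue>PLACEHOLDER</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>PLACEHOLDER</X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
    </saml:Assertion>
  </S:Body>
</S:Envelope>
"""


def extract_assertion_etree(response_xml):
    """The approach the issue reports as broken: ElementTree re-serialises the
    subtree with its own generated prefixes (ns0, ns1, ...) and rewrites the
    default-namespace KeyInfo, so the bytes no longer match what the STS signed."""
    root = ET.fromstring(response_xml)
    node = root.find(f".//{{{SAML_NS}}}Assertion")
    return ET.tostring(node, encoding="unicode")


def extract_assertion_minidom(response_xml):
    """The reporter's fix: minidom writes the element back with the prefixes and
    attributes it was parsed with, so KeyInfo stays unprefixed and
    xsi:type="tn:boolean" is left untouched."""
    dom = minidom.parseString(response_xml)
    node = dom.getElementsByTagNameNS(SAML_NS, "Assertion")[0]
    return node.toxml()


def endpoint_address(site_url):
    """Second point of the issue: keep the sharepoint.com constant for
    *.sharepoint.com tenants, otherwise use the portal's fully qualified name."""
    host = urlparse(site_url).hostname
    if host is None:
        raise ValueError(f"no host in {site_url!r}")
    if host == "sharepoint.com" or host.endswith(".sharepoint.com"):
        return "sharepoint.com"
    return host


# Constructed, simplified stand-in for the project's RST2.xml (assumption).
# It must declare every prefix the spliced assertion uses (xsi here): minidom
# only re-emits declarations sitting on the Assertion element itself, not those
# it inherited from S:Envelope, so an undeclared prefix would make the request
# malformed.
WRAPPER_TEMPLATE = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsa="http://www.w3.org/2005/08/addressing"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:tn="http://www.w3.org/2001/XMLSchema">
  <S:Header>
    <wsse:Security>__ASSERTION__</wsse:Security>
  </S:Header>
  <S:Body>
    <wsa:EndpointReference>
      <wsa:Address>__ADDRESS__</wsa:Address>
    </wsa:EndpointReference>
  </S:Body>
</S:Envelope>
"""


def build_request(response_xml, site_url):
    """Splice the assertion in as text (not as a parsed node) and fill in the
    address, then parse the result once to prove it is well-formed."""
    body = (WRAPPER_TEMPLATE
            .replace("__ASSERTION__", extract_assertion_minidom(response_xml))
            .replace("__ADDRESS__", endpoint_address(site_url)))
    ET.fromstring(body)  # raises ParseError if any prefix was left unbound
    return body


if __name__ == "__main__":
    print(extract_assertion_etree(SAMPLE_RESPONSE))
    print(extract_assertion_minidom(SAMPLE_RESPONSE))
    print(build_request(SAMPLE_RESPONSE, "https://myteam.mycompany.com"))
```

Running the script prints the ElementTree version first, with ns0:Assertion and a prefixed KeyInfo, then the minidom version with saml:Assertion and a bare KeyInfo; the final request carries myteam.mycompany.com in wsa:Address. The check in build_request only proves well-formedness; whether the STS accepts the spliced assertion still depends on the signature covering exactly the bytes minidom emitted.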

@vgrem
Owner

vgrem commented Oct 3, 2020

Much appreciated @nsmcan for your thorough analysis, for pinpointing the possible auth flaws and, last but not least, for providing the working prototype. The next step would be verifying and integrating the changes; will get back to you.

wreiner added a commit to wreiner/Office365-REST-Python-Client that referenced this issue Nov 25, 2020
vgrem added a commit that referenced this issue Nov 25, 2020
Fix sharepoint saml auth issue #272
@vgrem
Owner

vgrem commented Dec 6, 2020

Thank you @nsmcan and @wreiner!
The new version has been released.
