Working with security credentials (RequestDigest, FedAuth, rtFa)

  • 9 February 2017
  • 6 replies

Badge +17

Recently I started playing around with the nintex O365 workflow rest api ( Although not everything is possible (as saving new workflows), because web request action does not support passing of binary strings and cuts off null bits (0x00), so the passed file is found by the API as incorrect BUT first thing I faced during my exercise was: HOW TO OBTAIN FedAuth security cookie?

I read articles, reviewed stackoverflow forums and similar looking for an answer how to achieve it using JavaScript. I was a bit upset with the results but then I found this precious article: Remote authentication in SharePoint Online | … And All That JS and everything went clear on how to obtain the cookie inside Nintex Workflow

The following post is showing how to obtain 3 important security variables, that SharePoint requires from requester to "trust":

  1. fedauth cookie
  2. rtfa cookie
  3. requestdigest token

Security Cookies

First, the cookies. To get them I must simulate authentication process. The authentication sequence, from Nintex Workflow, should be the following:

  1. Create a variable holding SAML Request Security Token message:
    <s:Envelope xmlns:s="" xmlns:a="" xmlns:u="">
        <a:Action s:mustUnderstand="1"></a:Action>
        <a:To s:mustUnderstand="1"></a:To>
        <o:Security s:mustUnderstand="1" xmlns:o="">
        <t:RequestSecurityToken xmlns:t="">
          <wsp:AppliesTo xmlns:wsp="">
              <a:Address>[TENANT ADDRESS]</a:Address>
    Be sure, that you don't have any new lines in the string, when you paste it to the variable.
    Also - replace [login] and [password] with credentials of the user who has enough permissions to execute the method/ operation for which you are obtaining the cookies. For example, if you want them to manipulate data on lists, user has to have permissions for that list.
    If you want to call Nintex REST API then user must be at least Site Collection admin and you MUST provide an account from the *@* domain!

  2. Now we must make a "Web request" POST call to the sending my SAML Security Token Message:

    Store response in a text variable.

  3. Now we must extract the Binary Security Token value. We do it using "Query XML" action, and the following regular expression for extraction:
    (?<=(<wsse:BinarySecurityToken Id=""Compact0"">))t=(.+)(?=(&amp;p=))‍‍‍‍‍‍‍‍

    Store extracted data in a "collection" variable.

  4. As there is only one element in the collection I then use "Join Items in Collection" action to flatten it so that I have a plain text BinarySecurityToken string.

  5. Next we must send the token to the SharePoint Online tenant, from which we want to obtain security cookies. We must make a POST Web Request to the address: ‍https://[TENANT ADDRESS]/_forms/default.aspx?apr=1&wa=wsignin1.0 puting Binary Security Token in the request's body:

    Store "Response headers" in the "collection" variable.

  6. The "Cookie" response header is the 6th element in the collection. Now we must retrieve this string:

  7. After we do that we must extract FedAuth and rtFa cookies from the string. We must use "Regular Expression" action to extract values. Extracted value must be put in a "collection" variable. Use the following regular expressions for extraction:
    1. FedAuth
    2. rtFa

  8. Now I'm again merging the collections, because there are only one elements in each, so that after "Joining items in collection" I get the plain text cookie value.

And that is simply it! FedAuth and rtFa cookies are yours. They look like this (Base64 encoded string):



Form Request Digest token

Caroline Jung‌ had already made an article about that (How to execute a SP2013 REST API request with Nintex Workflow ) however when it is valid for the current tenant. When trying to get the token from a different tenant security cookies must be included. The process in that case is the following:

  1. POST "Web request" to the "ContextInfo" of the site for which you want the token: https://[TENANT ADDRESS]/_api/contextinfo including the cookie in the header. It has to have the following structure:

    Write any string in the "Body" of the request (it is mandatory )

    Store the "response content" in a Text variable.

  2. Then, as Caroline wrote, we the token must be extracted from the received XML. Use this xpath query:

    and store results in a text variable:

Voilla! Now you have also the Form Request Digest token. It should be similar to the: 

0x0E07BB747A8A51DF739E090592B3AADB293A16E73CE9C9D6451B5478B1EEA7514CF7527C890EAB40539C8A49E38C8C92AF73257A3972531E0F566086E12AC01D,09 Feb 2017 08:26:47 -0000

Where can I use them?

Well, especially security tokens can be used when trying to manipulate external tenant's data from your tenant Nintex Workflow (and for some reason not doing this by "Office 365" set of actions). Or to call methods from Nintex O365 Workflow REST API from within your workflow. Just remember, you always have to combine FedAuth with rtFa as the "Cookie" header value


I hope you can make use of this knowledge!

Best regards,


6 replies

Badge +17

You can as well support my Uservoice ideas

Ability to store binary data in variables and pass them in Web Request action – Customer Feedback for Nintex 

Ability to store binary data in workflow variable – Customer Feedback for Nintex 

Wow ! That's a really great post ! Very very very useful !!

Hi Tomasz, 

On the step 6, The "Cookie" response header is the 6th element in the collection, I'm not getting the cookies, I'm getting other values. I reviewed some other properties by index and I'm not able to find the Cookies.

Any change on that post?


Badge +17

When you simulate the flow with the Postman for example - what is the response body?

Hi, Kinda weird,

With PostMan:

POST to:

with Headers Content-Type application/x-www-form-urlencoded

and body with the Token i got on the first call.

Response on body is the start page from the site.

Response on Headers: No info about FedAuth or rtFa.

Well finally I found the headers. It is required to haven't modified the start page. If you've done so, you have to make the call to another URL.

On the response finally I got the cookiesHeaders on the 5th position, and then when u "Get Item from Collection" to extract FedAuth and rtFa you need to set the action as follows: