Hey Fredrik,

Please see error below.

Also, could you please advise proper way for implementing consumption of search api.

<html>
   <head>
      <title>Working...</title>
   </head>
   <body>
      <form method="POST" name="hiddenform" action="qa-sdl-reach-delivery.bentley.com/.../">
         <input type="hidden" name="wa" value="wsignin1.0" /><input type="hidden" name="wresult" value="&lt;trust:RequestSecurityTokenResponseCollection xmlns:trust=&quot;docs.oasis-open.org/.../200512&quot;>&lt;trust:RequestSecurityTokenResponse>&lt;trust:Lifetime>&lt;wsu:Created xmlns:wsu=&quot;docs.oasis-open.org/.../wsu:Created>&lt;wsu:Expires xmlns:wsu=&quot;docs.oasis-open.org/.../trust:Lifetime>&lt;wsp:AppliesTo xmlns:wsp=&quot;schemas.xmlsoap.org/.../policy&quot;>&lt;EndpointReference xmlns=&quot;www.w3.org/.../wsp:AppliesTo>&lt;trust:RequestedSecurityToken>&lt;saml:Assertion MajorVersion=&quot;1&quot; MinorVersion=&quot;1&quot; AssertionID=&quot;_e9bfebe1-05d5-427a-a889-1516706251f2&quot; Issuer=&quot;qa-ims.bentley.com/&quot; IssueInstant=&quot;2016-09-01T14:11:25.303Z&quot; xmlns:saml=&quot;urn:oasis:names:tc:SAML:1.0:assertion&quot;>&lt;saml:Conditions NotBefore=&quot;2016-09-01T14:11:25.272Z&quot; NotOnOrAfter=&quot;2016-09-01T15:11:25.272Z&quot;>&lt;saml:AudienceRestrictionCondition>&lt;saml:Audience>qa-sdl-reach-delivery.bentley.com/.../saml:Subject>&lt;saml:Attribute AttributeName=&quot;name&quot; AttributeNamespace=&quot;schemas.xmlsoap.org/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;givenname&quot; AttributeNamespace=&quot;schemas.xmlsoap.org/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;surname&quot; AttributeNamespace=&quot;schemas.xmlsoap.org/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;emailaddress&quot; AttributeNamespace=&quot;schemas.xmlsoap.org/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;role&quot; AttributeNamespace=&quot;schemas.microsoft.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;sapbupa&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;site&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;ultimatesite&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;sapentitlement&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;entitlement&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;countryiso&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;languageiso&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;ismarketingprospect&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;isbentleyemployee&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;becommunitiesusername&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;becommunitiesemailaddress&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;userid&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;organization&quot; AttributeNamespace=&quot;schemas.bentley.com/.../claims&quot;>&lt;saml:AttributeValue>Bentley Systems Inc&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute AttributeName=&quot;has_select&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;organizationid&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;organizationname&quot; AttributeNamespace=&quot;schemas.bentley.com/.../claims&quot;>&lt;saml:AttributeValue>Bentley Systems Inc&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute AttributeName=&quot;ultimateid&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;ultimatename&quot; AttributeNamespace=&quot;schemas.bentley.com/.../claims&quot;>&lt;saml:AttributeValue>Bentley Systems Inc&lt;/saml:AttributeValue>&lt;/saml:Attribute>&lt;saml:Attribute AttributeName=&quot;ultimatereferenceid&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:Attribute>&lt;saml:Attribute AttributeName=&quot;usagecountryiso&quot; AttributeNamespace=&quot;schemas.bentley.com/.../saml:AttributeStatement>&lt;ds:Signature xmlns:ds=&quot;www.w3.org/.../xmldsig Algorithm=&quot;www.w3.org/.../xml-exc-c14n />&lt;ds:SignatureMethod Algorithm=&quot;www.w3.org/.../xmldsig-more />&lt;ds:Reference URI=&quot;#_e9bfebe1-05d5-427a-a889-1516706251f2&quot;>&lt;ds:Transforms>&lt;ds:Transform Algorithm=&quot;www.w3.org/.../xmldsig />&lt;ds:Transform Algorithm=&quot;www.w3.org/.../xml-exc-c14n />&lt;/ds:Transforms>&lt;ds:DigestMethod Algorithm=&quot;www.w3.org/.../xmlenc />&lt;ds:DigestValue>R82IgxNngUGLYlsGRy0w1dvMI7fH/LBL9XXdR5lqPCY=&lt;/ds:DigestValue>&lt;/ds:Reference>&lt;/ds:SignedInfo>&lt;ds:SignatureValue>HJfmY/Jmiytk7/lCklmn3gMwJcNCy6j+iNrqO1sPebjpUZynHcNR/ptw8m83nnwkAJgvcJ6yzVTOUevNDFrejD5TcX6riylwAibEVBbsTH//XBR6IYFCr6wHlIXQuk3sHskxH8CB8yUsjvuXSfVt+psCv904/NnBh+nKvg+BKdk=&lt;/ds:SignatureValue>&lt;KeyInfo xmlns=&quot;www.w3.org/.../xmldsigL5y19xiBvByHX3NRAgSE3++A2rdNsJcW6ZyEd9EmAz4/zIk1dt6XibcxmsXbowEcD+8=&lt;/X509Certificate>&lt;/X509Data>&lt;/KeyInfo>&lt;/ds:Signature>&lt;/saml:Assertion>&lt;/trust:RequestedSecurityToken>&lt;trust:RequestedAttachedReference>&lt;o:SecurityTokenReference k:TokenType=&quot;docs.oasis-open.org/.../oasis-wss-saml-token-profile-1.1 xmlns:k=&quot;docs.oasis-open.org/.../oasis-wss-wssecurity-secext-1.1.xsd&quot; xmlns:o=&quot;docs.oasis-open.org/.../oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;>&lt;o:KeyIdentifier ValueType=&quot;docs.oasis-open.org/.../oasis-wss-saml-token-profile-1.0 k:TokenType=&quot;docs.oasis-open.org/.../oasis-wss-saml-token-profile-1.1 xmlns:k=&quot;docs.oasis-open.org/.../oasis-wss-wssecurity-secext-1.1.xsd&quot; xmlns:o=&quot;docs.oasis-open.org/.../oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;>&lt;o:KeyIdentifier ValueType=&quot;docs.oasis-open.org/.../oasis-wss-saml-token-profile-1.0 />
         <noscript>
            <p>Script is disabled. Click Submit to continue.</p>
            <input type="submit" value="Submit" />
         </noscript>
      </form>
      <script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
   </body>
</html>

Hi Puneet,

That means that you need indeed C#. I had almost something for PowerShell but I'll explain what you need to do to authenticate yourself to the API. That means capturing a set of cookies (JSESSIONID) that grants you access to the api.

The following is assuming your target Reach is deployed and configured for Review and Collaboration and that means it is using the same STS as Content Manager. As I don't know your STS I'll be generic

You have a couple of options:

• From the C# play browser and where necessary fill in the credentials if necessary. You can use WebClient class or more low level classes such as HttpClient or WebRequest. An excellent guide is looking at Fiddler while you do the same from your browser
• From the C# launch a browser, let it authenticate and somehow capture the cookies after it gets authenticated to Reach
• From the C# get a token using WCF and WSTrust from the configured STS and then submit the token to Reach and capture the cookies. Again Fiddler is an excellent guide. If you chose this path then let me share a small but important detail. Before you issue the token, you need make a request to Reach and capture an initial JSESSIONID cookie. Then when submitting the token you need to pass this original JSESSIONID and then capture the replacement. This is all in Fiddler captures but its a small detail and you need to be aware to notice.

The code for each case is not easy and it is beyond the scope of this thread. Please take notice that working with the protocols for federated authentication is an advanced subject. But as reference WS-Federation and WS-Trust are in play.

An alternative that is to discuss with the owner of the Reach deployment to open up a potential alternative root for your application and only your application. This is a security violation and therefore not my preference and certainly not the path I would chose.

Good luck and let me know if I can help further within the scope of this thread.

Hi Puneet,

That means that you need indeed C#. I had almost something for PowerShell but I'll explain what you need to do to authenticate yourself to the API. That means capturing a set of cookies (JSESSIONID) that grants you access to the api.

The following is assuming your target Reach is deployed and configured for Review and Collaboration and that means it is using the same STS as Content Manager. As I don't know your STS I'll be generic

You have a couple of options:

• From the C# play browser and where necessary fill in the credentials if necessary. You can use WebClient class or more low level classes such as HttpClient or WebRequest. An excellent guide is looking at Fiddler while you do the same from your browser
• From the C# launch a browser, let it authenticate and somehow capture the cookies after it gets authenticated to Reach
• From the C# get a token using WCF and WSTrust from the configured STS and then submit the token to Reach and capture the cookies. Again Fiddler is an excellent guide. If you chose this path then let me share a small but important detail. Before you issue the token, you need make a request to Reach and capture an initial JSESSIONID cookie. Then when submitting the token you need to pass this original JSESSIONID and then capture the replacement. This is all in Fiddler captures but its a small detail and you need to be aware to notice.

The code for each case is not easy and it is beyond the scope of this thread. Please take notice that working with the protocols for federated authentication is an advanced subject. But as reference WS-Federation and WS-Trust are in play.

An alternative that is to discuss with the owner of the Reach deployment to open up a potential alternative root for your application and only your application. This is a security violation and therefore not my preference and certainly not the path I would chose.

Good luck and let me know if I can help further within the scope of this thread.

Hi Puneet,
As I already mentioned, providing the solution is beyond the scope of this thread. From my explanation it should be already clear that this is not simple and therefore it cannot be provided as part of some snippets. In other words, it simply doesn't fit plus I don't a have a clean code base to share.

My advice is to look online for what I mentioned. Search for the terms provided but keep in mind that you need relatively good understanding of SOAP and WCF. I'm a person that likes to see what is going on on the network layer and if you share my preference, then while using Publication Manager, capture a session with Fiddler and analyze it.

I've also shared a PowerShell module WcfPS  that addresses only part of what you need. It can issue bearer tokens for web sites but the rest becomes your responsibility.

Good luck
Alex