For anyone with trouble (its really tough), here is some clarrification
The 4 steps are
1)get the assertion from your SAML IDP
2)trade the assertion for a STS token
3)trade the STS token for cookies
4)use the cookies to do your rest call
For step 1, I have ping federate. Use this in postman to post to your token id processor to get an assertion:
POST https://pingfederate/idp/sts.wst?TokenProcessorId=username
<s:Envelope xmlns:s='http://www.w3.org/2003/05/soap-envelope' xmlns:a='http://www.w3.org/2005/08/addressing' xmlns:u='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<s:Header>
<a:Action s:mustUnderstand='1'>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<o:Security s:mustUnderstand='1' xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
<o:UsernameToken>
<o:Username>yourusername</o:Username>
<o:Password>yourpass</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t='http://schemas.xmlsoap.org/ws/2005/02/trust'>
<wsp:AppliesTo xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'>
<wsa:EndpointReference xmlns:wsa='http://www.w3.org/2005/08/addressing'>
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
It will generate an envelope with the assertion in it. Make sure to copy it in raw format (not pretty xml). Everything from the <saml:Assertion to /saml:Assertion>
For step 2, when you POST to https://login.microsoftonline.com/extSTS.srf, make sure the assertion is pasted in raw format (not pretty XML).
Use:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml:Assertion AssertionID="hp4CtHjK_lL" Issue Instant...................../ds:Signature></saml:Assertion>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<a:EndpointReference>
<a:Address>https://myshare.sharepoint.com/sites/mysite</a:Address>
</a:EndpointReference>
</wsp:AppliesTo>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
For step 3, POST to https://myshare.sharepoint.com/_forms/default.aspx?wa=wsignin1.0 and make sure you have the User-Agent be a regular user agent like Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0).
In the body of the post, its going to be everything in the <BinarySecurityToken that was generated by step 2, so something like t=EwDgAk6hBwAUu3.........................
Thats the entire body, nothing else. It will generate some cookies. One is for myshare.sharepoint.com called FedAuth, and another is sharepoint.com rtFa
Step 4, Once you get the cookies, you can GET your sharepoint list
https://myshare.sharepoint.com/sites/mysite/_api/Web/Lists/GetByTitle('Updating%20List%E2%80%8B')/items