How to use ADFS with SharePoint hosted apps in Sharepoint 2013

How to use ADFS with SharePoint hosted apps in Sharepoint 2013

  • Comments 3

This blog will provide some handy information for Setting up Hosted Apps in SHAREPOINT 2013 with ADFS 2.0

As stated in http://technet.microsoft.com/en-us/library/jj219806.aspx, SharePoint 2013 SharePoint hosted apps support SAML authentication.

Each SharePoint hosted apps has a unique DNS domain, so each also have a unique return URL (when user comes back from STS) that is typically https://spapp-UNIQUEID.appsContoso.local/_trust

To be able to use ADFS 2 with SharePoint hosted apps, the following must be done:

- In SharePoint: Create a unique realm per SharePoint hosted app
- In ADFS: Create a relying party per SharePoint hosted app


Create a unique realm per SharePoint hosted app in SharePoint:


$t=Get-SPTrustedIdentityTokenIssuer "TRUSTNAME"
$uri=new-object System.Uri("https://spapp-UNIQUEID.appsContoso.local")
$t.ProviderRealms.Add($uri, "https://spapp-UNIQUEID.appsContoso.local")
$t.Update()

Create a unique relying party in ADFS:


The relying party should be created with following settings:
WS Federation Passive Endpoint: POST to https://spapp-UNIQUEID.appsContoso.local/_trust
Identifier: https://spapp-UNIQUEID.appsContoso.local

Issue the same claims as the SharePoint web application hosting the app.
The drawback of this method is that each time an app is installed, a realm must be created in SharePoint and a relying party must be created in ADFS.

 

Additional  Information

It is possible to configure SharePoint to specify the return URL in a query string called wreply. It is added to the URL that redirects user to the STS. This behavior is enabled with following PowerShell commands:
----------------------------------------------------------
$t=Set-SPTrustedIdentityTokenIssuer "TRUSTNAME"
$t.UseWReplyParameter=$true
$t.Update()
----------------------------------------------------------
But ADFS 2 does not honor the reply parameter so this setting does not help in this scenario.

 

POST BY: Yvan Duhamel [MSFT]

Leave a Comment
  • Please add 8 and 4 and type the answer here:
  • Post
  • I can't say this is valid solution. Each app URLs are different and its nearly impossible to generate that many realms. Might be good in one off scenario as you suggested. We need better solution from Microsoft.

  • Not a very convenient solution, but it is a solution at least.

    Are there any improvements of this in AD FS 3.0? (WIN2012R2)

  • Nik and Barry, In ADFS 3.0 we can use a wildcard endpoint, Please check this out:

    www.wictorwilen.se/sharepoint-2013-with-saml-claims-and-sharepoint-hosted-apps

Page 1 of 1 (3 items)