Automatic Login to SharePoint 2010 with AD FS 2.0 & WS-Federation
Introduction
Consider the situation where you have a SharePoint 2010 site secured by AD FS 2.0 and you have a partner that accesses this application that also uses AD FS 2.0.
Partner AD FS <----> Your AD FS <-----> SharePoint 2010

The SharePoint sites are configured to use both Windows Authentication and SAML Provider Claims. In a typical scenario, the user in the partner network would do the following:
- Browse to the SharePoint 2010 site
- Be prompted to choose an authentication method (Windows Authentication or Claims)
- Chooses Claims
- Be prompted for the home realm
- Chooses their AD FS server
- Possibly be prompted for Domain Credentials*
- Be redirected and logged in to SharePoint
This has the user prompted 2-3 times in order to log into SharePoint. A better experience would be to have the user click a link and be automatically logged into SharePoint.
* This assumes that AD FS 2.0 is configured for Windows Authentication. See the article "AD FS 2.0: How to Change the Local Authentication Type" linked below to see how you can configure AD FS 2.0 for other types of authentication. Whether the user is prompted for credentials depends on whether the site is determined to be a part of the Internet, Local Intranet, Trusted Sites, or Restricted Sites zone and on the user authentication method selected for that zone. See the Internet Explorer security zones article linked below for more details.
Pre-formatted Link
One way to automate the logon is to use query string parameters to identify where the user is coming from and where the user is going. This method is known as using a pre-formatted link. It should be noted that deep linking into SharePoint does not work with this method. Take the same scenario as above.
Partner AD FS <----> Your AD FS <-----> SharePoint 2010

Your AD FS:    adfs.contoso.com
SharePoint:    sp.contoso.com
Partner AD FS: adfs.adatum.com
Using the whr, wtrealm and wctx query string parameters, we can accomplish an automatic single sign-on.
Sample URL
https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0&whr=http://adfs.adatum.com/adfs/services/trust&
wtrealm=https://sp.contoso.com/&wctx=https://sp.contoso.com/_layouts/Authenticate.aspx
Broken Down
Your AD FS endpoint:          https://adfs.contoso.com/adfs/ls/
Action (sign in):             ?wa=wsignin1.0
Which Home Realm:             &whr=http://adfs.adatum.com/adfs/services/trust
Identifier for Relying Party: &wtrealm=https://sp.contoso.com/
URL to go to:                 &wctx=https://sp.contoso.com/_layouts/Authenticate.aspx
With the targeted URL, this would be the new flow of traffic.
- Browse to the customized URL
- Be redirected to their AD FS server (since whr is specified)
- Possibly be prompted for Domain Credentials*
- Be redirected and logged in to SharePoint (since wtrealm and wctx are specified)
* This assumes that AD FS 2.0 is configured for Windows Authentication. See the article "AD FS 2.0: How to Change the Local Authentication Type" linked below to see how you can configure AD FS 2.0 for other types of authentication. Whether the user is prompted for credentials depends on whether the site is determined to be a part of the Internet, Local Intranet, Trusted Sites, or Restricted Sites zone and on the user authentication method selected for that zone. See the Internet Explorer security zones article linked below for more details.
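The pre-formatted link above is built by hand, which makes it easy to forget percent-encoding or to point wctx at the wrong host. The following Python helper is an added example (not code from the original article or from AD FS) that assembles a wsignin1.0 request from the four parameters, percent-encodes each value, and breaks an existing link back down into the same fields as the table above. The check that wctx is an HTTPS URL on the relying party's own host is an assumption added here as input hygiene, not an AD FS requirement; the endpoint and host names are the article's own sample values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Sample pre-formatted link from the article, used as reference input.
SAMPLE_URL = (
    "https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0"
    "&whr=http://adfs.adatum.com/adfs/services/trust"
    "&wtrealm=https://sp.contoso.com/"
    "&wctx=https://sp.contoso.com/_layouts/Authenticate.aspx"
)


def build_signin_url(adfs_ls_endpoint: str, whr: str, wtrealm: str, wctx: str) -> str:
    """Build a WS-Federation passive sign-in (wsignin1.0) link.

    adfs_ls_endpoint: your AD FS passive endpoint, e.g. https://adfs.contoso.com/adfs/ls/
    whr:              the partner's federation service identifier (home realm)
    wtrealm:          the relying party identifier (the SharePoint web application)
    wctx:             the URL the user should land on after sign-in
    """
    rp = urlsplit(wtrealm)
    target = urlsplit(wctx)
    # Assumed hygiene check (added here): only send the user back to an HTTPS
    # page on the relying party's own host, so a mistyped wctx is caught early.
    if target.scheme != "https" or target.netloc.lower() != rp.netloc.lower():
        raise ValueError("wctx must be an HTTPS URL on the relying-party host")
    # urlencode percent-encodes ':' and '/' in the values, so the parameters
    # survive intact even though the raw values contain URL delimiters.
    params = [
        ("wa", "wsignin1.0"),
        ("whr", whr),
        ("wtrealm", wtrealm),
        ("wctx", wctx),
    ]
    return adfs_ls_endpoint + "?" + urlencode(params)


def break_down(url: str) -> dict:
    """Split a sign-in link into the endpoint plus one entry per query parameter,
    mirroring the 'Broken Down' table in the article. Percent-encoding is undone."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    fields = {"endpoint": f"{parts.scheme}://{parts.netloc}{parts.path}"}
    for key, values in query.items():
        fields[key] = values[0]
    return fields


if __name__ == "__main__":
    link = build_signin_url(
        "https://adfs.contoso.com/adfs/ls/",
        whr="http://adfs.adatum.com/adfs/services/trust",
        wtrealm="https://sp.contoso.com/",
        wctx="https://sp.contoso.com/_layouts/Authenticate.aspx",
    )
    print(link)
    for name, value in break_down(link).items():
        print(f"{name:>10}: {value}")
```

The encoded link decodes to exactly the same fields as the article's unencoded sample, so either form can be handed to the partner; the encoded one is the safer choice when the values are pasted into HTML or an e-mail client that rewrites bare URLs.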
Removing or Separating Windows Authentication
Another solution would be to remove Windows Authentication from SharePoint. Doing so would remove the initial prompt for the chosen authentication type. After that, home realm discovery** can be completed, and the user can bypass being prompted for authentication by having the sites listed in the Local Intranet or Trusted Sites zone.
Alternately, if you extend the web application into a new zone, you can keep the SAML provider on one and set Windows Authentication to the other.
This method would allow deep linking to SharePoint content.
** Typically, home realm discovery only needs to be selected once. A 30-day sliding-window cookie is placed on the client to identify the home realm. Each time the user logs in, the timestamp for the cookie is updated.
Links
WS-Federation: Passive Requestor Profile
http://msdn.microsoft.com/en-us/library/bb608217.aspx
wsignin1.0 Request Message
http://msdn.microsoft.com/en-us/library/cc236491(v=PROT.13).aspx
How to use security zones in Internet Explorer
http://support.microsoft.com/kb/174360
AD FS 2.0: How to Change the Local Authentication Type
http://social.technet.microsoft.com/wiki/contents/articles/1600.aspx