Share via


Configuring SharePoint to use a Specific Identity Provider in ADFS

In my previous posting (https://blogs.technet.com/b/speschka/archive/2010/11/24/configuring-adfs-trusts-for-multiple-identity-providers-with-sharepoint-2010.aspx), I explained how to configure trusts between two different ADFS servers.  One example where this may be necessary is if you have one ADFS server that is a sort of hub for other ADFS servers being used.  If we follow this scenario out, suppose you have multiple web applications in SharePoint, and for each one your users should authenticate against a different Active Directory forest via ADFS.  Well, using the procedures I described in the previous posting, you can create the trusts in ADFS to make that scenario work.  However, the first time your users navigate to the SharePoint site that uses that hub ADFS server, or if they use the In Private features of IE to navigate to the site, they will get an intermediary page from ADFS before they log on.  That intermediary page will list ALL of the claims identity providers and ask the user to select the one against which they wish to authenticate.  Then they are redirected over to the login page for that identity provider (IP). 

In a perfect world though, we don't want users to see that intermediary page - we'd rather redirect them immediately to the correct IP for authentication.  Fortunately ADFS provides support for this through a "whr" query string parameter.  If you add this query string parameter when navigating to ADFS then it will do a look up of the whr parameter to find a matching IP.  If it finds one, then it automatically redirects you to that IP.  In ADFS 1.x that parameter was a URN, like urn:foo:monkey.  In ADFS 2.0 it takes the format of a Uri.  To find the value you should use for the whr query string parameter, open up the AD FS 2.0 Management application.  Expand the Trust Relationships...Claims Provider Trusts node, then double-click on the IP that you want used.  Click on the Identifiers tab and you will see a grayed out edit box called Claims provider identifier:.  The value in there is what should be in your whr query string parameter.  For example, in my environment the IP identifier is https://tgen1.terri.local/adfs/services/trust.  In order to get users of a web application to redirect immediately over to that IP I need to append the following to the normal login query string that SharePoint uses:  &whr=https://tgen1.terri.local/adfs/services/trust  When I do that I no longer see the IP selection page in ADFS, I just go directly to logging in.

Now, getting that query string appended is not simple work, and for now is beyond the scope of what I'll be covering in this post.  However suffice to say that you can do the trick with an HttpModule.

Comments

  • Anonymous
    January 01, 2003
    Hi Speschka Totally great blog you have. One thing I'm missing on the net is an article describing how to setup SharePoint Foundation to use Windows Azure Access Control Services. I found one single article but it doesn't do the job (blogs.pointbridge.com/.../Post.aspx). Have you tried this scenario? /Henrik aka PrinceHamlet

  • Anonymous
    January 01, 2003
    thanks

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    April 04, 2014
    You can't get the Claims provider identifier that way if the trust in question is an Active Directory server. What should the whr parameter contain in that case?

  • Anonymous
    September 18, 2014
    The comment has been removed