SAML Support for SharePoint-Hosted Apps with ADFS 3.0

This is another case where I'm just passing information along here, based on the great work of others. As you probably know, we did not have a good story for SharePoint-hosted apps in web applications that use SAML authentication with ADFS 2.0. However, I have had reports from a couple of different teams now that they ARE working with ADFS 3.0. The main differences that are needed to make this work include:

  • In ADFS you need to define a wildcard WS-Fed endpoint. For example, normally for a SharePoint web application, in ADFS you create a relying party and set the WS-Fed endpoint to be something like https://www.foo.com/_trust/. To do the same thing with apps, you take your apps namespace - assume it's "contosoapps.com" - and add a WS-Fed endpoint like this: https://*.contosoapps.com/_trust/.
  • Configure the SharePoint STS to send the wreply parameter. You can do that with PowerShell that looks like this:

$sts = Get-SPTrustedIdentityTokenIssuer
$sts.UseWReplyParameter = $true
$sts.Update() 

One other thing to note - the behavior to use the wreply parameter is supposed to be turned on by default in an upcoming CU. I heard it was the April 2014 CU actually but have not had a chance to see if that is really in there or not. It won't hurt to run the PowerShell above though.
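
The three-line snippet above works when the farm has exactly one trusted identity token issuer; with several, Get-SPTrustedIdentityTokenIssuer returns a collection and the property assignment fails. The following is an added example, not code from the original post, that reports the current UseWReplyParameter value for every issuer, sets it where it is off, and re-reads the persisted value. The function name and its -ReportOnly switch are hypothetical.

```powershell
# Added example, not from the original post.
# Run in the SharePoint 2013 Management Shell as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-WReplyOnTrustedIssuers {
    param(
        # Hypothetical switch: list current values without changing anything.
        [switch]$ReportOnly
    )

    # @(...) forces an array so the loop behaves the same for one or many issuers.
    foreach ($issuer in @(Get-SPTrustedIdentityTokenIssuer)) {
        $before = $issuer.UseWReplyParameter

        if (-not $ReportOnly -and -not $before) {
            $issuer.UseWReplyParameter = $true
            $issuer.Update()
        }

        # Re-read the issuer by name so the report reflects what was saved.
        $after = (Get-SPTrustedIdentityTokenIssuer -Identity $issuer.Name).UseWReplyParameter

        [pscustomobject]@{
            Issuer  = $issuer.Name
            Before  = $before
            After   = $after
            Changed = ($before -ne $after)
        }
    }
}

# Audit first; this makes no changes to the farm.
Set-WReplyOnTrustedIssuers -ReportOnly | Format-Table -AutoSize

# Then apply and confirm:
# Set-WReplyOnTrustedIssuers | Format-Table -AutoSize
```

Running the report before and after a cumulative update shows whether the update changed the default on your farm.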

This is good news, thanks to those of you who shared your experiences!

Comments

  • Anonymous
    January 01, 2003
    Thanks for sharing, Steve. I confirm Trevor's message; in mine it is also $false
  • Anonymous
    January 01, 2003
    thanks
  • Anonymous
    January 01, 2003
    Looking at my SP1 + Apr 2014 CU farm, UseWReplyParameter is set to false.
  • Anonymous
    June 01, 2014
    New month and a new compilation of interesting links about SharePoint 2013. On this occasion
  • Anonymous
    June 23, 2014
    Intro This blog is broken up into a 3 part series covering the following areas:

    Part 1: Setting
  • Anonymous
    January 29, 2015
    This is great if you're using ADFS as your STS - but what if you're using Azure ACS? We have multiple identity providers that can authenticate with SAML to get into a SP2013 site