Share-n-dipity

SharePoint serendipity is the effect by which one accidentally discovers something fortunate, especially while looking for something else entirely. In this case, it is the occasional musings, observations, and Ouija board readings about the phabulously

Configuring SharePoint to use a Specific Identity Provider in ADFS


In my previous posting (http://blogs.technet.com/b/speschka/archive/2010/11/24/configuring-adfs-trusts-for-multiple-identity-providers-with-sharepoint-2010.aspx), I explained how to configure trusts between two different ADFS servers. One example where this may be necessary is if you have one ADFS server that acts as a sort of hub for the other ADFS servers in use. If we follow this scenario out, suppose you have multiple web applications in SharePoint, and for each one your users should authenticate against a different Active Directory forest via ADFS. Using the procedures I described in the previous posting, you can create the trusts in ADFS to make that scenario work. However, the first time your users navigate to the SharePoint site that uses that hub ADFS server, or if they use the InPrivate feature of IE to navigate to the site, they will get an intermediary page from ADFS before they log on. That intermediary page lists ALL of the claims identity providers and asks the user to select the one against which they wish to authenticate. Then they are redirected over to the login page for that identity provider (IP).

In a perfect world though, we don't want users to see that intermediary page; we'd rather redirect them immediately to the correct IP for authentication. Fortunately ADFS provides support for this through a "whr" query string parameter. If you add this query string parameter when navigating to ADFS, it will look up the whr value to find a matching IP. If it finds one, it automatically redirects you to that IP. In ADFS 1.x that parameter was a URN, like urn:foo:monkey. In ADFS 2.0 it takes the format of a URI.

To find the value you should use for the whr query string parameter, open up the AD FS 2.0 Management application. Expand the Trust Relationships...Claims Provider Trusts node, then double-click on the IP that you want used. Click on the Identifiers tab and you will see a grayed-out edit box called "Claims provider identifier:". The value in there is what should go in your whr query string parameter.

For example, in my environment the IP identifier is http://tgen1.terri.local/adfs/services/trust. In order to get users of a web application to redirect immediately over to that IP, I need to append the following to the normal login query string that SharePoint uses:

&whr=http://tgen1.terri.local/adfs/services/trust

When I do that I no longer see the IP selection page in ADFS; I go directly to logging in.

Now, getting that query string appended is not simple work, and for now it is beyond the scope of what I'll be covering in this post. Suffice it to say that you can do the trick with an HttpModule.
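To make the whr mechanism described above concrete, here is an added example of the kind of HttpModule the last paragraph alludes to. It is illustrative code written for this page, not the author's module and not part of SharePoint or ADFS. It assumes SharePoint's claims sign-in ends in a 302 redirect to the ADFS 2.0 passive endpoint (the standard /adfs/ls/ path), that the module is registered in the web application's web.config, and that the claims provider identifier is stored under a hypothetical appSettings key named AdfsHomeRealm. The identifier value is taken from configuration rather than from anything in the incoming request, so a visitor cannot pick which claims provider the redirect names.

```csharp
using System;
using System.Configuration;
using System.Web;

// Added example: rewrites SharePoint's redirect to the ADFS 2.0 sign-in endpoint
// so that a whr parameter is appended and the claims-provider selection page is
// skipped. Register it under <system.webServer><modules> in the web application's
// web.config (assumed deployment detail, not covered by the original post).
public class WhrRedirectModule : IHttpModule
{
    // Hypothetical appSettings key holding the "Claims provider identifier:" value
    // from the Identifiers tab in AD FS 2.0 Management, e.g.
    // http://tgen1.terri.local/adfs/services/trust
    private const string WhrSettingName = "AdfsHomeRealm";

    public void Init(HttpApplication context)
    {
        // EndRequest fires after the federation module has issued its redirect,
        // so the redirect location is available for inspection here.
        context.EndRequest += OnEndRequest;
    }

    public void Dispose()
    {
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpResponse response = app.Context.Response;

        // Leave every response that is not a redirect untouched.
        if (response.StatusCode != 302 || string.IsNullOrEmpty(response.RedirectLocation))
        {
            return;
        }

        string whr = ConfigurationManager.AppSettings[WhrSettingName];
        if (string.IsNullOrEmpty(whr))
        {
            return;
        }

        response.RedirectLocation = AppendHomeRealm(response.RedirectLocation, whr);
    }

    // Appends whr= only when the redirect targets the ADFS passive endpoint and
    // no whr parameter is already present; any other location is returned as-is.
    internal static string AppendHomeRealm(string location, string whr)
    {
        Uri target;
        if (!Uri.TryCreate(location, UriKind.Absolute, out target))
        {
            return location;
        }

        if (target.AbsolutePath.IndexOf("/adfs/ls", StringComparison.OrdinalIgnoreCase) < 0)
        {
            return location;
        }

        if (target.Query.IndexOf("whr=", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return location;
        }

        // Uri.Query includes the leading '?' when a query string exists.
        string separator = string.IsNullOrEmpty(target.Query) ? "?" : "&";
        return location + separator + "whr=" + HttpUtility.UrlEncode(whr);
    }
}
```

Keeping the value in configuration, one per web application, is what maps each web application to its own IP; the module itself never needs to know which forest is behind the identifier. URL-encoding the identifier matters because the ADFS 2.0 value is itself a URI containing "://" and slashes, and the path check keeps the module from touching SharePoint's own internal redirects (for example between /_login/ and /_trust/) before the request ever leaves for ADFS.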
