This blog post provides some handy information on setting up SharePoint-hosted apps in SharePoint 2013 with ADFS 2.0.
As stated in http://technet.microsoft.com/en-us/library/jj219806.aspx, SharePoint-hosted apps in SharePoint 2013 support SAML authentication.
Each SharePoint-hosted app has a unique DNS domain, so each also has a unique return URL (the URL the user is sent back to from the STS), typically https://spapp-UNIQUEID.appsContoso.local/_trust
To be able to use ADFS 2.0 with SharePoint-hosted apps, the following must be done:
– In SharePoint: Create a unique realm per SharePoint hosted app
– In ADFS: Create a relying party per SharePoint hosted app
Create a unique realm per SharePoint hosted app in SharePoint:
Create a unique relying party in ADFS:
The relying party should be created with the following settings:
WS-Federation Passive Endpoint: POST to https://spapp-UNIQUEID.appsContoso.local/_trust
Issue the same claims as the SharePoint web application that hosts the app.
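As an added example (not the commands from the original post), the SharePoint half of the procedure above in PowerShell: it registers a per-app realm on the trusted identity token issuer and lists the realms so they can be checked against the relying parties defined in ADFS. The issuer name, app URL and realm value are placeholders.

```powershell
# Added example, not from the original post. Assumes the SharePoint 2013 Management Shell,
# an existing trusted identity token issuer (placeholder name "ADFS") and a placeholder
# app domain; replace all three values with your own.
$issuerName = "ADFS"                                      # placeholder: name of the SPTrustedIdentityTokenIssuer
$appUrl     = "https://spapp-UNIQUEID.appsContoso.local"  # placeholder: the app's unique DNS domain
$appRealm   = "urn:sharepoint:spapp-UNIQUEID"             # placeholder: realm for this app; the relying party
                                                          # identifier in ADFS must be this exact string

$ti = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

# ProviderRealms maps a URI to the realm (wtrealm) SharePoint sends to the STS
# when the user is redirected from that URI.
$uri = New-Object System.Uri($appUrl)
if ($ti.ProviderRealms.ContainsKey($uri)) {
    Write-Host "Realm already registered for $appUrl : $($ti.ProviderRealms[$uri])"
} else {
    $ti.ProviderRealms.Add($uri, $appRealm)
    $ti.Update()
    Write-Host "Registered realm $appRealm for $appUrl"
}

# Check: one line per app realm, to compare with the relying party identifiers in ADFS.
$ti.ProviderRealms.GetEnumerator() | ForEach-Object { "{0} -> {1}" -f $_.Key, $_.Value }
```

Each realm listed here needs a matching relying party in ADFS whose identifier is the realm string and whose passive endpoint is the app's /_trust URL; a realm without its relying party fails sign-in for that app only.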
The drawback of this method is that each time an app is installed, a realm must be created in SharePoint and a relying party must be created in ADFS.
It is possible to configure SharePoint to pass the return URL in a query-string parameter called wreply, which is appended to the URL that redirects the user to the STS. This behavior is enabled with the following PowerShell commands:
But ADFS 2.0 does not honor the wreply parameter, so this setting does not help in this scenario.