How to use ADFS with SharePoint hosted apps in SharePoint 2013

This blog post provides some handy information for setting up SharePoint hosted apps in SharePoint 2013 with ADFS 2.0.

As stated in https://technet.microsoft.com/en-us/library/jj219806.aspx, SharePoint 2013 SharePoint hosted apps support SAML authentication.

Each SharePoint hosted app has a unique DNS domain, so each also has a unique return URL (where the user is sent back after authenticating with the STS), typically https://spapp-UNIQUEID.appsContoso.local/_trust

To be able to use ADFS 2.0 with SharePoint hosted apps, the following must be done:

- In SharePoint: Create a unique realm per SharePoint hosted app
- In ADFS: Create a relying party per SharePoint hosted app

Create a unique realm per SharePoint hosted app in SharePoint:

# Get the trusted identity token issuer (the ADFS trust configured in SharePoint)
$t = Get-SPTrustedIdentityTokenIssuer "TRUSTNAME"
# The app's URL becomes the key of the realm mapping...
$uri = New-Object System.Uri("https://spapp-UNIQUEID.appsContoso.local")
# ...and the same value is sent to ADFS as wtrealm, so it must match the relying party identifier
$t.ProviderRealms.Add($uri, "https://spapp-UNIQUEID.appsContoso.local")
$t.Update()

Create a unique relying party in ADFS:

The relying party should be created with the following settings:

- WS-Federation Passive Endpoint: POST to https://spapp-UNIQUEID.appsContoso.local/_trust
- Identifier: https://spapp-UNIQUEID.appsContoso.local

Issue the same claims as the SharePoint web application hosting the app.
The drawback of this method is that each time an app is installed, a realm must be created in SharePoint and a relying party must be created in ADFS.
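Because both steps have to be repeated for every app installation, the following script (an added example, not code from the original post) performs them for one app: run it with -Role SharePoint on a SharePoint server and with -Role Adfs on the ADFS 2.0 server. TRUSTNAME and the host pattern come from the post; the name of the web application's existing relying party ("SharePoint Web Application") is an assumption and must be adjusted.

```powershell
# Added example (not from the original post): register one SharePoint hosted app
# with both the SharePoint trust and ADFS 2.0 in a single parameterised run.
# Assumed (not in the post): the web application's ADFS relying party is named
# "SharePoint Web Application"; app hosts follow spapp-<UNIQUEID>.appsContoso.local.
param(
    [Parameter(Mandatory = $true)] [string] $AppUniqueId,
    [Parameter(Mandatory = $true)] [ValidateSet("SharePoint", "Adfs")] [string] $Role,
    [string] $TrustName    = "TRUSTNAME",                   # trust name from the post
    [string] $AppDomain    = "appsContoso.local",
    [string] $WebAppRpName = "SharePoint Web Application"   # assumed existing RP name
)

$appRealm     = "https://spapp-$AppUniqueId.$AppDomain"
$appReturnUrl = "$appRealm/_trust"

# Step 1 (SharePoint server): give the app its own realm so the wtrealm sent
# to ADFS equals the relying party identifier created in step 2.
function Add-SPAppRealm {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $t   = Get-SPTrustedIdentityTokenIssuer $TrustName
    $uri = New-Object System.Uri($appRealm)
    if ($t.ProviderRealms.ContainsKey($uri)) {
        Write-Warning "Realm $appRealm already registered."
        return
    }
    $t.ProviderRealms.Add($uri, $appRealm)
    $t.Update()
}

# Step 2 (ADFS 2.0 server): create the per-app relying party and copy the claim
# rules of the hosting web application's RP so the app receives the same claims.
function Add-AdfsAppRelyingParty {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $webAppRp = Get-ADFSRelyingPartyTrust -Name $WebAppRpName
    if (-not $webAppRp) { throw "Relying party '$WebAppRpName' not found." }
    if (Get-ADFSRelyingPartyTrust -Identifier $appRealm) {
        Write-Warning "Relying party for $appRealm already exists."
        return
    }
    Add-ADFSRelyingPartyTrust -Name "SharePoint App $AppUniqueId" `
        -Identifier $appRealm `
        -WSFedEndpoint $appReturnUrl `
        -IssuanceTransformRules $webAppRp.IssuanceTransformRules `
        -IssuanceAuthorizationRules $webAppRp.IssuanceAuthorizationRules
}
switch ($Role) {
    "SharePoint" { Add-SPAppRealm }
    "Adfs"       { Add-AdfsAppRelyingParty }
}
```

Both functions check for an existing entry first, so re-running the script for an app that is already registered is harmless.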

Additional Information

It is possible to configure SharePoint to pass the return URL in a query string parameter called wreply, which is added to the URL that redirects the user to the STS. This behavior is enabled with the following PowerShell commands:
----------------------------------------------------------
$t = Get-SPTrustedIdentityTokenIssuer "TRUSTNAME"
$t.UseWReplyParameter = $true
$t.Update()
----------------------------------------------------------
But ADFS 2.0 does not honor the wreply parameter, so this setting does not help in this scenario.

POST BY: Yvan Duhamel [MSFT]