Problem with WIF authentication using Azure AD with federated domain

  • Question

  • Hi

    I'm building a taskpane app that is secured using Windows Identity Foundation targeting Azure AD. The app page loads fine outside Word, but when launched from there, login causes a new window to open where the authentication finishes and the app is shown. The app window stays on the redirection page that opens our on-premises ADFS logon page.

    I tried adding app domains like so:

      <AppDomains>
        <AppDomain>https://localhost:44301</AppDomain>
        <AppDomain>https://fs.OURDOMAIN.fi</AppDomain>
        <AppDomain>http://fs.OURDOMAIN.fi</AppDomain>
        <AppDomain>https://login.windows.net</AppDomain>
        <AppDomain>https://sts.windows.net</AppDomain>
        <AppDomain>https://login.microsoftonline.com</AppDomain>
        <AppDomain>http://login.microsoftonline.com</AppDomain>
        <AppDomain>https://secure.aadcdn.microsoftonline-p.com</AppDomain>
      </AppDomains>

    ...but they do not make a difference. My guess is that they come into play after the app is loaded, not during logon.

    Does anyone have any ideas how to fix this?

    I'll try to see if this happens on a domain that is not federated. In my case I can switch to using Windows Integrated authentication, as the Web Role will have access to AD, but unless I'm doing something wrong, someone else is bound to have this same problem.

    Cheers,
    Toffe

    Tuesday, May 21, 2013 7:00 AM

All replies

  • It seems like a non-federated domain behaves the same. I also tried creating a workaround by using an entry page with a link to the actual app to see if my premise of AppDomains coming into play later was right. It didn't help and actually opened the app in a new window right away, so I'm missing something I guess.

    Anyway, I switched over to using Windows Integrated for now so I can continue development. I need to know who the user is so I can impersonate him to a backend system, so some kind of mechanism is needed. I guess OAuth 2.0 would work, but it seems like it's not available in Azure AD yet. There is some reference to a Preview, but I couldn't find anything on how to use it. Using Windows Integrated means that I have to domain-join the PaaS instance I'm going to run it on. :-/

    It would be great if someone would try this out and see if they have the same problem. To test make an Office App (manifest) that points to a web page protected with WIF and see what happens. It would be reassuring to know that it is possible at least.

    Wednesday, May 22, 2013 7:11 AM