How to make SPTrustedIdentityTokenIssuer include wauth in request URL to /adfs/ls?
-
Hi everyone,
I've set up a SharePoint Foundation 2010 web application to use claims-based authentication with ADFS 2.0 as the authentication provider. However, I'm unable to include the wauth parameter in the URL that SharePoint passes to ADFS.
I've tried modifying the SharePoint web.config in the IIS virtual directory by adding the authenticationType attribute to the wsFederation element, but that made no difference. I've also examined the properties and methods of the SPTrustedIdentityTokenIssuer class to try to set this up through PowerShell, but I found nothing. And since I can't make SharePoint send the wauth parameter, the authentication method always falls back to the first one listed in the localAuthenticationTypes section of /adfs/ls/web.config.
On the other hand, if I manually add the wauth parameter to the URL that SharePoint creates and enter it in the browser, ADFS behaves perfectly and respects the requested authentication method over the one specified as primary in its web.config. So the problem doesn't seem to be with ADFS.
Please let me know whether it is possible to force the SPTrustedIdentityTokenIssuer to include the wauth parameter in the URL sent to ADFS, and how it can be accomplished.
Thank you very much in advance.
Regards,
Tomislav
All replies
-
Hello Tomislav,
Please check the below link and see if it helps
http://msdn.microsoft.com/en-us/library/ee517290.aspx.
Thanks,
Manas
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Hi Manas,
First, let me thank you for attempting to answer my question. I've more or less put this scenario into a "no-go" category.
I've looked into the link you suggested, but I'm not sure I understand how to apply it to resolve my problem. I know that you aren't suggesting that I use the step-up authentication as such, but rather (if I understand correctly) that I set up a custom login page on my SharePoint application that would somehow utilize the wif:FederatedPassiveSignIn control to request authentication from ADFS instead of relying on SPTrustedIdentityTokenIssuer.
However, if I understand the concepts behind SharePoint claims-based authentication correctly, this could have an unpredictable effect on the behavior of various SharePoint functionalities and would probably require customization of application/site master pages. I was actually looking for a way to influence the already supported scenario (deploying an ADFS-based membership provider through PowerShell) to include the wauth parameter in the parameter string of the URL used to request authentication from ADFS.
As far as I'm aware, nothing short of writing a custom ADFS-based membership provider for SharePoint can actually solve this problem. Unfortunately, the way that SharePoint integrates with IIS seems to override possible solutions that might work in a pure ASP.NET web application.
If I misunderstood your idea, please correct me and elaborate a bit on how you would apply it in this situation.
Thanks again,
Tomislav
-
Hello Tomislav,
The application can specify the required authentication method to the claims provider through a parameter, wauth, which is defined in the WS-Federation specifications. Alternatively, the application can externalize all aspects of the authentication to the claims provider and specify an application-specific claim as a required claim (for example, the privilegelevel claim with the possible values “lowvalue” and “highvalue”).
In this sample scenario, the wauth parameter is used with possible custom values of “authstrength1” for low-value resources, and “authstrength5” for high-value resources.
The following code sample shows how the FederatedPassiveSignIn control can be used to tag the authentication strength values to pass them to the claims provider. Note that the AuthenticationType parameter is serialized as the WS-Federation wauth parameter on the wire.
<wif:FederatedPassiveSignIn
    AuthenticationType="https://WIFSample/authstrength1"
    ID="FederatedPassiveSignIn1"
    runat="Server"
    Issuer="https://sts1.contoso.com/AuthPassive/Default.aspx"
    SignInButtonType="Link"
    TitleText="Click the link below to access low value resources"
    SignInText="Access low value resources"
    Realm="https://web1.contoso.com/AuthAssuranceRP/Default.aspx"
    OnSignInError="FederatedPassiveSignIn_SignInError"
    DisplayRememberMe="false"
    VisibleWhenSignedIn="false">
</wif:FederatedPassiveSignIn>
My understanding here:
- Microsoft.IdentityModel.Web.WSFederationAuthenticationModule (WsFederation) is the base class for the claims from which the SharePoint claims class is derived. NOTE: This gives us a Windows token and not a SAML token. So this is valid to use only with a Windows classic mode SharePoint 2010 site. Claims cannot be supported even though we use C2WTS (Claims to Windows Token Service) for converting a Windows token to a claims token. The SharePoint claims class derived from this is Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule (it must have added additional functionality here).
As I see, you are using the SharePoint module and want to add the wauth parameter value.
In the example above, we see the value assigned to AuthenticationType, which we can set up in the web.config file. Have you tried setting up the same? Please let me know.
Thanks,
Manas
-
Hi Manas,
Thank you for your suggestion. I have tried modifying web.config earlier with no success (I mentioned this attempt in my question). To help you understand my problem better, I'm attaching a link to Steve Peschka's blog post I followed to set up ADFS claims-based authentication on SharePoint:
If you check it out you will see that the procedure described involves setting up a custom SharePoint claims provider that forwards authentication requests to ADFS. It's all done without any coding (just some PowerShell scripting).
I've also asked Steve this same question about wauth on his blog post and it seems there's no way to force the SPTrustedIdentityTokenIssuer to include the wauth parameter in authentication request URL. I've confirmed that wauth is properly processed by ADFS by manually editing the original (SharePoint issued) URL.
I believe you are right regarding the class inheritance, but I've seen more than once that SharePoint classes override the behavior of inherited classes, and I'm afraid this is the case here too.
I have far too little knowledge to be certain about this, but as far as my understanding goes, I'm guessing that:
- in order to implement the FederatedPassiveSignIn control I actually need to be able to access an aspx page that holds the control (that doesn't happen in the above setup: the SharePoint web application routes me to authenticate with ADFS before I'm allowed to access any SharePoint content),
- an authentication method implemented by utilizing the FederatedPassiveSignIn control (in the way described) wouldn't show up as an authentication provider in SharePoint Central Administration (and this is really not an acceptable option for me).
Am I wrong in my assumptions in those 2 points?
One more thing to consider (which I haven't pointed out before, sorry about that) is that this is not targeted at a single specific SharePoint deployment (in which case heavy SharePoint customization could be an option to consider). I'm looking for a general-purpose solution that can be deployed easily in many different SharePoint scenarios (both simple and relatively complex).
Regards and thanks,
Tomislav
-
Hello Tomislav,
I did look at a couple of options and realized that I do not have a ready answer for you; your question falls into the paid support category, which requires a more in-depth level of support. Please visit the below link to see the various paid support options that are available to better meet your needs: http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone. If you are an MSDN / TechNet subscriber, you can also contact our support by using your free support incidents.
However, other members of the community may still have encountered the issue you're seeing, and have a solution to offer!
Thanks,
Manas
-
Tomislav,
What changes to the web.config did you make? For a sample claimapp, I edited the web.config and saw the wauth being passed. Then on the CP ADFS side, it autorouted to the correct authentication method requested. In my example I added authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient" to the wsFederation child element of <federatedAuthentication>, i.e.:
<microsoft.identityModel>
  <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="<sp sts uri>" realm="<myapp uri>" requireHttps="true" authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
    <cookieHandler requireSsl="true" />
  </federatedAuthentication>
  . . . etc.
This gave me a querystring parameter of &wauth=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3aac%3aclasses%3aTLSClient when sent to the IdP/CP STS. Hope this helps.
Jeff
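As an added example (not from this thread, Jeff's claimapp or SharePoint itself), the following Python check reads authenticationType from a wsFederation fragment like the one above, builds the WS-Federation passive sign-in request the way WIF's WSFederationAuthenticationModule serializes it, and verifies whether a captured redirect URL actually carries the expected wauth. The hostnames and the wctx value are constructed; the assumption is that WIF emits wa, wtrealm, wctx and wauth as query-string parameters, which is what Jeff's captured querystring shows.

```python
"""Check whether a WS-Federation sign-in redirect carries the wauth parameter."""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed web.config fragment modelled on the wsFederation element in the thread.
WEB_CONFIG = """<configuration>
  <microsoft.identityModel>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true"
                    issuer="https://adfs.example.test/adfs/ls/"
                    realm="https://web1.example.test/"
                    requireHttps="true"
                    authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"/>
      <cookieHandler requireSsl="true" />
    </federatedAuthentication>
  </microsoft.identityModel>
</configuration>"""


def read_wsfederation(config_xml: str) -> dict:
    """Return the attributes of the wsFederation element (issuer, realm, authenticationType...)."""
    ws = next(ET.fromstring(config_xml).iter("wsFederation"), None)
    if ws is None:
        raise ValueError("no wsFederation element in web.config")
    return dict(ws.attrib)


def build_signin_url(issuer: str, realm: str, wauth: Optional[str] = None,
                     wctx: str = "rm=0&id=passive&ru=%2f") -> str:
    """Compose the passive sign-in redirect; wauth is only appended when configured.
    (Assumed WIF layout: wa=wsignin1.0 plus wtrealm/wctx, as in Jeff's capture.)"""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wctx": wctx}
    if wauth:
        params["wauth"] = wauth
    return issuer + ("&" if "?" in issuer else "?") + urlencode(params)


def check_wauth(url: str, expected: str) -> bool:
    """True when the captured request carries exactly one wauth equal to `expected`.
    parse_qs decodes both %3A and the lowercase %3a that .NET's UrlEncode produces."""
    query = parse_qs(urlsplit(url).query)
    return query.get("wauth") == [expected]
```

Point check_wauth at the Location header of the 302 from your SharePoint web application: if it returns False for the value you configured, SharePoint dropped the attribute, which is the behaviour Tomislav describes.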
-
Jeff,
Thanks for your answer. I've tried including various parameters, but the SharePoint app seemed to ignore them. I couldn't figure out from your post whether your claimapp is a SharePoint application or a "pure" IIS app. So far I've gotten more or less definitive answers that the SharePoint layer that sits on top of IIS (sorry for the simplified terminology) ignores most (or all?) of the stuff in the wsFederation element. However, if you've gotten your SharePoint to include wauth in the authentication request, I'd be grateful if you could post the steps you performed to configure the authentication provider for your SharePoint app.
Regards,
Tomislav
-
Hi cmrobino,
Unfortunately no. I had been experimenting with this only to gain access to SharePoint from the Windows Phone 7 Office Hub without FBA or UAG. As I found an alternative solution for that some time ago, I abandoned the ADFS approach. If I ever revisit the subject and find a solution, I'll post it here.
Regards,
Tomislav