AD FS + WAP + WIA breaks OneDrive mobile app

  • Question

  • Can anyone confirm that the OneDrive mobile app is not supposed to support the ADFS+WAP + WIA setup (the non-trust relying party setup)?

    I'm trying to provide access to our on-prem environment from mobile, but just can't get it working. My setup works for the browsers, but not for the apps.

    If I publish using the non-trust relying party option, the OneDrive iOS app offers to login using the browser, shows my ADFS login screen, and after the successful login just crashes. If I open the app again, it crashes instantly. On the third try it does start, but never loads anything from Sharepoint - all the tabs are just empty, and after a while it asks me to "connect to wi-fi or mobile network".

    The SAML publishing option got me into even more trouble, that's outlined in another thread.

    If I just publish the Sharepoint server to the Internet directly (and keep the default WIA option), the mobile apps work, but that can't be the recommended external publishing option, can it?

    Thursday, December 13, 2018 6:33 PM

Answers

  • Hello Mike,

    Actually we don't have a requirement to specifically use SAML, it just came up because it's an auth mode frequently used within the ADFS + WAP publishing scenario.

    Still, I think if you're going to support SAML with mobile OneDrive, then naturally my scenario would need to be covered as well - the mobile app would have to support login forms in order to request SAML tokens.


    Anyway, I've sort of developed a workaround.

    I've found that the app works with WAP+passthrough auth (which is to be expected, since in passthrough mode WAP is basically transparent). So my thinking was, "what if my browser-based users connected through WAP with ADFS pre-auth with SSO, and possibly MFA, and all the other AD FS goodies, but my app-based users connected with straight WIA?"

    To achieve this I've published my main Sharepoint web application using ADFS+WAP+non-claim relying party mode, and for the Onedrive app I've extended the application to a new "Extranet" zone (name is not important) with a different domain name. Then I've published that new URL with WAP using passthrough auth mode.

    So now I've got two zones - the default portal.domain.com, and extranet onedrive.domain.com, their corresponding AAM mappings, and two publishing rules in the WAP - AD FS for portal.domain.com, and passthrough for onedrive.domain.com.

    In my preliminary tests this solution does work, although, obviously, the security is somewhat lower than the full AD FS setup would be.

    That said, the links are now inconsistent between the app and portal, so if a URL from the app is sent to a browser-based user, he would get the WIA prompt instead of the ADFS login portal, which is not good. And if the link from the browser-based user is somehow opened with an app, it would not work at all. So not a perfect solution.

    It would be great for the apps to support pre-auth.


    • Edited by Vasily T Friday, December 14, 2018 5:07 PM
    • Marked as answer by Vasily T Tuesday, December 18, 2018 7:07 AM
    Friday, December 14, 2018 4:59 PM
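    The two-zone layout Vasily describes above, written out as PowerShell. This is an added example, not configuration from the thread or from Microsoft; host names, the zone name, the SPN and the certificate thumbprint are placeholders, and it assumes a SharePoint 2016/2019 farm, AD FS 2016 or later, a separate WAP server, and an existing web application at portal.domain.com.

```powershell
# Added example (not from the thread). Placeholders: portal.domain.com,
# onedrive.domain.com, the SPN and the certificate thumbprint.
# Assumes the portal.domain.com web application already exists.

# --- SharePoint server: extend the web app to a second zone for the app ---
Add-PSSnapin Microsoft.SharePoint.PowerShell

$defaultZoneUrl = 'https://portal.domain.com'    # AD FS pre-auth path (browsers)
$appZoneUrl     = 'https://onedrive.domain.com'  # passthrough path (OneDrive app)

# Windows (NTLM) claims provider, so WIA is what the mobile app negotiates.
$wia = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

New-SPWebApplicationExtension -Identity $defaultZoneUrl `
    -Name 'SharePoint - OneDrive app zone' `
    -Zone Extranet -Url $appZoneUrl -HostHeader 'onedrive.domain.com' `
    -Port 443 -SecureSocketsLayer -AuthenticationProvider $wia
# -Url becomes the Extranet public URL in AAM, so links generated in that
# zone carry onedrive.domain.com: this is the app/portal link mismatch
# Vasily mentions.

# --- AD FS server: non-claims-aware relying party for the default zone ---
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name 'SharePoint portal' `
    -Identifier 'https://portal.domain.com/' `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# --- WAP server: two publishing rules, one per zone ---
$thumb = 'PLACEHOLDER-CERT-THUMBPRINT'   # wildcard/SAN cert covering both names

# Rule 1: browsers get the AD FS sign-in page (SSO/MFA policy applies);
# WAP then obtains a Kerberos ticket for the user via KCD, so the WAP
# computer account must be allowed to delegate to HTTP/portal.domain.com.
Add-WebApplicationProxyApplication -Name 'SharePoint portal (AD FS pre-auth)' `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName 'SharePoint portal' `
    -ExternalUrl $defaultZoneUrl -BackendServerUrl $defaultZoneUrl `
    -BackendServerAuthenticationSPN 'HTTP/portal.domain.com' `
    -ExternalCertificateThumbprint $thumb

# Rule 2: no pre-auth. WAP is only a TLS reverse proxy and the app does
# NTLM directly against SharePoint; no AD FS policy is enforced on this
# host name, so it is the weaker edge and needs its own logging/monitoring.
Add-WebApplicationProxyApplication -Name 'SharePoint OneDrive app (passthrough)' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl $appZoneUrl -BackendServerUrl $appZoneUrl `
    -ExternalCertificateThumbprint $thumb
```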

All replies

  • OneDrive does not support pre-auth. You would need to expose AD FS so it performs Windows integrated auth instead.

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, December 13, 2018 6:57 PM
  • Thank you Trevor,


    So what's the current consensus on the best way of publishing on-prem Sharepoint?


    I thought the AD FS+WAP preauth with non-claims aware relying party trust was the best option, but I understand that the onedrive mobile app does not support that.

    If the apps do not support preauth at all, the ADFS+WAP+SAML will not work too.

    I guess I could do the ADFS+WAP with passthrough auth (do apps support that?), but I would lose the SSO capabilities with the other systems - say, Exchange OWA, and lose the nice login form, and, worst of all, lose all the security options offered by ADFS.

    Finally, I can just publish Sharepoint directly and omit the ADFS+WAP altogether. This seems to be less secure, however compared to WAP with pass-through auth, it's not that much of a difference TBH.

    Did I, by chance, miss anything?

    My goal is to provide the domain member devices with access strictly inside the network perimeter, and provide access for non-domain joined devices from the outside. The onedrive app was one of the key factors in the decision to deploy Sharepoint...

    The Azure and other cloud options cannot be considered due to decisions made upstairs.

    • Edited by Vasily T Friday, December 14, 2018 9:22 AM
    Friday, December 14, 2018 9:20 AM
  • SAML support is coming for OneDrive. However, it's still in development and our PG is looking for candidates with blocked 2019 deployments to provide feedback to ensure what is created meets the needs of the most common SAML scenarios.

    Is your SharePoint 2019 deployment blocked? If so, how large is your user base affected?

    Regards,


    Mike Lee

    Friday, December 14, 2018 2:34 PM
  • Mike, this might be a different scenario. This would be that the OD client needs to support FBA as SAML isn't involved. And by FBA, I just mean a service that provides pre-auth. This could be done through WAP + ADFS, F5 pre-auth, or even Azure AD App Proxy (which would be a good way to front SharePoint as you can expose direct WIA).

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, December 14, 2018 3:31 PM
  • Hi

    What do you mean by expose ADFS?

    The WAP serves as a proxy to the internal ADFS and can support WIA apps.

    Thanks

    Wednesday, September 18, 2019 11:32 AM
  • Hi mike,

    We have exactly the same scenario.

    Do the Office mobile apps (OneDrive, SharePoint, Word, Excel, ...) now support claims auth with WAP+ADFS?

    Wednesday, September 18, 2019 11:41 AM
  • Office mobile apps do not support SharePoint on-prem.

    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, September 18, 2019 3:06 PM
  • Please provide an official article from Microsoft that confirms this. I wonder how come Microsoft releases SharePoint 2016 with no support for mobile apps like OneDrive and SharePoint.

    Also how can the same mobile app support the cloud version of SharePoint?

    Thanks,

    Wednesday, September 18, 2019 4:10 PM
  • The article only applies to O365:

    https://support.office.com/en-us/article/install-and-set-up-office-on-an-iphone-or-ipad-9df6d10c-7281-4671-8666-6ca8e339b628?ui=en-US&rs=en-US&ad=US

    OneDrive client does support SharePoint Server 2019, which introduced support for NGSC, as long as the Web Application is configured with NTLM.


    Trevor Seward

    Office Apps and Services MVP



    Author, Deploying SharePoint 2019

    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, September 18, 2019 4:21 PM