Need to access a web page by bypassing the ADFS Sign In page.

  • Question

  • Hi,

    We are using ADFS (3.0) authentication in our web application. We have a scenario where a user should be able to access a page without authentication; however, in an ADFS environment he gets the ADFS Sign In (Home Realm Discovery) page while trying to access that page from the web browser.

    For example, if a user accesses https://www.xyz.com/prod/quickentry.aspx then the quick entry page should be displayed without the Sign In page so that the user can create a basic record. This scenario works in a non-ADFS environment, but in an ADFS-enabled environment the ADFS Sign In page is displayed.

    In our web.config we have an existing location path key with value as "FederationMetadata". We updated this value to "quickentry.aspx". After this when we accessed the above URL the quick entry page was displayed instead of the ADFS Sign In page. However on the quick entry page the fields and buttons are not displayed properly. It seems that the css is totally off on this page.

    Is something missing? If this is not the right way then please let me know if there is any way we can achieve the functionality to bypass the ADFS Sign in page and access the aspx page directly?

    Thank you.


    • Edited by sferro Monday, June 6, 2016 9:31 AM
    Monday, June 6, 2016 7:43 AM

Answers

  • The correct way to do this is to decide what pages are not protected and then use constructs like:

    <location path="xxx.aspx">
        <system.web>
            <authorization>
                <allow users="*"/> <!-- This will allow access to everyone -->
            </authorization>
        </system.web>
    </location>

    or remove any [Auth] decoration from the classes.

    You also need to include .css and .html files.

    By default ADFS protects everything.

    Tuesday, August 16, 2016 2:08 AM
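
Added example, not part of the thread: each `<location>` exception of the kind shown above makes a path reachable without sign-in, so it helps to list them when reviewing a web.config. This Python sketch reports every `<location>` whose first matching authorization rule allows anonymous users; the sample config and its paths (other than `FederationMetadata` and `quickentry.aspx`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample web.config (not from the thread); paths are illustrative.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="FederationMetadata">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="quickentry.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="Content/quickentry.css">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
  <location path="admin.aspx">
    <system.web><authorization><deny users="?"/><allow users="*"/></authorization></system.web>
  </location>
</configuration>"""


def anonymous_allowed(authorization):
    """First allow/deny rule matching an anonymous user wins; roles/verbs are ignored."""
    for rule in authorization:
        if rule.tag not in ("allow", "deny"):
            continue
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"*", "?"}:  # "*" = everyone, "?" = anonymous users
            return rule.tag == "allow"
    return None  # no matching rule here; the parent configuration decides


def audit(config_xml):
    """Return (path, scope) for every <location> open to anonymous users."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        auth = loc.find("system.web/authorization")
        if auth is None or not anonymous_allowed(auth):
            continue
        path = loc.get("path", "")
        # A path without a file extension is treated as a whole directory.
        scope = "file" if PurePosixPath(path).suffix else "directory"
        findings.append((path, scope))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Entries reported with scope `directory` deserve the closest look, since everything under that path is served without authentication.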

All replies

  • Well, I am not sure I am following... But one thing here: the application decides what is accessible without access control, not the ADFS server. So I'd reach out to the application owner to ensure that these URLs are fine without any identity/authorization context.

    Or am I missing something obvious?

    Others?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, June 7, 2016 1:24 PM
  • I added another "location" path entry for the css file, same as the existing location path entries for FederationMetaData xml and quickentry.aspx, in the application's web.config, and that solved the problem. Had to add a few more path entries. Now I am able to bypass the ADFS Sign In page and can directly access the quickentry page in the web browser with no css issues.

    Thanks.


    Wednesday, June 8, 2016 5:56 AM
  • I highly doubt that this is a supported or recommended solution. I am missing something here. If the content of the page doesn't require authentication, it shouldn't ask for it in the first place. Are we talking about WAP exclusion URL maybe? This puzzles me.

    Monday, June 13, 2016 12:54 PM
  • Any update?

    Tuesday, August 16, 2016 12:02 AM