OAuth2 on ADFS with Multiple Claims Provider Trusts

  • Question

  • ADFS 3.0 introduced OAuth2 Authorisation Code flow. We have an existing ADFS Server with existing Relying Parties, External Claims Providers and Claims Rules. The new OAuth flow links into all that by requiring the Relying Party Id to be supplied as the "resource" parameter on requests to the ADFS OAuth authorize endpoint.

    When I hit that endpoint ADFS shows me the Home Realm selection page with an option for each of my configured Claims Providers.

    With the SAML and WS-Fed flows it is possible to specify the "home realm" on the request to ADFS, which bypasses this screen.

    Is this possible with the OAuth2 flow?

    If it is, it is undocumented from what I can see, so I assume the answer is no. Failing that, what workarounds are there if I don't want to present the user with a list of claims providers?

    Thursday, October 20, 2016 11:28 AM

Answers

  • You can bypass HRD with the following:

    Set-AdfsRelyingPartyTrust -TargetName claimapp -ClaimsProviderName @("Active Directory")

    In that case we'll assume that users are always coming from AD. But it's your choice to pick another CP.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by A McCluggage Friday, October 21, 2016 10:22 AM
    Friday, October 21, 2016 4:37 AM
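    As an added illustration (not the answerer's code), the one-liner above, wrapped with the checks an ADFS admin would want: confirm the relying party trust and the claims provider trust exist, then show the ClaimsProviderName list before and after. Pinning the list also has a hardening effect, since the relying party will then only accept identities from the named provider. Names assumed from the thread: relying party "claimapp", claims provider "Active Directory".

```powershell
# Added example (not from the original post). Run in an elevated
# PowerShell session on the ADFS server; uses the built-in ADFS cmdlets.
$rpName = 'claimapp'            # relying party trust named in the thread
$cpName = 'Active Directory'    # claims provider to pin; any configured CP works

# Fail early if either side of the trust is missing or misspelled.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

$cp = Get-AdfsClaimsProviderTrust -Name $cpName
if (-not $cp) { throw "Claims provider trust '$cpName' not found" }

# An empty list means 'all claims providers', which is why HRD is shown.
"Before: $($rp.ClaimsProviderName -join ', ')"

# Restrict this relying party to the single claims provider; HRD is skipped.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($cpName)

# Re-read the trust to confirm the change took effect.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
"After:  $($rp.ClaimsProviderName -join ', ')"
```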

All replies

  • That works for me! Thanks
    Friday, October 21, 2016 10:23 AM