ADFS 2016 - Limit claims providers for WebApiApplications

  • Question

  • I think I have encountered an anomaly when limiting claims providers for WebApiApplications.

    Below I have written down how I normally go about this for a 'normal' relying party trust. Next to that, I have applied the same configuration to the new WebApiApplications of ADFS 2016, with different results.

    The use case is that I want to limit the list of IDPs available for a specific WebApiApplication. I have been able to do this with JavaScript, but I do not find this to be an appropriate solution, as this can be done out of the box for relying party trusts.

    SERVICE PROVIDER SCENARIO:

    Get-AdfsRelyingPartyTrust | select name,claimsprovidername

    --> shows {} for our particular relying party trust. This means all configured claims providers are enabled (in this case, "FedICT Fas" and "Active Directory").

    Which shows the following login page:

    Set-AdfsRelyingPartyTrust -TargetName "<targetname>" -ClaimsProviderName "Active Directory"

    --> Our relying party trust now shows only "Active Directory".

    Which now automatically redirects us to our "Active Directory" IDP since that is the only option specified.

    When we restore the ClaimsProviderName attribute we get both options again.

    Set-AdfsRelyingPartyTrust -TargetName "<targetname>" -ClaimsProviderName @()

    Get-AdfsWebApiApplication | select name,claimsprovidername

    WEB API APPLICATION SCENARIO:

    However, with an OAuth2-enabled Web API, only the "FedICT FAS" claims provider is enabled.

    When performing SP-initiated sign-on, on the ADFS page we get both options… I would expect to get only the "FedICT FAS" option, as is the case with a normal claims provider.

    Restarting the ADFS service does not help, nor does rebooting the server.

    The request URL (if helpful at all) looks like this:

    https://sts.domain.local/adfs/oauth2/authorize
    ?response_type=id_token
    &client_id=71ab6680-a452-aaaa-aaaa-eb4dadc8b9c6
    &redirect_uri=https://redirect-uri.domain.local//
    &state=9c0e58ae-bd20-442f-92c6-dcd567809090
    &client-request-id=e51afa41-aaaa-aaaa-9bb2-6340b2e269aa
    &x-client-SKU=Js
    &x-client-Ver=1.0.15
    &nonce=fabe1c84-eaa6-4b20-9845-adba928ee3cc

    Friday, April 6, 2018 12:45 PM
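An audit check for the situation described in the question, added here as an example that is not part of the original post: it lists every relying party trust and Web API application together with its stored ClaimsProviderName, so an empty list (every configured provider offered on the login page) can be told apart from a restricted one, and the persisted value compared with what the home realm discovery page actually shows. It assumes the ADFS PowerShell module on an ADFS 2016 server; the function name Get-AdfsClaimsProviderRestrictions is chosen here, and the commented apply step assumes Set-AdfsWebApiApplication accepts -ClaimsProviderName in the same way as Set-AdfsRelyingPartyTrust.

```powershell
# Added example (not from the original post). Assumes the ADFS module is loaded
# on an ADFS 2016 server. Function name is chosen for this example.
function Get-AdfsClaimsProviderRestrictions {
    # Every claims provider trust configured in the farm; on ADFS this list
    # includes the built-in "Active Directory" trust.
    $allProviders = Get-AdfsClaimsProviderTrust | ForEach-Object { $_.Name }

    $entries = @()
    $entries += Get-AdfsRelyingPartyTrust | ForEach-Object {
        [pscustomobject]@{ Kind = 'RelyingPartyTrust'; Name = $_.Name
                           Providers = @($_.ClaimsProviderName) }
    }
    $entries += Get-AdfsWebApiApplication | ForEach-Object {
        [pscustomobject]@{ Kind = 'WebApiApplication'; Name = $_.Name
                           Providers = @($_.ClaimsProviderName) }
    }

    foreach ($e in $entries) {
        # An empty ClaimsProviderName (shown as {} in the post) means no
        # restriction: all configured providers are offered at sign-on.
        $restricted = $e.Providers.Count -gt 0
        $effective  = if ($restricted) { $e.Providers } else { $allProviders }
        [pscustomobject]@{
            Kind               = $e.Kind
            Name               = $e.Name
            Restricted         = $restricted
            StoredProviders    = ($e.Providers -join ', ')
            EffectiveProviders = ($effective -join ', ')
        }
    }
}

# Report every trust or application that still offers all identity providers.
Get-AdfsClaimsProviderRestrictions |
    Where-Object { -not $_.Restricted } |
    Format-Table Kind, Name, EffectiveProviders -AutoSize

# Apply a restriction to one Web API application and re-read the stored value
# (assumption: Set-AdfsWebApiApplication takes -ClaimsProviderName like the
# relying-party cmdlet). Placeholder name; uncomment to run.
# Set-AdfsWebApiApplication -TargetName '<webapi name>' -ClaimsProviderName 'FedICT FAS'
# (Get-AdfsWebApiApplication -Name '<webapi name>').ClaimsProviderName
```

If the stored value shows the single provider but the login page still offers both, the restriction is persisted and the discrepancy lies in how the OAuth2 authorize endpoint applies it, which is the behaviour the question reports.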