Using the WHR Parameter with SharePoint 2010 and SAML Auth
I've seen lots of questions and confusion (and was a little lost myself for a bit) on the fixes in SharePoint 2010 SP1 + June CU to enable use of the WHR parameter. This does in fact work now but requires a couple of things:
- Configure the SPTrustedIdentityTokenIssuer
The SPTrustedIdentityTokenIssuer now has a property called UseWHomeRealmParameter; it must be set to true for SharePoint to pass the WHR (home realm) parameter along to the IdP, which lets ADFS skip its home realm discovery page and send the user straight to the right claims provider. Here's a short PowerShell snippet that I used to do this:
$ap = get-sptrustedidentitytokenissuer -identity "ADFS with Roles"
$ap.UseWHomeRealmParameter = $true
$ap.Update()   # persist the change; without Update() the property reverts
Pretty simple - now SharePoint will send along any WHR parameter that it finds on the request to _trust/default.aspx.
- Write or do "something" to append the WHR parameter
In my case I wrote an HttpModule to append the WHR parameter. Specifically here is how I did it:
- In the Init override I added a handler for the BeginRequest event
- In the code for the BeginRequest event I look to see if:
- The request is headed to _trust/default.aspx AND
- The request does NOT have a WHR parameter included yet
- If the request meets the two criteria described above, I create a redirect back to _trust/default.aspx. When I do that I:
- Add every query string parameter that was there before
- Append my WHR parameter to the end
- Response.Redirect back to _trust/default.aspx
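Here is an added example of such a module in C#, written for this page rather than taken from the project attached to the post. The namespace, class name and the HomeRealm value are assumptions; the realm has to be whatever identifier your ADFS expects for the claims provider trust you want the user sent to. The check for an existing whr parameter is what keeps the module from redirecting itself in a loop, so it is the one part you must not leave out.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

// Added example, not the source attached to the post. Namespace, class name and
// the HomeRealm value are assumptions; HomeRealm must be the identifier ADFS
// expects for the claims provider you want the user routed to.
namespace WhrModuleSample
{
    public class WhrAppenderModule : IHttpModule
    {
        private const string TrustPagePath = "/_trust/default.aspx";
        private const string WhrParameterName = "whr";
        private const string HomeRealm = "urn:sharepoint:contoso"; // assumed value

        public void Init(HttpApplication context)
        {
            // Hook BeginRequest so the redirect happens before SharePoint's own page runs.
            context.BeginRequest += OnBeginRequest;
        }

        public void Dispose()
        {
        }

        private void OnBeginRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            HttpRequest request = app.Context.Request;

            if (!NeedsWhr(request.Url.AbsolutePath, request.QueryString))
            {
                return;
            }

            string target = AppendWhr(request.Url.PathAndQuery, HomeRealm);

            // endResponse: false avoids the ThreadAbortException that the one-argument
            // Response.Redirect raises internally; CompleteRequest ends the pipeline instead.
            app.Context.Response.Redirect(target, false);
            app.CompleteRequest();
        }

        // Redirect only for _trust/default.aspx and only when no whr parameter is
        // present yet; the second check is what stops the module from redirecting forever.
        internal static bool NeedsWhr(string absolutePath, NameValueCollection query)
        {
            if (!absolutePath.EndsWith(TrustPagePath, StringComparison.OrdinalIgnoreCase))
            {
                return false;
            }

            // HttpRequest.QueryString matches keys case-insensitively.
            return query[WhrParameterName] == null;
        }

        // Keeps the original path and every existing query string parameter (ReturnUrl
        // and the rest) untouched and appends whr at the end. A relative URL is used on
        // purpose: Response.Redirect accepts it and it does not depend on the scheme or
        // host the server saw, which matters behind an SSL-terminating load balancer.
        internal static string AppendWhr(string pathAndQuery, string realm)
        {
            string separator = pathAndQuery.Contains("?") ? "&" : "?";
            return pathAndQuery + separator + WhrParameterName + "=" + HttpUtility.UrlEncode(realm);
        }
    }
}
```

To use it, deploy the assembly to the GAC and register the module in the web application's web.config under system.webServer/modules (the integrated pipeline entry), then confirm in Fiddler that the first hit on _trust/default.aspx comes back as a redirect to the same page with whr appended, and that the subsequent redirect to ADFS still carries whr. If ADFS shows its home realm discovery page anyway, the realm value does not match a claims provider trust identifier, not the module.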
That was it. I tested this using an InPrivate browser session in IE because it won't use the authentication cookies that could otherwise throw off the test results. So far all tests have worked just as hoped - I've also verified in Fiddler that the WHR parameter is now flowing over to ADFS (in my case) as desired. I've attached the source code for my simple little project to this posting to help get you started.