How to use ADFS with SharePoint hosted apps in Sharepoint 2013

This blog will provide some handy information for Setting up Hosted Apps in SHAREPOINT 2013 with ADFS 2.0

As stated in, SharePoint 2013 SharePoint hosted apps support SAML authentication.

Each SharePoint hosted apps has a unique DNS domain, so each also have a unique return URL (when user comes back from STS) that is typically https://spapp-UNIQUEID.appsContoso.local/_trust

To be able to use ADFS 2 with SharePoint hosted apps, the following must be done:

- In SharePoint: Create a unique realm per SharePoint hosted app
- In ADFS: Create a relying party per SharePoint hosted app

Create a unique realm per SharePoint hosted app in SharePoint:

$t=Get-SPTrustedIdentityTokenIssuer "TRUSTNAME"
$uri=new-object System.Uri("https://spapp-UNIQUEID.appsContoso.local")
$t.ProviderRealms.Add($uri, "https://spapp-UNIQUEID.appsContoso.local")

Create a unique relying party in ADFS:

The relying party should be created with following settings:
WS Federation Passive Endpoint: POST to https://spapp-UNIQUEID.appsContoso.local/_trust
Identifier: https://spapp-UNIQUEID.appsContoso.local

Issue the same claims as the SharePoint web application hosting the app.
The drawback of this method is that each time an app is installed, a realm must be created in SharePoint and a relying party must be created in ADFS.


Additional  Information

It is possible to configure SharePoint to specify the return URL in a query string called wreply. It is added to the URL that redirects user to the STS. This behavior is enabled with following PowerShell commands:
$t=Set-SPTrustedIdentityTokenIssuer "TRUSTNAME"
But ADFS 2 does not honor the reply parameter so this setting does not help in this scenario.


POST BY: Yvan Duhamel [MSFT]