
I am trying to work out an SSO solution for a customer of mine who is using SharePoint online with Office 365.

I have the following test environment:

  • Domain Server (+ certificate services)
  • ADFS Server
  • ADFS Proxy Server (non domain joined)
  • Server for testing (IE+Firefox+Chrome installed)
  • Web server for sample application

The ADFS server is federated with Office 365.

The SharePoint online website is (name changed) A.sharepoint.com. The internal domain's (Windows) DNS name is corp.B.com. (B is not the same as A in the SharePoint.com domain, is this an issue?) The domain (internet) used for Office 365 is B.com. A UPN suffix was created and is used on the accounts of corp.B.com to allow logging in as user@B.com.

The ADFS solution is working just fine (go to SharePoint Online or Office 365, get prompted for credentials, type UPN, get redirected to ADFS and auto-logged in).

What I'm trying to do is to use SharePoint auto-acceleration to bypass that login prompt, however after enabling the SharePoint acceleration on A-admin.sharepoint.com as suggested and enabling it for the domain B.com, nothing changed; still the same login prompt and no auto-acceleration.

I'm clueless as to how to debug this or where to look any further.

Edit: Smart links are not an option, I'm looking at getting this working cleanly and not for an ADFS 2 solution but for something forward compatible and supported.

SamErde
  • Note: When prompted for credentials, you are typing the user's UPN, not their email address. They usually look identical, but are two separate attributes. – SamErde Jul 05 '16 at 17:32
  • @SturdyErde I'm not sure how this relates to the question, the point of auto acceleration is to "not" have to type any credentials at all, neither their UPN nor their email (and indeed in this case they are the same) – Ronan Thibaudau Jul 05 '16 at 17:34
  • It's part of the process that you described and are trying to improve by using auto accelerate. Simply trying to help you (and your customer) understand the process that is happening because many users confuse UPN and email address. Call me the technical equivalent of the grammar police here. :) – SamErde Jul 05 '16 at 17:36

2 Answers

The issue is that the domain that was required for the SignInAccelerationDomain wasn't the domain used as the UPN for Office 365 but the full domain name of the Windows domain. So I had to enable in my example the acceleration for "corp.B.com" and not for "B.com".


Did you use the Set-SPOTenant cmdlet?

# Run from the SharePoint Online Management Shell after Connect-SPOService
Set-SPOTenant -SignInAccelerationDomain "mydomain.com"

# Optional: also accelerate guest sign-in
Set-SPOTenant -EnableGuestSignInAcceleration $true

There must also be only one identity provider in your AD. SharePoint Online must have a specific site to target when accelerating. The organization can have multiple domains as long as there is a single AD FS endpoint.

For more info:

https://support.office.com/en-us/article/enable-auto-acceleration-for-your-sharepoint-online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83

El Chapo Gluzman
  • Yes, I did set it using that command; this article is the first (and pretty much) only one I've found on the subject. I've found the issue today and fixed it. – Ronan Thibaudau Jul 05 '16 at 17:31
  • Zinovy, while it wasn't the answer I was looking for there's no point letting the Bounty go to waste so +100 for you for trying to help :) – Ronan Thibaudau Jul 08 '16 at 15:42
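The following script is an added example, not code from the question or either answer, that puts both answers together: it connects to the tenant admin site, records the current acceleration settings, sets SignInAccelerationDomain to the Windows domain's DNS name (the accepted answer's fix, corp.B.com rather than the UPN suffix B.com), and then reads the tenant back to confirm the value took. The admin URL and domain name are placeholders for the asker's (renamed) environment, and the guest-acceleration line from the second answer is left commented out as optional.

```powershell
# Added example (not from the original post or answers): set and verify the
# SharePoint Online sign-in acceleration domain.
# Requires the SharePoint Online Management Shell and a tenant admin account.

$AdminUrl      = "https://A-admin.sharepoint.com"   # placeholder tenant admin site
$WindowsDomain = "corp.B.com"                       # AD DS DNS name, NOT the UPN suffix B.com

Connect-SPOService -Url $AdminUrl

# Record what is configured before changing anything, so the change can be reverted
$before = Get-SPOTenant | Select-Object SignInAccelerationDomain, EnableGuestSignInAcceleration
Write-Host "Before:"
$before | Format-List | Out-String | Write-Host

# The accepted answer's point: the value must be the Windows domain's full DNS name
Set-SPOTenant -SignInAccelerationDomain $WindowsDomain

# Optional setting shown in the second answer; uncomment if guest users should
# also be accelerated
# Set-SPOTenant -EnableGuestSignInAcceleration $true

# Read the tenant back and fail loudly if the value did not apply
$after = Get-SPOTenant
if ($after.SignInAccelerationDomain -ne $WindowsDomain) {
    throw "SignInAccelerationDomain is '$($after.SignInAccelerationDomain)', expected '$WindowsDomain'"
}
Write-Host "After: SignInAccelerationDomain = $($after.SignInAccelerationDomain)"
```

The before/after read-back matters because the setting is tenant-wide and silently redirects every sign-in to the single AD FS endpoint the second answer mentions; if that endpoint is unreachable (for example the non-domain-joined proxy is down), users get no login prompt to fall back to, so keep the previous value to hand and test from the poster's browser-test server before rolling it out.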