
ADFS 3.0 introduced OAuth2 Authorisation Code flow. We have an existing ADFS Server with existing Relying Parties, External Claims Providers and Claims Rules. The new OAuth flow links into all that by requiring the Relying Party Id to be supplied as the "resource" parameter on requests to the ADFS OAuth authorize endpoint.

When I hit that endpoint ADFS shows me the Home Realm selection page with an option for each of my configured Claims Providers.

With the SAML and WS-Fed flows it is possible to specify the "home realm" on the request to ADFS, which bypasses this screen.

Is this possible with the OAuth2 flow?

If it is, it is undocumented from what I can see, so I assume the answer is no. Failing that, what workarounds are there if I don't want to present the user with a list of claims providers?

  • In SAML these are known as WAYFless URLs - is this the flow you mean? There is also the unsolicited profile; I think MS refer to these as vanity URLs or some such – Sum1sAdmin Oct 20 '16 at 11:29
  • In WS-Fed it was done using the "whr" parameter. If the request to adfs/ls endpoint included this parameter and it matched the id of one of the Claims Provider Trusts, ADFS would skip the Home Realm selection screen. Could you clarify the rest of your comment please? – Andy McCluggage Oct 20 '16 at 12:07
  • So I'm not used to WS-Fed or the other ADFS jargon - but are you trying to bypass users 'discovering' their identity provider? Have you set up vanity URLs? For example, when you visit your SSO services, do you visit service.mydomain.com or service.someoneelsesdomain.com? If you start the flow at the service provider it has to build the authentication URLs - in SAML, WAYFless (where-are-you-from-less) and in ADFS vanity URLs - + Kerberos = true SSO – Sum1sAdmin Oct 20 '16 at 12:28
  • Thanks for clarifying. We have used that vanity URL technique, so we know the home realm of the client before hitting ADFS. That all works fine for SAML/WS-Fed. It relies on those protocols allowing that home realm id to be passed in to ADFS when starting the process. My question was about OAuth. It was added to ADFS relatively recently and doesn't seem to support passing in the home realm id. – Andy McCluggage Oct 20 '16 at 14:06

2 Answers


Answered here: https://social.technet.microsoft.com/Forums/en-US/c3703674-6cd8-461f-9f67-ecfaa69c6817/oauth2-on-adfs-with-multiple-claims-provider-trusts?forum=ADFS

You can bypass HRD with the following:
Set-AdfsRelyingPartyTrust -TargetName claimapp -ClaimsProviderName @("Active Directory")
In that case we'll assume that users are always coming from AD. But it's your choice to pick another CP.

– janv8000
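As an added example (not the answer's or Microsoft's own script): the same pin-one-claims-provider change, with a check that the relying party and claims provider trust exist before the change and a read-back afterwards. Pinning also narrows which claims providers ADFS will use for that relying party, so the read-back is worth keeping. It assumes a relying party named claimapp and a claims provider trust named Active Directory, run in an elevated PowerShell session on the ADFS server.

```powershell
# Assumed names; replace with your own relying party id and claims provider trust name.
$rpName = 'claimapp'           # the value clients send as the OAuth "resource" parameter
$cpName = 'Active Directory'   # the single claims provider to send users to

Import-Module ADFS

# Refuse to continue if either object is missing; Set-AdfsRelyingPartyTrust would
# otherwise fail with a less obvious error.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

$cp = Get-AdfsClaimsProviderTrust -Name $cpName
if (-not $cp) { throw "Claims provider trust '$cpName' not found" }

# An empty ClaimsProviderName means every enabled claims provider is offered
# on the Home Realm Discovery page for this relying party.
$before = @($rp.ClaimsProviderName)
Write-Host ("Before: " + $(if ($before.Count) { $before -join ', ' } else { '<all claims providers>' }))

# Pin the relying party to exactly one claims provider; HRD is skipped for it.
Set-AdfsRelyingPartyTrust -TargetName $rpName -ClaimsProviderName @($cpName)

# Read back and confirm the change actually took effect.
$after = @((Get-AdfsRelyingPartyTrust -Name $rpName).ClaimsProviderName)
if ($after.Count -ne 1 -or $after[0] -ne $cpName) {
    throw "Expected ClaimsProviderName to be '$cpName' only, got: $($after -join ', ')"
}
Write-Host "After: $($after -join ', ')"
```

To undo the pin and show the HRD page again, run the same cmdlet with -ClaimsProviderName @().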

I use this to do the trick: https://blog.kloud.com.au/2018/06/14/auto-redirect-adfs-4-0-home-realm-discovery-based-on-client-ip/

Instead of IP, I read the referrer / origin or any other parameter I can inject into the query string. It works!!!

  • Link only answers are notorious for rotting after time (some of mine from '12 have decayed this way). Please add at least a summary of the answer (being aware of copyright) to make this an answer that will last. janv8000 did this. – sysadmin1138 Jul 09 '20 at 18:37