3
votes

I have a SharePoint 2010 web site configured for Claims only as the Relying Party to ADFS. I also have an ASP.NET application configured for Claims using WIF + Extension for SAML 2.0 CTP as the Relying Party to the same ADFS server.

If I navigate to SharePoint, I get redirected to the ADFS server (https://.../adfs/ls?...) and presented with a Windows Login prompt. If I then navigate in the same browser instance to my ASP.NET application, the redirect occurs quickly to the same ADFS server, automatically authenticates, and redirects back to the ASP.NET application without a security prompt. As in How to share authentication context between a SharePoint 2010 Site and ASP.NET applications.

The issue occurs when I embed the ASP.NET application within an IFrame in a SharePoint web part. When starting a new browser instance and navigating to SharePoint, I get the Windows login prompt. As the page loads up to the IFrame I then get a second Windows prompt for the same server for the embedded ASP.NET application. If I cancel the prompt I get a 401 Unauthorized in the IFrame. If I navigate to the ASP.NET application, I am not prompted and it logs in automatically. Navigating back to the SharePoint application, the page will load including the IFrame content without prompts.

The SharePoint Endpoint is using the WS-Federation Passive Endpoint to https://sharepoint:port/_trust/ with binding POST. The ASP.NET application Endpoint is using SAML Assertion Consumer Endpoints https://aspnetapp/ with binding POST and Artifact. The Claims passed from both contain all required for each application.

Does anyone know how to prevent the second login prompt when using an IFrame in SharePoint?

3

3 Answers

1
votes

It now works as expected with single sign-on after updating to System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0 from the now built in WIF classes. I'm assuming there was a compatibility issue with the Microsoft.IdentityModel.Web.Saml2AuthenticationModule SAML 2.0 CTP extension that was never finished.

0
votes

Just a shot in the dark, but assuming the custom ASP.NET application and SharePoint are on two separate machines, then there may be some subtleties regarding Kerberos given that the ASP.NET page is in an IFRAME - it could be that a Kerberos ticket needs to be passed between SharePoint and ASP.NET.

HTH.

0
votes

This is only a guess, but I believe that this is because both sites, the SharePoint site and the embedded ASP.NET site from the iframe, start to load at the same time.

As both are not authenticated, they both go to the ADFS. But because you are not authenticated, the ADFS starts the 401 challenge, asking for the authentication. However, your web browser does not present both login prompts at the same time. Rather, you get the first login prompt and when you successfully log in, from that very moment the ADFS will retain the authentication so that any other site coming for claims will get them for free. But the inner site, the ASP.NET one, has already started the login process! Your browser does not know this and forces you to continue the login.

As a conclusion, my idea would be to have a SharePoint page which requires authentication and which then redirects to ANOTHER page which has the ASP.NET site in an iframe, so that your browser will not try to start the login sequence for both sites at the same time.
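The race this answer describes, as an added example that is not part of any answer above: a simulated IdP (standing in for ADFS) holds one browser-wide session and issues a 401 challenge to every relying party that arrives before that session exists. Two frames that start their redirect at the same moment each see no session and each trigger a prompt; serialising them (outer page first, iframe only afterwards) produces one prompt. The second function shows the browser-side counterpart of the suggested fix: leave the iframe's `src` empty in the markup and assign it after the outer page has loaded. The IdP model, the `browser` object and the `loadIframeAfterOuterPage` helper are all hypothetical names constructed for this illustration.

```javascript
// Hypothetical model of an IdP with a single browser session (constructed for
// this example; it is not ADFS code). A relying party that arrives while
// `sessionCookie` is still null triggers a 401 challenge, i.e. a login prompt.
class SimulatedIdp {
  constructor() {
    this.sessionCookie = null; // set once the user completes a challenge
    this.promptsShown = 0;     // number of 401 challenges the browser surfaced
  }

  // A relying party redirects the browser here. If the browser already carries
  // an IdP session cookie the token is returned at once; otherwise a challenge
  // is issued and the token is only handed back after the user answers it.
  async authenticate(rpName, browser) {
    if (this.sessionCookie) {
      return { rp: rpName, token: `token-for-${rpName}` };
    }
    this.promptsShown += 1;
    await browser.answerChallenge();      // user types credentials
    this.sessionCookie = 'idp-session';   // from now on no further prompts
    return { rp: rpName, token: `token-for-${rpName}` };
  }
}

// The user answers each prompt on a later tick, which is what lets a second
// relying party observe the still-empty session in the concurrent case.
const browser = {
  answerChallenge: () => new Promise((resolve) => setTimeout(resolve, 0)),
};

// Both frames redirect to the IdP at once: two challenges, two prompts.
async function loadConcurrently(idp) {
  await Promise.all([
    idp.authenticate('sharepoint', browser),
    idp.authenticate('aspnet-iframe', browser),
  ]);
  return idp.promptsShown;
}

// Outer page authenticates first, iframe only afterwards: one prompt, the
// second relying party gets its token "for free" from the existing session.
async function loadSequentially(idp) {
  await idp.authenticate('sharepoint', browser);
  await idp.authenticate('aspnet-iframe', browser);
  return idp.promptsShown;
}

// Browser-side counterpart of the fix: the iframe is placed in the page
// without a src and receives it only after the outer page has finished
// loading, i.e. after the outer page's own sign-in round trip is complete.
// `doc` is a parameter so the function can be exercised without a real DOM.
function loadIframeAfterOuterPage(doc, iframeId, src) {
  const frame = doc.getElementById(iframeId);
  if (!frame) throw new Error(`no iframe with id ${iframeId}`);
  frame.setAttribute('src', src);
  return frame.getAttribute('src');
}

// Real-browser usage (skipped outside a browser so the file also runs in Node):
if (typeof window !== 'undefined') {
  window.addEventListener('load', () =>
    loadIframeAfterOuterPage(document, 'aspnetApp', 'https://aspnetapp/'));
}
```

In the simulation `loadConcurrently` reports two prompts and `loadSequentially` one, which is the difference between the iframe starting its WS-Federation/SAML redirect during the outer page's load and starting it once the outer page already holds the ADFS session.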