I have the following configuration:

  1. Some web apps based on Dynamics CRM 2013 and portals based on SharePoint 2010.

  2. Dynamics has claims authentication via ADFS 3.0, SharePoint via ADFS 2.0.

  3. ADFS 3.0 is federated with ADFS 2.0, which is a claims provider trust there, so a user from ADFS 2.0 can sign in everywhere. Both ADFSs are configured to use WS-Federation, not SAML.

  4. ADFS 2.0 has several claims provider trusts: AD and other third-party ADFSs.

  5. ADFS 3.0 is configured to automate home realm discovery on its side, but when the user lands on ADFS 2.0 they see the home realm discovery page there.

The goal is to have home realm discovery as automated as possible.

Main question: is it possible to configure/modify/hack ADFS 3.0 to include the whr parameter with the desired claims provider trust when it redirects to ADFS 2.0?

I debugged with Fiddler, injecting it manually, and this approach works. However, I searched the web for a how-to and had no luck.

Currently I see several solutions:

  1. Add ?whr="<ClaimsProviderId>" to the WS-Federation endpoint, like https://<ADFS2.0URL>/adfs/ls?whr="<ClaimsProviderId>", in the ADFS 3.0 settings. But I'm not sure whether it would work.

  2. Modify onload.js on the ADFS 3.0 side to hardcode a redirect with the whr parameter there.

  3. Make a mod for the home realm discovery page on the ADFS 2.0 side which would analyze the wtrealm parameter from ADFS 3.0 and select the desired claims provider.

Do you have any other ideas?

1 Answer

It will be hard, if possible at all, on the ADFS 3 server itself.
Have you tried adding it in the RP (CRM and SharePoint)? That should work, barring some patch-level solvable issues.

If all users from CRM have to go to the same CP, then your option "3." should work too.
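The realm-to-provider selection that option 3 in the question (and the answer above) describes, as an added example that is not code from the post, from ADFS or from Microsoft. It is a plain JavaScript module that could back a customised HRD page or onload.js: it reads wtrealm/whr from the WS-Federation sign-in request, pre-selects a claims provider only from an allow-list of configured trusts, and builds the onward sign-in URL with whr percent-encoded rather than quoted. All realm and provider identifiers are constructed placeholders.

```javascript
// Added example (not from the post). Realm and provider identifiers are
// constructed placeholders; replace them with the identifiers of the real
// relying party trusts and claims provider trusts.
const REALM_TO_PROVIDER = {
  "https://crm.example.test/": "http://partner-adfs.example.test/adfs/services/trust",
  "urn:sharepoint:portal":     "http://partner-adfs.example.test/adfs/services/trust",
};

// Claims provider trusts actually configured on this STS. Acts as an
// allow-list so a whr value taken from the request can never send the
// user to a provider that is not configured.
const KNOWN_PROVIDERS = new Set(Object.values(REALM_TO_PROVIDER));

// Parse the WS-Federation passive sign-in parameters out of a request URL.
function parseWsFedQuery(url) {
  const params = new URL(url).searchParams;
  return {
    wa: params.get("wa"),
    wtrealm: params.get("wtrealm"),
    whr: params.get("whr"),
    wctx: params.get("wctx"),
  };
}

// Decide which claims provider to pre-select. Precedence:
//  1. an explicit whr that names a configured provider,
//  2. the provider mapped from the relying party's wtrealm,
//  3. null, meaning fall back to the interactive HRD page.
function chooseHomeRealm(url) {
  const q = parseWsFedQuery(url);
  if (q.wa !== "wsignin1.0") return null;
  if (q.whr && KNOWN_PROVIDERS.has(q.whr)) return q.whr;
  const mapped = q.wtrealm ? REALM_TO_PROVIDER[q.wtrealm] : undefined;
  return mapped || null;
}

// Build the sign-in URL to the upstream STS (the /adfs/ls/ endpoint),
// carrying whr and the original wctx. URLSearchParams percent-encodes
// each value; the whr value is not wrapped in quotes.
function buildSignInUrl(stsBase, wtrealm, whr, wctx) {
  const u = new URL("/adfs/ls/", stsBase);
  u.searchParams.set("wa", "wsignin1.0");
  u.searchParams.set("wtrealm", wtrealm);
  u.searchParams.set("whr", whr);
  if (wctx) u.searchParams.set("wctx", wctx);
  return u.toString();
}
```

On a real ADFS 2.0 HRD page the result of chooseHomeRealm would be fed to the page's own selection routine; when it returns null the standard provider list should be shown.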