Question

In my SharePoint 2013 Server farm I have two web applications:

  1. Simple intranet portal (http://portal)
  2. My Sites (http://portal:8080)

The problem is that users have to authenticate to each application. For example, they are exploring application 1, and when they go to application 2 (they click on another user's name and are redirected to My Sites) they have to authenticate again.

I want the login screen to be prompted only once. How can I solve this double authentication problem?

Solution

If you are just using the default Windows authentication this should not be a problem at all - even with claims based authentication. Make sure the SharePoint URLs are in the "Intranet Zone" of the browser and your users should be logged on automatically - even without Kerberos. For this basic scenario you don't need ADFS or any other identity provider.

OTHER TIPS

OR...you could NOT use PORT numbers for your MySite web application and either create a unique URL like http://mysite or http://my (or whatever works for your organization and culture). Then set trusted sites.

OR, If the users are non-domain users (the new domain will trip an auth prompt when you switch hosts) you could create the MySite host under a managed path under the host you already created. Create a Managed Path like http://portal/my and then set up a Wildcard Managed Path for http://portal/my/personal for all of the personal sites.

With this configuration you will only be prompted once.

(I hate seeing port numbers in "public" SharePoint URLs...)

You need to configure ADFS with SharePoint. Essentially it's a type of Claims Authentication, with a conceptual walkthrough mentioned here

This is an excerpt from MSDN that explicitly mentions the flow of a single user from one web app to another in SharePoint

Visiting Two SharePoint Web Applications

In this walkthrough, John visits the a-Portal SharePoint web application and then visits the a-Techs SharePoint web application.

John visits the a-Portal SharePoint web application.
- John browses to the Team site in the a-Portal SharePoint web application.
- John has not yet been authenticated, so SharePoint redirects his browser to ADFS.
- John enters his Adatum domain credentials;
- ADFS validates the credentials, issues a SAML token that contains his claims, and redirects the browser to the SharePoint STS (the "/_trust/" endpoint in the SharePoint web application).
- ADFS also creates an SSO cookie so that it can recognize if it has already authenticated John.
- The SharePoint STS validates the token from ADFS and issues a FedAuth cookie for the a-Portal SharePoint web application that contains a reference to John's claims in the SharePoint token cache.
- SharePoint checks that John has access to the Team site collection, and redirects his browser to the site.


John visits the a-Techs SharePoint web application.
- John browses to the Team site in the a-Techs SharePoint web application.
- John has not yet been authenticated for this SharePoint web application so SharePoint redirects his browser to ADFS.
- ADFS detects the SSO cookie that it issued in step 1-c, and redirects the browser with a new SAML token to the SharePoint STS.
- The SharePoint STS validates the token from ADFS and issues a FedAuth cookie for the a-Techs SharePoint web application that contains a reference to John's claims in the SharePoint token cache.
- SharePoint checks that John has sufficient permissions to access the Team site collection, and redirects his browser to the site.

http://msdn.microsoft.com/en-us/library/hh446525.aspx

This gives you a pretty good overview of what you need to do. In a nutshell:

1) Set up SharePoint on Claims Authentication, each web application authenticating to Active Directory (or a custom provider if you'd rather)

2) Configure the Security Token Service so everyone is on the same page

Not easy to do, but should be workable. Try in a development environment first please as a failure can be pretty fragile to authentication.

Use ADFS authentication; this should solve your problem. Let me know if you need additional information.
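
The ADFS setup the answers above outline (one trusted token issuer shared by both web applications, so ADFS's SSO cookie covers the second visit), as an added PowerShell example that is not code from any poster or from the MSDN guide. The certificate path, ADFS sign-in URL, realm URNs, issuer name and the e-mail identifier claim are assumed placeholders; the matching relying-party trust on the ADFS side must list both realm identifiers.

```powershell
# Added example: run in the SharePoint 2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed placeholders, replace with your own values.
$certPath    = "C:\certs\adfs-token-signing.cer"      # exported ADFS token-signing certificate
$signInUrl   = "https://adfs.example.com/adfs/ls/"    # ADFS passive sign-in endpoint
$portalUrl   = "http://portal"                        # web application 1 from the question
$mySiteUrl   = "http://portal:8080"                   # web application 2 from the question
$portalRealm = "urn:sharepoint:portal"                # realm sent to ADFS for the portal
$mySiteRealm = "urn:sharepoint:mysites"               # realm sent to ADFS for My Sites

# Trust the certificate ADFS uses to sign SAML tokens.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $cert | Out-Null

# Map the incoming claim that identifies the user (assumption: e-mail address).
$emailClaim = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming

# One trusted issuer for the whole farm; its default realm is the portal's.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS" `
    -Description "ADFS for portal and My Sites" `
    -Realm $portalRealm -ImportTrustCertificate $cert `
    -ClaimsMappings $emailClaim -SignInUrl $signInUrl `
    -IdentifierClaim $emailClaim.InputClaimType

# Second web application: same issuer, its own realm, so ADFS issues a
# separate token for My Sites while reusing the SSO cookie it already set.
$issuer.ProviderRealms.Add((New-Object System.Uri($mySiteUrl)), $mySiteRealm)
$issuer.Update()

# Attach the issuer to both web applications. This replaces the provider
# list on the Default zone of each one.
$provider = New-SPAuthenticationProvider -TrustedIdentityTokenIssuer $issuer
foreach ($url in $portalUrl, $mySiteUrl) {
    Set-SPWebApplication -Identity $url -Zone Default -AuthenticationProvider $provider
}

# Check: both realms should be listed on the issuer.
(Get-SPTrustedIdentityTokenIssuer "ADFS").ProviderRealms
```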

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange