Question

Scenario

There is one user store, namely an on-premises AD. ADFS provides authentication for SharePoint 2013 and Power BI.

The custom web app needs to authenticate users from AD. The web app back-end also requires access to the SharePoint REST API.

The objective is to achieve the above using a single sign on. If signed in to any one of the three applications, the user should not have to input credentials for any of the other two. As well, the custom web app displays content from SharePoint (iFrame and REST API) and Power BI (iFrame).

We have tried the following two solutions but have come across an issue in either case.

Solution 1

  • User inputs credentials in the web app.
  • The web app back-end uses these credentials to get a SAML token from ADFS.
  • The web app back-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication and retrieves a FedAuth cookie.
  • The web app back-end uses the FedAuth cookie to make REST API requests to SharePoint.
  • The web app front-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication. This allows SharePoint content in iFrames.

What doesn't work: Navigating to Power BI or including it in an iFrame will redirect the user to the ADFS sign in page. This is because the user has not been authenticated with ADFS in the browser yet.

Solution 2

  • ADFS SSO is used for the custom web app as well.
  • Navigating to any of the three applications redirects the user to the ADFS sign in page.
  • The user inputs their credentials and gets redirected back to the application with a SAML token.
  • Navigating to any of the other two applications will redirect the user to ADFS, which will redirect back to the application with another SAML token without requiring the user to sign in again.
  • This allows for both SharePoint and Power BI content to be included in the web app in iFrames.

What doesn't work: The web app can't make REST API requests to SharePoint using the SAML token received from ADFS for the web app. We have tried to use that SAML token to request another one from ADFS for SharePoint on behalf of the signed-in user. That did not work either. As well, SharePoint 2013 on-premises may not accept an on-behalf-of request.

Question

Is there a way to have SSO for all three applications while also having REST API access to SharePoint from the web app? The user should have to sign in only once, and preferably only in to the web app.

Solution

To provide some background, the SAML token issued by ADFS (or any SAML provider) is specific to the application and will not work when trying to authenticate with other applications, even though the issuer is the same. When an application is trying to authenticate a user, it first sends information that identifies the app. The IdP then uses this information to validate the application and then tries to authenticate the user, either using the sign in page or Kerberos.

When an application is configured to use a SAML provider for authentication, the application redirects you to a login page to enable the user to enter a user name and password. When a computer is within the corporate network, users typically do not see this page because there is a silent Kerberos negotiation to get the currently logged-in user. Only when that fails do users get the login screen.

In your case, the solutions you mentioned will not work. You can use OAuth to access the target application.

a) In order to authenticate with Power BI in your application you need to use a different authentication mechanism. Register your app in Power BI or the Azure portal and then provide the required permissions. This link on MSDN should guide you through the process.

b) For SharePoint you need to register your app and provide the necessary permissions. Depending on what API you are accessing, the permissions required will vary. Please refer to the link here on how to register your application and here for permissions.
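The answer's central point, that an ADFS-issued SAML token is bound to one relying party and is rejected elsewhere even when the issuer is identical, is shown below in a small Python illustration. This is an added example, not code from the original post or from ADFS, SharePoint or Power BI; the issuer and relying-party identifiers are hypothetical, the assertions are constructed samples, and XML signature verification is assumed to have already succeeded before these checks run (a real relying party must verify the signature first).

```python
"""Audience-restriction check on SAML 2.0 assertions.

Added illustration (not from the original post): one token issued for the
SharePoint relying party is presented to both SharePoint and the custom web app.
The identifiers below are hypothetical and the assertions are constructed
samples; signature verification is assumed to have happened before this check.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical identifiers for the parties in the question.
ADFS_ISSUER = "http://adfs.example.local/adfs/services/trust"
SHAREPOINT_RP = "urn:sharepoint:example"
WEBAPP_RP = "urn:webapp:example"


def build_assertion(issuer, audience, name_id, not_before, not_on_or_after):
    """Construct a minimal (unsigned) SAML 2.0 assertion for the sample."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion>"
    )


def _parse_time(value):
    if value is None:
        return None
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, my_audience, now):
    """Return (accepted, reason).

    These are the checks a relying party performs after the signature is
    verified: issuer, validity window, and the audience restriction that
    binds the token to exactly one application.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML 2.0 assertion"

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if not_before is None or not_on_or_after is None:
        return False, "missing validity window"
    if now < not_before or now >= not_on_or_after:
        return False, "assertion outside its validity window"

    # The AudienceRestriction is what makes the token application-specific.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        return False, "missing AudienceRestriction"
    if my_audience not in audiences:
        return False, f"audience mismatch: token is for {audiences}, not {my_audience!r}"

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, f"accepted assertion for {name_id}"


def demo(now=None):
    """Issue one token for SharePoint and present it to both relying parties."""
    now = now or datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    token = build_assertion(
        ADFS_ISSUER, SHAREPOINT_RP, "jdoe@example.local",
        now - timedelta(minutes=5), now + timedelta(minutes=55),
    )
    return {
        "sharepoint": validate_assertion(token, ADFS_ISSUER, SHAREPOINT_RP, now),
        "webapp": validate_assertion(token, ADFS_ISSUER, WEBAPP_RP, now),
    }


if __name__ == "__main__":
    for rp, (ok, why) in demo().items():
        print(f"{rp}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Running the script shows the SharePoint relying party accepting the token and the web app rejecting it with an audience mismatch, which is exactly why forwarding the web app's own token to SharePoint (Solution 2) cannot work; the web app needs a credential issued for the SharePoint REST API, which is what the OAuth app registration in the answer provides.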

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange