Question

On my SharePoint 2013 server I have two web applications:

  1. Simple intranet portal (http://portal)
  2. My Sites (http://portal:8080)

The problem is that users have to authenticate to each application. For example, they are browsing application 1, and when they go to application 2 (they click on another user's name and are redirected to My Sites) they have to authenticate again.

I want the login screen to be prompted only once. How can I solve this double authentication problem?


Solution

If you are just using the default Windows authentication this should not be a problem at all - even with claims based authentication. Make sure the SharePoint URLs are in the "Intranet Zone" of the browser and your users should be logged on automatically - even without Kerberos. For this basic scenario you don't need ADFS or any other identity provider.

Other tips

OR...you could NOT use PORT numbers for your MySite web application and either create a unique URL like http://mysite or http://my (or whatever works for your organization and culture). Then set trusted sites.

OR, If the users are non-domain users (the new domain will trip an auth prompt when you switch hosts) you could create the MySite host under a managed path under the host you already created. Create a Managed Path like http://portal/my and then set up a Wildcard Managed Path for http://portal/my/personal for all of the personal sites.

With this configuration you will only be prompted once.

(I hate seeing port numbers in "public" SharePoint URLs...)

You need to configure ADFS with SharePoint. Essentially it's a type of Claims Authentication with a conceptual walkthrough mentioned here

This is an excerpt from MSDN that explicitly mentions the flow of a single user from one web app to another in SharePoint

Visiting Two SharePoint Web Applications

In this walkthrough, John visits the a-Portal SharePoint web application and then visits the a-Techs SharePoint web application.

John visits the a-Portal SharePoint web application.
- John browses to the Team site in the a-Portal SharePoint web application.
- John has not yet been authenticated, so SharePoint redirects his browser to ADFS.
- John enters his Adatum domain credentials;
- ADFS validates the credentials, issues a SAML token that contains his claims, and redirects the browser to the SharePoint STS (the "/_trust/" endpoint in the SharePoint web application).
- ADFS also creates an SSO cookie so that it can recognize if it has already authenticated John.
- The SharePoint STS validates the token from ADFS and issues a FedAuth cookie for the a-Portal SharePoint web application that contains a reference to John's claims in the SharePoint token cache.
- SharePoint checks that John has access to the Team site collection, and redirects his browser to the site.


John visits the a-Techs SharePoint web application.
- John browses to the Team site in the a-Techs SharePoint web application.
- John has not yet been authenticated for this SharePoint web application so SharePoint redirects his browser to ADFS.
- ADFS detects the SSO cookie that it issued in step 1-c, and redirects the browser with a new SAML token to the SharePoint STS.
- The SharePoint STS validates the token from ADFS and issues a FedAuth cookie for the a-Techs SharePoint web application that contains a reference to John's claims in the SharePoint token cache.
- SharePoint checks that John has sufficient permissions to access the Team site collection, and redirects his browser to the site.

http://msdn.microsoft.com/en-us/library/hh446525.aspx

This gives you a pretty good overview of what you need to do. In a nutshell:

1) Set up SharePoint on Claims Authentication, each web application authenticating to Active Directory (or a custom provider if you'd rather)

2) Configure the Security Token Service so everyone is on the same page

Not easy to do, but should be workable. Try in a development environment first please as a failure can be pretty fragile to authentication.
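
As an added example (not code from this answer or from the MSDN article), the two steps above could be scripted in the SharePoint 2013 Management Shell as follows. The ADFS host name, certificate path, issuer name and realm URNs are assumed values, and both web applications are assumed to be published over HTTPS, which ADFS requires for relying-party endpoints.

```powershell
# Added example. Assumed values (not from the page): ADFS host name, certificate
# path, issuer name and realm URNs. The two web applications from the question
# are assumed to be reachable over HTTPS.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$certPath  = 'C:\certs\adfs-token-signing.cer'     # assumed: exported ADFS token-signing certificate
$signInUrl = 'https://adfs.example.test/adfs/ls/'  # assumed ADFS host
$portalUrl = 'https://portal'                      # intranet portal
$mySiteUrl = 'https://portal:8080'                 # My Sites

# Trust the certificate ADFS uses to sign its SAML tokens.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert | Out-Null

# Map the incoming e-mail claim and use it as the identity claim (assumed choice).
$emailType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$email = New-SPClaimTypeMapping -IncomingClaimType $emailType `
    -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming

# One trusted issuer for the farm; its default realm identifies the portal.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'ADFS' -Description 'ADFS SSO' `
    -Realm 'urn:sharepoint:portal' -ImportTrustCertificate $cert `
    -ClaimsMappings $email -SignInUrl $signInUrl `
    -IdentifierClaim $email.InputClaimType

# A second realm lets ADFS distinguish the My Sites web application, so it can
# issue a separate token for it while reusing its own SSO cookie.
$issuer.ProviderRealms.Add((New-Object System.Uri($mySiteUrl)), 'urn:sharepoint:mysites')
$issuer.Update()

# Attach the same issuer to both web applications. This replaces the providers
# currently configured on the Default zone with the one passed here.
foreach ($url in $portalUrl, $mySiteUrl) {
    Set-SPWebApplication -Identity $url -Zone Default -AuthenticationProvider $issuer
}

# Check: both realms should be listed on the issuer.
Get-SPTrustedIdentityTokenIssuer -Identity 'ADFS' |
    Select-Object Name, DefaultProviderRealm, ProviderRealms
```

On the ADFS side, each realm needs a matching relying party trust whose WS-Federation endpoint is the web application's "/_trust/" URL.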

Use ADFS authentication; this should solve your problem. Let me know if you need additional information.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange