Using SAML Claims in SharePoint 2010 with Host Header Sites


Someone posed an interesting question to me the other day: can you use SAML claims with host header sites in SharePoint 2010?  My initial thought was yes, but I wanted to dig into it a little more to investigate.  The short answer is yes, but it's not quite as pain free as I was hoping for.  For my little sample I created a web application at https://hh.vbtoys.com and two host header sites: https://ash.vbtoys.com and https://josh.vbtoys.com.  While this doesn't fit entirely in the classic model of host header sites (meaning vanity URLs), remember that one of the restrictions with SAML claims and SharePoint is that sites must use SSL.  So rather than having to mess with creating an SSL certificate with Subject Alternative Names (SAN), I decided to simplify life slightly so I could use a wildcard certificate.  It's enough to prove out whether it works and what configuration is needed, but it is hopefully also a good reminder of something to think about if you want to use host header sites and SAML authentication.

So I did a simple test first just to try out the utopia scenario where I could make just one configuration change and have all host header sites just work.  In that case, I did two things:

  1. Created a new relying party in ADFS that used https://hh.vbtoys.com/_trust/ as the WS Fed endpoint and a URN of urn:sharepoint:hh.
  2. Added a provider realm to my existing SPTrustedIdentityTokenIssuer like this:

# Get the existing trusted identity token issuer by name
$ap = Get-SPTrustedIdentityTokenIssuer -identity "ADFS IdP"
# Map the web application's URL to the realm (URN) ADFS expects for it
$uri = new-object System.Uri("https://hh.vbtoys.com")
$ap.ProviderRealms.Add($uri, "urn:sharepoint:hh")
# Persist the change to the configuration database
$ap.Update()

So I tried hitting https://hh.vbtoys.com first and all was good – I got into the site no problem.  Next, in the real test of the utopian scenario, I hit https://ash.vbtoys.com.  Unfortunately, it was not utopian.  I ended up getting redirected to an entirely different SPTrustedIdentityTokenIssuer, so my guess is that SharePoint did a lookup in its list of provider realms, found nothing for https://ash.vbtoys.com, and just grabbed the first SPTrustedIdentityTokenIssuer in my list.

All was not lost, however.  As you can probably imagine at this point, I was able to make both of my host header sites work, but I had to create:

  1. A new relying party in ADFS for each host header site collection
  2. A new provider realm for each host header site collection, added to my SPTrustedIdentityTokenIssuer.  I used the exact same PowerShell I showed above; I just modified the URL and URN for each one.  For example, here's how I added support for https://ash.vbtoys.com:

$ap = Get-SPTrustedIdentityTokenIssuer -identity "ADFS IdP"
# Same pattern as above, with the host header site's URL and its own URN
$uri = new-object System.Uri("https://ash.vbtoys.com")
$ap.ProviderRealms.Add($uri, "urn:sharepoint:ash")
$ap.Update()

The net of this is that by adding a new relying party, and a new provider realm (URI and URN), for each host header site collection, I was able to log into each site using SAML authentication.
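To make the per-site step repeatable, here is an added example script (not from the original post) that adds one provider realm per host header site collection, skips realms that already exist so re-running it is safe, refuses non-SSL URLs, and prints the URN and WS-Federation endpoint that the matching relying party in ADFS must use. It assumes the SharePoint 2010 Management Shell, the issuer name "ADFS IdP" and the site URLs from the post, and the post's urn:sharepoint:<host label> naming convention; the function name is my own.

```powershell
# Added example, not the post's own code. Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-HostHeaderSamlRealm {
    param(
        [Parameter(Mandatory = $true)][string]$IssuerName,
        [Parameter(Mandatory = $true)][string]$SiteUrl
    )
    $uri = New-Object System.Uri($SiteUrl)
    # SAML sign-in in SharePoint 2010 requires SSL, so reject plain-http URLs early
    if ($uri.Scheme -ne "https") {
        throw "SAML claims sites must use SSL: $SiteUrl"
    }
    # Same convention as the post: urn:sharepoint:<first host label>, e.g. urn:sharepoint:ash
    $urn = "urn:sharepoint:" + $uri.Host.Split(".")[0]

    $ap = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    $added = $false
    if ($ap.ProviderRealms.ContainsKey($uri)) {
        # A realm for this exact URI already exists; report it rather than overwrite it
        $urn = $ap.ProviderRealms[$uri]
    } else {
        $ap.ProviderRealms.Add($uri, $urn)
        $ap.Update()
        $added = $true
    }
    # Realm and WS-Fed endpoint must match the relying party created in ADFS for this site
    New-Object PSObject -Property @{
        SiteUrl       = $uri.AbsoluteUri
        Realm         = $urn
        WsFedEndpoint = $uri.AbsoluteUri.TrimEnd("/") + "/_trust/"
        Added         = $added
    }
}

# One call for the web application itself and one per host header site collection
$sites = "https://hh.vbtoys.com", "https://ash.vbtoys.com", "https://josh.vbtoys.com"
$results = $sites | ForEach-Object { Add-HostHeaderSamlRealm -IssuerName "ADFS IdP" -SiteUrl $_ }
$results | Format-Table SiteUrl, Realm, WsFedEndpoint, Added -AutoSize

# Sanity check: list every realm the issuer knows, which is the table SharePoint
# consults before falling back to the first SPTrustedIdentityTokenIssuer
(Get-SPTrustedIdentityTokenIssuer -Identity "ADFS IdP").ProviderRealms |
    Format-Table Key, Value -AutoSize
```

A site URL missing from the final table is the symptom seen in the post: the user is redirected to whichever token issuer comes first rather than to the intended ADFS relying party.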

Comments (3)


  2. Luis Azedo says:

    Hi Steve,

    This sentence is only true if you are using ADFS (I think): "…remember that one of the restrictions with SAML claims and SharePoint is that sites must use SSL". The restriction comes from ADFS, not from SharePoint. If we use a custom implementation instead of ADFS, we can pass SSL requirements and get results for really different domains (www.xpta.com, http://www.xptb.com).

    regards
