SAML Support for SharePoint-Hosted Apps with ADFS 3.0

This is another case where I'm just passing information along here, based on the great work of others. As you probably know, we did not have a good story for SharePoint-hosted apps in a web application that uses SAML authentication with ADFS 2.0. However, I have had reports from a couple of different teams now that they ARE working with ADFS 3.0. The main differences that are needed to make this work include:

  • In ADFS you need to define a wildcard WS-Fed endpoint. For example, normally for a SharePoint web application, in ADFS you create a relying party and set the WS-Fed endpoint to be something like https://www.foo.com/_trust/. To do the same thing with apps, you take your apps namespace - assume it's "contosoapps.com" - and add a WS-Fed endpoint like this: https://*.contosoapps.com/_trust/.
  • Configure the SharePoint STS to send the wreply parameter. You can do that with PowerShell that looks like this:

# Run in the SharePoint 2013 Management Shell. If the farm has more than one
# trusted identity token issuer, pick the ADFS one explicitly with
# Get-SPTrustedIdentityTokenIssuer -Identity "<issuer name>" so $sts is a single object.
$sts = Get-SPTrustedIdentityTokenIssuer
$sts.UseWReplyParameter = $true   # include wreply in the sign-in request sent to ADFS
$sts.Update()                     # persist the change to the configuration database

One other thing to note - the behavior to use the wreply parameter is supposed to be turned on by default in an upcoming CU. I heard it was the April 2014 CU actually but have not had a chance to see if that is really in there or not. It won't hurt to run the PowerShell above though.
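To confirm both halves of the configuration described above, here is an added check script (it is not from the original post). It assumes the SharePoint half runs in the SharePoint Management Shell, the ADFS half runs on the ADFS 3.0 server where Get-AdfsRelyingPartyTrust is available, and that "contosoapps.com" stands in for your real app domain.

```powershell
# Added verification script, not part of the original post.

# --- SharePoint side: every trusted identity token issuer should send wreply ---
function Test-SPWReplySetting {
    foreach ($sts in Get-SPTrustedIdentityTokenIssuer) {
        [pscustomobject]@{
            Issuer             = $sts.Name
            UseWReplyParameter = $sts.UseWReplyParameter
            Ok                 = [bool]$sts.UseWReplyParameter
        }
    }
}

# --- ADFS side: some relying party must carry the wildcard WS-Fed endpoint ---
# The wildcard host is what lets ADFS accept the per-app host that SharePoint
# puts in wreply; anything else (http, a different path, no wildcard) is flagged.
function Test-AdfsAppWsFedEndpoint {
    param([Parameter(Mandatory)][string]$AppDomain)   # e.g. "contosoapps.com"

    # Compare as a string so the check does not depend on how the Uri type
    # represents a "*" host.
    $expected = "https://*.$AppDomain/_trust/"
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $ep = [string]$rp.WSFedEndpoint
        if (-not $ep) { continue }   # relying parties without a WS-Fed endpoint (e.g. SAML-P only)
        [pscustomobject]@{
            RelyingParty  = $rp.Name
            WSFedEndpoint = $ep
            Ok            = ($ep.TrimEnd('/') -ieq $expected.TrimEnd('/'))
        }
    }
}

# Example usage (each function on the server where its cmdlets exist):
# Test-SPWReplySetting | Format-Table -AutoSize
# Test-AdfsAppWsFedEndpoint -AppDomain 'contosoapps.com' | Format-Table -AutoSize
```

A row with Ok = False on the SharePoint side means the PowerShell above has not been run (or not run against that issuer); on the ADFS side it means no relying party yet has the wildcard endpoint for the app domain.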

This is good news, thanks for those of you that shared your experiences!