Developing Low Trust Provider Hosted Apps with SAML Authentication in SharePoint 2013

Low trust provider hosted apps in a SAML secured SharePoint web application is a scenario that did not work when SharePoint 2013 was released.  Things have changed fortunately, so here's a quick run down on what you need to do in order to build these apps on premises.  The first thing you need to do is to apply the April 2014 CU or later.

Once you’ve applied that you’ll need to decide how you want to configure authentication on your provider hosted apps.  Generally you’ll find the best approach is to use a single host for your provider hosted apps, install each app into its own subdirectory, and use an authentication mechanism that is the same as you use for your SharePoint web applications.  There may be cases where you might not want to do that; for example, if your SharePoint web applications use multi-factor authentication, you may not want your users to have to enter their credentials again – twice – when they use an app that is part of a SharePoint site to which they’ve already authenticated.  As explained in the beginning, that’s okay – you can use a different authentication mechanism if needed for your low trust provider hosted app because the user identity is maintained by SharePoint even after the user authenticates to the app.

When the provider hosted environment is configured, the next thing you need to do is create a ServicePrincipal with your Office 365 tenant.  The Office 365 tenant uses a special version of Access Control Services (ACS) that is responsible for providing the tokens (context, refresh and access) that low trust SharePoint apps use to authenticate and authorize with SharePoint.  The process overall is described in greater detail in this blog post:  More importantly, MSDN has published instructions and a script you can use to create the ServicePrincipal and configure it to allow the ServicePrincipal to issue tokens to a SharePoint web application.  You can find the MSDN article here:  When you create your ServicePrincipal, you need to add the hostname of every SharePoint web application in which you want to use apps to a collection of SPNs on the ServicePrincipal, i.e. ServicePrincipal.ServicePrincipalNames.  In the MSDN article it includes a script at the bottom that will enumerate all of the web applications in your farm and add the hostname of each one to the ServicePrincipalNames collection.  However, if you add a new web application in the future, you also need to remember to go and add the hostname of the new web application to the ServicePrincipalNames collection.  If you don’t do that, then apps that are installed in that web application will not be able to get a valid token.

Another option that can be used so you don’t have to revisit your ServicePrincipalNames collection is to add a wildcard.  If all of your SharePoint web applications use a common domain for the host name then you can just add a wildcard for the domain.  For example, if you have two web applications – and – then you can just add a "*" wildcard to the ServicePrincipalNames collection.  Here’s a PowerShell example of how to do that:


#you will be prompted to enter the credentials of an o365 Global Admin here



$p = Get-MsolServicePrincipal -AppPrincipalId $spoid

$spns = $p.ServicePrincipalNames


Set-MsolServicePrincipal –AppPrincipalId $spoid –ServicePrincipalNames $spns


After you’ve completed creating and configuring the ServicePrincipal, you can begin deploying your low trust provider hosted applications on SharePoint web applications that are secured with SAML authentication.

Comments (3)
  1. Weikko says:

    Hi Steve, thanks for a great blog, really appreciate the articles!

    We are planning to use SharePoint Provider Hosted Apps and to secure our SharePoint web application with SAML authentication using ADFS.

    We will have a subsystem that trusts tokens from the same ADFS. We are going to make calls to the subsystem from our SharePoint Provider Hosted Apps. However I have found that the identity management in the low trust apps are focused on ACS and the OAuth flow
    for accessing SharePoint. We would need to call the sub system from the Provider Hosted Apps with a Federated identity provided by our ADFS.

    Is it possible to manage identity from ADFS in a Low Trust Provider Hosted App?



  2. Anonymous says:

    Como cada primero de mes, os dejo una nueva edición del recopilatorio de recursos y enlaces interesantes

  3. m88 says:

    m88 : offer online sports games Asia, Sports Betting Asia, Sports Betting Sites Asia.

    m88asia :
    Link to M88BET phone: – Register and Open Betting Account and Membership M88BET.

    m88bet :
    MANSION88 the house is one of the largest and most prestigious. Appeared quite early in the Asian market, the so-MANSION88 currently attracts more players.

    link m88 :
    Home the M88 is the official sponsor of the football club in the Premier League
    Wish you happy with the new M88
    m88 casino online :

Comments are closed.

Skip to main content