Najwan975
Copper Contributor
May 28, 2022

SharePoint OneDrive on-premises integrated with ADFS

Hi,

I would like to clarify a point regarding the OneDrive on-premises deployment. We are planning to have OneDrive on-premises integrated with ADFS to provide an SSO and MFA experience.

To integrate SharePoint with ADFS we followed the article below:

https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/implement-saml-based-authentication-in-sharepoint-server


We have configured a web application with Windows authentication and extended the same web app to use ADFS authentication.

We noticed that if we log in to the main web app using a user called Test1, a personal site is created as follows: http://onedrive.xxx.com/me/test1


If we log in to the extended web app with the same user using ADFS authentication, a new personal site is created as follows:

http://onedrive.xxx.com/me/Test11


Is this normal behavior? I was expecting to access the same content with the same user regardless of the authentication method.

When checking the UPS (User Profile Service) I can see two profiles for the same user as follows:


i:05.t|xxx.com|test@xxx.com

xxx\test

Please, I need to understand this point to see if this is normal or if we are missing something.


  • mr_w1nst0n
    Iron Contributor

    Najwan975, this is the expected behavior.

    When you use different authentication methods (NTLM and ADFS), SharePoint treats the accounts as unique even if the same person is behind them, and therefore it duplicates the entry, as you have spotted yourself in the UPS service.

    For SharePoint they are two completely different users.

    It is good practice to provide only one authentication method for end users.

    I used to keep NTLM active only for SP service accounts and give the extended ADFS URL to end users.

    If you let end users access both, you will quickly end up with permission issues everywhere.


    • najwan
      Copper Contributor
      Thanks for your reply.

      You are right, this is what we found so far, and this presents another challenge, since the OneDrive app cannot work with ADFS authentication, and if we allow it on the network with NTLM, people accessing this application will not have access to their content.

      Unless we go and edit the newly created profile and grant the personal site a secondary owner with Windows authentication.
      But this will take too much work on the back end, especially if we have a large number of users.
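
The post above describes doing this by hand for every personal site. The script below is an added example, not code from this thread or from Microsoft, showing how the same workaround can be automated with the SharePoint Server and ActiveDirectory PowerShell modules. It first decodes SharePoint's claims-encoded logins (the reason `i:05.t|xxx.com|test@xxx.com` and `xxx\test` are two different users to SharePoint), then, for every personal site owned by a Windows identity, grants the same person's SAML identity secondary ownership. Everything beyond the two UPS strings and the `http://onedrive.xxx.com/me/...` URLs quoted in the thread is an assumption: that the trusted identity token issuer is named `xxx.com` and issues the e-mail address as its identity claim, that the e-mail ADFS sends is the AD `mail` attribute of the Windows account, and that the personal sites live under the `me` managed path. The function names `ConvertFrom-SPClaimLogin` and `Get-SPSamlLoginForWindowsAccount` are the example's own, not SharePoint cmdlets.

```powershell
<#
  Added example, not from the thread or from Microsoft.
  For every OneDrive personal site owned by a Windows (NTLM) identity, grant the same
  person's ADFS (SAML) identity secondary ownership so they reach the same content
  through the extended web application instead of getting a second site provisioned.
  Assumptions (not stated in the thread):
    - My Site host is http://onedrive.xxx.com with personal sites under /me/;
    - the SPTrustedIdentityTokenIssuer is named "xxx.com" and its identity claim is
      the e-mail address, matching the UPS entry i:05.t|xxx.com|test@xxx.com;
    - the e-mail ADFS sends is the AD 'mail' attribute of the Windows account.
  Run on a SharePoint server as a farm administrator; supports -WhatIf / -Verbose.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$MySiteHostUrl     = 'http://onedrive.xxx.com',   # assumption
    [string]$TrustedIssuerName = 'xxx.com'                    # assumption
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory -ErrorAction Stop

# Decode SharePoint's claims-encoded login strings:
#   i:0#.w|XXX\test              issuer type 'w' (Windows), claim type '#' (logon name)
#   i:05.t|xxx.com|test@xxx.com  issuer type 't' (trusted/SAML), claim type '5' (e-mail)
# Different issuer type or claim value means a different SPUser, hence the two UPS
# profiles. A classic-mode login such as xxx\test has no prefix and is reported as 'classic'.
function ConvertFrom-SPClaimLogin {
    param([Parameter(Mandatory)][string]$Login)

    if (-not ($Login -match '^[ic]:0(?<ctype>.)(?<vtype>.)(?<itype>[a-z])\|(?<rest>.*)$')) {
        return [pscustomobject]@{ IssuerType = 'classic'; ClaimType = 'logon'; Issuer = $null; Value = $Login }
    }
    $claimTypes = @{ '#' = 'logon'; '5' = 'email'; '-' = 'role'; '!' = 'identityprovider'; '+' = 'groupsid' }
    $ctype     = $Matches['ctype']
    $claimType = if ($claimTypes.ContainsKey($ctype)) { $claimTypes[$ctype] } else { "unknown($ctype)" }
    $issuer    = $null
    $value     = $Matches['rest']
    # Trusted (t) and forms (f) issuers carry an issuer-name segment; Windows (w) does not.
    if ($Matches['itype'] -in 't', 'f') { $issuer, $value = $value -split '\|', 2 }
    [pscustomobject]@{ IssuerType = $Matches['itype']; ClaimType = $claimType; Issuer = $issuer; Value = $value }
}

# The identity claim ADFS will present for a given Windows account. Assumption: the AD
# 'mail' attribute is what the trusted issuer sends as the e-mail identity claim.
function Get-SPSamlLoginForWindowsAccount {
    param([Parameter(Mandatory)][string]$DomainAccount, [Parameter(Mandatory)][string]$IssuerName)
    $sam    = ($DomainAccount -split '\\', 2)[-1]
    $adUser = Get-ADUser -Identity $sam -Properties mail -ErrorAction Stop
    if (-not $adUser.mail) { throw "No mail attribute on $DomainAccount; cannot map it to a SAML identity" }
    $principal = New-SPClaimsPrincipal -Identity $adUser.mail -TrustedIdentityTokenIssuer $IssuerName
    return $principal.ToEncodedString()     # e.g. i:05.t|xxx.com|test@xxx.com
}

# Walk the personal sites under the My Site host (site template SPSPERS*).
$personalSites = Get-SPSite -Limit All | Where-Object {
    $_.Url -like "$MySiteHostUrl/me/*" -and $_.RootWeb.WebTemplate -like 'SPSPERS*'
}
foreach ($site in $personalSites) {
    try {
        $owner = ConvertFrom-SPClaimLogin -Login $site.Owner.UserLogin
        if ($owner.IssuerType -notin 'w', 'classic') { continue }   # already SAML-owned: nothing to map

        $samlLogin = Get-SPSamlLoginForWindowsAccount -DomainAccount $owner.Value -IssuerName $TrustedIssuerName
        if ($site.SecondaryContact -and $site.SecondaryContact.UserLogin -eq $samlLogin) { continue }

        if ($PSCmdlet.ShouldProcess($site.Url, "Set secondary owner to $samlLogin")) {
            Set-SPSite -Identity $site -SecondaryOwnerAlias $samlLogin
            Write-Verbose "$($site.Url): secondary owner set to $samlLogin"
        }
    } catch {
        Write-Warning "$($site.Url): $_"     # one bad mapping must not stop the whole run
    } finally {
        $site.Dispose()
    }
}
```

Run it first with `-WhatIf -Verbose` and spot-check a few of the proposed `ShouldProcess` lines; `ConvertFrom-SPClaimLogin 'i:05.t|xxx.com|test@xxx.com'` on its own is a quick way to confirm the issuer name and claim type your farm actually uses before trusting the mapping. The security-relevant caveat is that a secondary owner has full control of the site, so the Windows-account-to-e-mail mapping must come from an authoritative source (here the AD `mail` attribute) and never from a user-editable profile field; a wrong mapping hands someone else's OneDrive to the wrong SAML identity. This only covers ownership of the personal sites themselves; the earlier point in the thread about permission problems elsewhere when users sign in through both methods still applies.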
      • mr_w1nst0n
        Iron Contributor

        najwan

        Just to clarify one point.

        The OneDrive app does not support SSO/ADFS authentication.

        The OneDrive for Business app (the one you can download directly when accessing SharePoint on-premises) should support SSO/ADFS (unless something changed).

        Which version of the OneDrive app are you using in the environment?
