ADAL ADFS + SharePoint

Alexander Adelmann

Hi everyone,

I have the following task: connect to a SharePoint 2016 site which is secured by ADFS using an Angular client.

The parties I have are:

* Angular JS client application using ADAL
* WCF middleware also using AuthenticationContext
* ADFS on Server 2016
* SharePoint 2016 Server

The flow of my setup is as follows (diagram: adfsflow.png):

1) The user opens a site. He gets redirected to ADFS and enters his credentials.
2) I get a token back from ADFS which looks good. The audience is a Native App which I configured on ADFS. I also have no errors in the event log on the ADFS server.
3) The Angular app calls my WCF API and sends the token.
4) The WCF creates a UserAssertion object and tries to obtain a token to access SharePoint using ClientContext.
----- Error happens here ------
5) I should get back another token valid for accessing SharePoint.
6) I use ClientContext to get data from the SP site.
7) SP returns the info.
8) The WCF sends the data to the client, which displays it for the user.


The problem is that after step 4 I get one of these errors:

* AADSTS50013: Assertion contains an invalid signature. [Reason - The key was not found
* MSIS9605: The client is not allowed to access the requested resource
* MSIS9602: The received 'resource' parameter is invalid. The authorization server can not find a registered resource with the specified identifier


In the ADFS Management Console I created an Application Group. In this group I have a Server Application where I specified the client ID and redirect URI. These settings are used in the Angular app.

I also have a Web API Application in the group. There I configured my IIS site and SharePoint site as relying party identifiers.


I obviously don't fully understand the connection of my applications to SharePoint.

Can anybody help me out here?

Thx,
Alex

1 Reply
Solution

Ok, so just for closure:

I did not get the setup running like I wanted it to. I still do not know if the flow with ADFS involved can be done the way I tried it.

So here is how I managed to solve my problem anyway:

Client:

I used an Azure app to get an ID token of the current user, which I parsed to get the Azure AD login name of that user.

Server:

I used the OfficeDevPnP.Core.AuthenticationManager to call the GetADFSUserNameMixedAuthenticatedContext function and did everything within the context of the provided (elevated) user. I then did the security trimming myself, by checking if the current user (see client) has the needed permissions on a specific list item, for example.

This is not very fast I guess, as I have to loop through all list items I get (because I am running the code as admin) and then check each one for the permissions and sort it out if the user should not be allowed to see it.

I am not really happy with the solution I finally came up with, but that was the solution I was able to implement after many days of research, anger, tears, questioning life...

So in case somebody else has the same problem: if you find a proper solution, please contact me. If not, feel free to use the same workaround as I did.

Regards,
Alex
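The workaround described in the reply above, written out as an added example (this is not code from the original post or from the PnP project): open the CSOM context as the elevated ADFS service account through the PnP `GetADFSUserNameMixedAuthenticatedContext` overload, then trim the list items with `GetUserEffectivePermissions` for the calling user. Two things differ from the post's description. First, all permission lookups for a list are queued and sent in one `ExecuteQuery`, so the loop costs a single round trip to SharePoint instead of one per item. Second, the login name used for trimming is a parameter that the WCF service is assumed to have derived from a token it validated itself (signature, issuer, audience, expiry); if the service accepts a user name that the browser client extracted from an ID token, any caller can name a more privileged user and the elevated context will read on that user's behalf. The site URL, STS host, relying-party identifier, list title and the claims-encoded login format `i:0e.t|adfs|user@contoso.com` are assumptions for illustration.

```csharp
// Added example, not part of the original post. Requires the
// Microsoft.SharePointOnline.CSOM (or SharePoint 2016 CSOM) and
// SharePointPnPCore2016 NuGet packages.
using System;
using System.Collections.Generic;
using Microsoft.SharePoint.Client;
using OfficeDevPnP.Core;

public static class TrimmedListReader
{
    // Placeholder values (assumptions): site, ADFS host and the relying-party
    // identifier SharePoint was registered with on ADFS.
    private const string SiteUrl = "https://sp.contoso.local/sites/app";
    private const string Sts     = "adfs.contoso.local";
    private const string IdpId   = "urn:sharepoint:sp2016";

    // Opens the elevated context. The credentials are the service account's,
    // never the end user's; they should come from a protected store, not config.
    public static ClientContext OpenElevatedContext(string svcUser, string svcPassword, string domain)
    {
        var am = new AuthenticationManager();
        return am.GetADFSUserNameMixedAuthenticatedContext(SiteUrl, svcUser, svcPassword, domain, Sts, IdpId);
    }

    // loginName is the caller's claims-encoded SharePoint login, for an ADFS
    // e-mail identity claim from a trusted provider named "adfs" it looks like
    // "i:0e.t|adfs|alex@contoso.com" (assumed format). It must be derived on the
    // server from a validated token, not taken as a plain client parameter.
    public static IReadOnlyList<ListItem> ReadVisibleItems(ClientContext ctx, string listTitle, string loginName)
    {
        if (string.IsNullOrWhiteSpace(loginName))
            throw new ArgumentException("caller login name is required", nameof(loginName));

        // Read the items as the elevated account (no trimming yet).
        List list = ctx.Web.Lists.GetByTitle(listTitle);
        ListItemCollection items = list.GetItems(CamlQuery.CreateAllItemsQuery());
        ctx.Load(items, c => c.Include(i => i.Id, i => i["Title"]));
        ctx.ExecuteQuery();

        // Queue one effective-permission lookup per item, then send them all
        // in a single batch instead of one ExecuteQuery per item.
        var checks = new List<(ListItem Item, ClientResult<BasePermissions> Perms)>();
        foreach (ListItem item in items)
            checks.Add((item, item.GetUserEffectivePermissions(loginName)));
        ctx.ExecuteQuery();

        // Keep only what the caller could see if SharePoint trimmed for them.
        var visible = new List<ListItem>();
        foreach (var (item, perms) in checks)
        {
            if (perms.Value.Has(PermissionKind.ViewListItems))
                visible.Add(item);
        }
        return visible;
    }

    // Typical call from a WCF operation; callerLogin comes from the token the
    // service validated for this request.
    public static IReadOnlyList<ListItem> ReadForCaller(string callerLogin)
    {
        using (ClientContext ctx = OpenElevatedContext("svc-sp", "<secret>", "CONTOSO"))
        {
            return ReadVisibleItems(ctx, "Documents", callerLogin);
        }
    }
}
```

`CreateAllItemsQuery()` returns every item and will hit the list view threshold on large lists; page with a `RowLimit` and `ListItemCollectionPosition` and run the batched permission check per page. The elevated context stays a confused-deputy risk whatever the trimming does, so the service should expose only the read operations it needs and log which caller each elevated query was made for.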
