Multiple Trusted Identity Token Issuers


I have a SharePoint 2013 farm and added two Trusted Identity Token Issuers with the cmdlet New-SPTrustedIdentityTokenIssuer. They have different URLs.

I have two Web Applications in the farm. For their Internet zone, I have configured a Trusted Identity Token Issuer as the authentication provider. Specifically, my configuration looks as follows:

  • Web Application 1, Internet Zone Authentication Provider: Trusted Identity Token Issuer named "ADFS-TEST"
  • Web Application 2, Internet Zone Authentication Provider: Trusted Identity Token Issuer named "ADFS-PROD"

When I browse the Web Application on a client machine by their Internet zone Url, I expect the following result (I am not yet authenticated):

  • Web Application 1 redirects me to the login Url of Trusted Identity Token Issuer named "ADFS-TEST"
  • Web Application 2 redirects me to the login Url of Trusted Identity Token Issuer named "ADFS-PROD"

However, the result differs from what I expected. I could reproduce the same behaviour on another farm with the same SharePoint version and build/CU. The result I get is as follows:

Both Web Applications redirect me to the Url of the Trusted Identity Token Issuer named "ADFS-PROD".


After checking the configuration, I came up with the assumption that SharePoint determines the Url to redirect the user to by getting all Trusted Identity Token Issuers of the farm, sorting them by their name and picking the first. I was able to confirm my assumption by:

  1. Removing both Trusted Identity Token Issuers from the farm.
  2. Adding the Trusted Identity Token Issuers again, but with the names "ADFS-TEST" and "ADFS-ZPRD".

The expectation under my assumption was: I should now be redirected to the Url of the Trusted Identity Token Issuer named "ADFS-TEST", since it comes first when sorting them alphabetically. When testing, the result was exactly as expected.

I am not saying that SharePoint determines the Url of the Trusted Identity Token Issuer exactly as described above, but it does not pick the Url of the Trusted Identity Token Issuer that is set for the Internet zone of the respective Web Application. However, I think the latter should be the case.


Is this a bug? Am I missing something? Any suggestions on what I can try to get this working as expected? I didn't find a Docs article or the like saying that this is an unsupported scenario.


Many thanks for your inputs in advance.

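The following is an added diagnostic script for the scenario described in the post; it is not code from the original post or from Microsoft. It assumes the SharePoint 2013 Management Shell on a farm server with farm-administrator rights. Steps 1 and 2 only read configuration: they list every trusted identity token issuer with the sign-in URL SharePoint stores for it, and for each web application and zone show which claims providers are bound and whether an explicit sign-in redirect URL is set. Step 3 is a suggestion rather than something the post confirms: it pins each Internet zone to its own issuer with `Set-SPWebApplication -SignInRedirectProvider`, which writes that issuer's `ProviderUri` into the zone's `ClaimsAuthenticationRedirectionUrl` so the zone no longer depends on farm-wide default sign-in handling. The web application URLs in step 3 are placeholders; the issuer names are the ones from the post.

```powershell
# Added diagnostic script, not code from the original post.
# Assumption: run in the SharePoint 2013 Management Shell on a farm server,
# as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Every trusted identity token issuer in the farm, in the order SharePoint
#    returns them. ProviderUri is the sign-in URL users get redirected to.
Write-Host "== Trusted Identity Token Issuers =="
Get-SPTrustedIdentityTokenIssuer |
    Select-Object Name, ProviderUri, ProviderRealm |
    Format-Table -AutoSize

# 2. For every web application and every configured zone: which claims
#    providers are bound to the zone, and whether an explicit sign-in redirect
#    URL is set. An empty RedirectUrl means the zone relies on SharePoint's
#    default sign-in handling instead of a zone-specific redirect.
Write-Host "== Zone authentication bindings =="
$rows = foreach ($wa in Get-SPWebApplication) {
    foreach ($zone in $wa.IisSettings.Keys) {
        $settings  = $wa.IisSettings[$zone]
        $providers = ($settings.ClaimsAuthenticationProviders |
            ForEach-Object { $_.DisplayName }) -join ", "
        [PSCustomObject]@{
            WebApplication = $wa.DisplayName
            Zone           = $zone
            ZoneUrl        = $wa.GetResponseUri($zone).AbsoluteUri
            UsesTrusted    = $settings.UseTrustedClaimsAuthenticationProvider
            Providers      = $providers
            RedirectUrl    = $settings.ClaimsAuthenticationRedirectionUrl
        }
    }
}
$rows | Format-Table -AutoSize

# 3. Suggested check, not confirmed by the post: pin each Internet zone to its
#    own issuer's sign-in page so the redirect no longer depends on farm-wide
#    ordering. The web application URLs below are placeholders; the issuer
#    names are the ones from the post. Re-run step 2 afterwards and confirm
#    RedirectUrl now equals the intended issuer's ProviderUri.
$pinning = @{
    "http://webapp1.example.com" = "ADFS-TEST"   # placeholder URL
    "http://webapp2.example.com" = "ADFS-PROD"   # placeholder URL
}
foreach ($entry in $pinning.GetEnumerator()) {
    $wa     = Get-SPWebApplication -Identity $entry.Key
    $issuer = Get-SPTrustedIdentityTokenIssuer -Identity $entry.Value
    Set-SPWebApplication -Identity $wa -Zone Internet -SignInRedirectProvider $issuer
    Write-Host ("Pinned Internet zone of '{0}' to issuer '{1}' ({2})" -f
        $wa.DisplayName, $issuer.Name, $issuer.ProviderUri)
}
```

Step 3 changes web application settings and is propagated to every web front end, so run it on a test farm first and clear browser cookies (including the FedAuth cookie) before re-testing, otherwise an existing session may mask the redirect behaviour.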