You are currently reviewing an older revision of this page.
Go to current version


Consider the situation where you have a SharePoint 2010 site secured by AD FS 2.0 and you have a partner that accesses this application that also uses AD FS 2.0.

Partner <----> Your <-----> SharePoint
 AD FS               AD FS                  2010

The SharePoint sites are configured to use both Windows Authentication and Claims.  In a typical scenario, the user in the partner network would do the following:

  • Browse to the SharePoint 2010 site
  • Be prompted to choose an authentication method (Windows Authentication or Claims)
    • Chooses Claims
  • Be prompted for the home realm
    • Chooses their AD FS server
  • Possibly be prompted for Domain Credentials
  • Be redirected and logged in to SharePoint

This has the user promtped 2-3 times in order to log into SharePoint.  A better experience would be to have the user click a link and be automatically logged into SharePoint.

Automatic Logon

One way to automate the logon is to use query string parameters to identify where the user is coming from and where the user is going.  Take the same scenario as above.

Partner <----> Your <-----> SharePoint
 AD FS               AD FS                   2010

Your AD FS:    adfs.contoso.com
SharePoint:    sp.contoso.com 
Partner AD FS:    adfs.adatum.com

Using the WHR, WTREALM & WCTS query string parameters, we can accomplish a automatic single signon.

Sample URL


Broken Down

Your AD FS endpoint:   https://adfs.contoso.com/adfs/ls/ 
Action (sign in):   ?wa=wsignin1.0
Which Home Realm:   &whr=http://adfs.adatum.com/adfs/services/trust
Identifier for Relying Party:   &wtrealm=https://sp.contoso.com/
URL to go to:   &wctx=https://sp.contoso.com/_layouts/Authenticate.aspx

With the targeted URL, this would be the new flow of traffic.

  • Browse to the customized URL
  • Be redirected to their AD FS server (since WHR is specified)
  • Possibly be prompted for Domain Credentials*
  • Be redirected and logged in to SharePoint (since WTREALM & WCTX are specified)

*Being prompted for credentials depends on if the site is determined to be a part of the Internet, Local Intranet, Trusted Sites, or Restricted Sites and the user authentication method selected for that zone.  See the article below for more details.

How to use security zones in Internet Explorer


WS-Federation: Passive Requestor Profile

wsignin1.0 Request Message

How to use security zones in Internet Explorer

Revert to this revision