Consider the situation where you have a SharePoint 2010 site secured by AD FS 2.0 and a partner, who also uses AD FS 2.0, that accesses this application.

Partner AD FS <----> Your AD FS <-----> SharePoint 2010

The SharePoint sites are configured to use both Windows Authentication and Claims. In a typical scenario, the user in the partner network would do the following:
This prompts the user 2-3 times in order to log into SharePoint. A better experience would be for the user to click a link and be logged into SharePoint automatically.
*Whether the user is prompted for credentials depends on whether the site is determined to be part of the Internet, Local Intranet, Trusted Sites, or Restricted Sites zone and on the user authentication method selected for that zone. See the article in the links section for more details.
One way to automate the logon is to use query string parameters to identify where the user is coming from and where the user is going. Take the same scenario as above.

Partner AD FS <----> Your AD FS <-----> SharePoint 2010
Using the WHR, WTREALM and WCTX query string parameters, we can accomplish an automatic single sign-on.
https://adfs.contoso.com/adfs/ls/?wa=wsignin1.0&whr=http://adfs.adatum.com/adfs/services/trust&wtrealm=https://sp.contoso.com/&wctx=https://sp.contoso.com/_layouts/Authenticate.aspx
With the targeted URL, this would be the new flow of traffic.
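The following is an added example, not code from the original post, that builds the targeted sign-in URL above with the parameter values percent-encoded, parses it back, and checks that the wtrealm is a configured relying party and that the wctx return page belongs to it. The KNOWN_RELYING_PARTIES allowlist is a hypothetical stand-in for the relying-party trusts configured in your AD FS.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Values taken from the article's example (contoso = your org, adatum = partner).
STS_ENDPOINT = "https://adfs.contoso.com/adfs/ls/"
PARTNER_REALM = "http://adfs.adatum.com/adfs/services/trust"
SHAREPOINT_REALM = "https://sp.contoso.com/"
RETURN_PAGE = "https://sp.contoso.com/_layouts/Authenticate.aspx"

# Hypothetical allowlist standing in for the relying-party trusts configured
# in your AD FS; a real deployment reads this from the AD FS configuration.
KNOWN_RELYING_PARTIES = {SHAREPOINT_REALM}


def build_signin_url(sts, whr, wtrealm, wctx):
    """Build a WS-Federation passive (wsignin1.0) URL that pre-selects the home realm.

    whr     - the partner's claims provider (home realm), so the HRD page is skipped
    wtrealm - the relying party (the SharePoint web application) the token is for
    wctx    - context handed back to the relying party after sign-in (SharePoint
              uses it as the page to return to)
    The values are percent-encoded so that ':' '/' and '?' inside them survive.
    """
    params = {"wa": "wsignin1.0", "whr": whr, "wtrealm": wtrealm, "wctx": wctx}
    return f"{sts}?{urlencode(params)}"


def parse_signin_request(url):
    """Return the wsignin1.0 parameters of a sign-in URL as a dict, or raise."""
    query = parse_qs(urlsplit(url).query)
    params = {name: values[0] for name, values in query.items()}
    if params.get("wa") != "wsignin1.0":
        raise ValueError("not a wsignin1.0 request")
    if "wtrealm" not in params:
        raise ValueError("wtrealm is required to identify the relying party")
    return params


def is_valid_relying_party(params):
    """Defensive check on the STS side: the wtrealm must be a configured relying
    party and the wctx return page must be served by that same host, so the
    STS only ever sends the user and token back to a destination it trusts."""
    realm = params["wtrealm"]
    ctx = urlsplit(params.get("wctx", ""))
    return (realm in KNOWN_RELYING_PARTIES
            and ctx.scheme == "https"
            and ctx.netloc == urlsplit(realm).netloc)
```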
Links:

WS-Federation: Passive Requestor Profile
http://msdn.microsoft.com/en-us/library/bb608217.aspx

wsignin1.0 Request Message
http://msdn.microsoft.com/en-us/library/cc236491(v=PROT.13).aspx

How to use security zones in Internet Explorer
http://support.microsoft.com/kb/174360