Scenario
There is one user store, namely an on-premises AD. ADFS provides authentication for SharePoint 2013 and Power BI.
The custom web app needs to authenticate users from AD. The web app back-end also requires access to the SharePoint REST API.
The objective is to achieve the above using a single sign-on. If signed in to any one of the three applications, the user should not have to input credentials for either of the other two. As well, the custom web app displays content from SharePoint (iFrame and REST API) and Power BI (iFrame).
We have tried the following two solutions but have come across an issue in either case.
Solution 1
- The user inputs credentials in the web app.
- The web app back-end uses these credentials to get a SAML token from ADFS.
- The web app back-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication and retrieves a FedAuth cookie.
- The web app back-end uses the FedAuth cookie to make REST API requests to SharePoint.
- The web app front-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication. This allows SharePoint content in iFrames.
What doesn't work: Navigating to Power BI or including it in an iFrame will redirect the user to the ADFS sign-in page. This is because the user has not been authenticated with ADFS in the browser yet.
Solution 2
- ADFS SSO is used for the custom web app as well.
- Navigating to any of the three applications redirects the user to the ADFS sign-in page.
- The user inputs their credentials and gets redirected back to the application with a SAML token.
- Navigating to either of the other two applications will redirect the user to ADFS, which will redirect back to the application with another SAML token without requiring the user to sign in again.
- This allows for both SharePoint and Power BI content to be included in the web app in iFrames.
What doesn't work: The web app can't make REST API requests to SharePoint using the SAML token received from ADFS for the web app. We have tried to use that SAML token to request another one from ADFS for SharePoint on behalf of the signed-in user. That did not work either. As well, SharePoint 2013 on-premises may not accept an on-behalf-of request.
Question
Is there a way to have SSO for all three applications while also having REST API access to SharePoint from the web app? The user should have to sign in only once, and preferably only into the web app.
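Added example (not code from the question, nor from ADFS or SharePoint): the messages behind Solution 1, steps 2 to 4, built and parsed offline in Python. The ADFS host name, the SharePoint realm and the sample ADFS response are constructed placeholders; POSTing these payloads and carrying the resulting FedAuth cookie on REST calls is where a real HTTP client goes.

```python
# Added example, not code from the question: the WS-Trust and WS-Federation messages behind
# Solution 1 (credentials -> SAML 1.1 token from ADFS -> FedAuth cookie from SharePoint /_trust/),
# built and parsed offline. Host names, realm and the sample ADFS response are constructed.
import re
from xml.sax.saxutils import escape

ADFS_ENDPOINT = "https://adfs.example.com/adfs/services/trust/13/usernamemixed"  # constructed host
SP_REALM = "urn:sharepoint:webapp"  # constructed; must equal the relying-party identifier in ADFS
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

def build_rst(username: str, password: str) -> str:
    """SOAP 1.2 RequestSecurityToken (WS-Trust 1.3) carrying a WS-Security UsernameToken."""
    return f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
 <s:Header>
  <a:Action s:mustUnderstand="1">{WST13}/RST/Issue</a:Action>
  <a:To s:mustUnderstand="1">{ADFS_ENDPOINT}</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <o:UsernameToken><o:Username>{escape(username)}</o:Username><o:Password>{escape(password)}</o:Password></o:UsernameToken>
  </o:Security>
 </s:Header>
 <s:Body>
  <t:RequestSecurityToken xmlns:t="{WST13}">
   <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>{SP_REALM}</a:Address></a:EndpointReference></wsp:AppliesTo>
   <t:KeyType>{WST13}/Bearer</t:KeyType>
   <t:RequestType>{WST13}/Issue</t:RequestType>
   <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  </t:RequestSecurityToken>
 </s:Body>
</s:Envelope>"""

def extract_assertion(rstr_xml: str) -> str:
    """Cut the signed <saml:Assertion> out of the ADFS response byte-for-byte: re-serialising it
    through an XML library can change whitespace or namespace prefixes and break the signature."""
    m = re.search(r"<saml:Assertion\b.*?</saml:Assertion>", rstr_xml, re.S)
    if m is None:  # ADFS answers bad credentials with a SOAP Fault that carries no token
        raise ValueError("no SAML assertion in ADFS response")
    return m.group(0)

def build_wsfed_form(assertion_xml: str, wctx: str = "/") -> dict:
    """Fields to POST to <sharepoint>/_trust/: SharePoint 2013 expects the token inside a WS-Trust
    2005/02 RequestSecurityTokenResponse in 'wresult' and answers with Set-Cookie: FedAuth=..."""
    wresult = ('<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
               f"<t:RequestedSecurityToken>{assertion_xml}</t:RequestedSecurityToken>"
               "</t:RequestSecurityTokenResponse>")
    return {"wa": "wsignin1.0", "wresult": wresult, "wctx": wctx}

# Constructed stand-in for the RSTR collection ADFS returns (a real one holds a fully signed assertion).
SAMPLE_RSTR = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><t:RequestSecurityTokenResponseCollection xmlns:t="{WST13}">
<t:RequestSecurityTokenResponse><t:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed-id" Issuer="http://adfs.example.com/adfs/services/trust"><saml:AttributeStatement/><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>
</t:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""
```

The FedAuth cookie SharePoint returns for that POST is then sent as a Cookie header on `/_api/` REST requests, which is step 4 of Solution 1.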