ADFS Single-Sign-On for SharePoint 2013 on-premises, Power BI and custom web app?

Question

Scenario

There is one user store, namely an on-premises AD. ADFS provides authentication for SharePoint 2013 and Power BI.

The custom web app needs to authenticate users from AD. The web app back-end also requires access to the SharePoint REST API.

The objective is to achieve the above using a single sign-on. If signed in to any one of the three applications, the user should not have to input credentials for any of the other two. As well, the custom web app displays content from SharePoint (iFrame and REST API) and Power BI (iFrame).

We have tried the following two solutions but have come across an issue in either case.

Solution 1

• User input credentials in the web app.
• The web app back-end uses these credentials to get a SAML token from ADFS.
• The web app back-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication and retrieves a FedAuth cookie.
• The web app back-end uses the FedAuth cookie to make REST API requests to SharePoint
• The web app front-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication. This allows SharePoint content in iFrames.

What doesn't work: Navigating to Power BI or including it in an iFrame will redirect the user to the ADFS sign in page. This is because the user has not been authenticated with ADFS in the browser yet.

 

Solution 2

• ADFS SSO is used for the custom web app as well.
• Navigating to any of the three applications redirects the user to the ADFS sign-in page
• The user inputs their credentials and gets redirected back to the application with a SAML token.
• Navigating to any of the other two applications will redirect the user to ADFS, which will redirect back to the application with another SAML token without requiring the user to sign in again.
• This allows for both SharePoint and Power BI content to be included in the web app in iFrames.

What doesn't work: The web app can't make REST API request to SharePoint using the SAML token received from ADFS for the web app. We have tried to use that SAML token to request another one from ADFS for SharePoint on behalf of the user signed in. That did not work either. As well, SharePoint 2013 on-premises may not accept an on behalf of request.

Question

Is there a way to have SSO for all three applications while also having REST API access to SharePoint from the web app? The user should have to sign in only once, and preferably only into the web app 

Answer 1

The best way to achieve what you are looking for is to register a web application through the Azure Active Directory and then grant permissions to users by application, tenant, or policies. Steps:

• Go to Azure dashboard

• Click on Azure active directory

• Click on App registrations

• Create a new web application, and the application ID which gets generated is the service principal ID

• Go to Certificates and secrets, create a new client secret, and then a password is generated which is the service principal key

• Go to Azure Data Lake Store and give all access to the application which is created for generating the service principal key

   

For more clarification on how to create an Azure Active Directory tenant to use with Power BI, refer to this documentation: https://docs.microsoft.com/en-us/power-bi/developer/create-an-azure-active-directory-tenant

For more clarification on Embed Power BI content into an application for your customers, refer to this documentation:

https://docs.microsoft.com/en-us/power-bi/developer/embed-sample-for-customers

Also, enroll in Power BI course to become proficient in this BI tool and clear Power BI Microsoft certification exam.