Monday, July 31, 2006

One of the tricks you can do with the Active Directory Federation Services (ADFS) home realm discovery process is to get a user to skip the home realm discovery page completely by embedding a query string in the application URL that tells ADFS which realm to use.  The query string is:

whr=xxxxxx

where xxxxxx is the federation URI of the partner (which they tell you when you set up your federation, or you create when you are setting up your test lab).  That typically looks like:

urn:federation:myorganization

Thus, the whole URL might look like:

http://www.joekaplan.net/?whr=urn:federation:myorganization

(no, this site is not federation-enabled and won't be any time soon...)

Using these home realm query strings is very handy, not only for getting your own organization's users to the target app quicker by allowing them to skip a page that may potentially have many choices, but also just for testing.  The query string overrides the persistent cookie you may have that identifies your home realm, so you can use this to avoid having to delete your cookies all the time.

However, if you want to refer to the resource partner's account store with this trick, you don't use the resource partner's federation URI.  Instead, you use the "built-in" URI:

urn:federation:self

I'm sure this is probably documented somewhere (or maybe not; the ADFS docs have a ways to go...), but I had to figure it out the hard way and I thought I'd share.
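As an added illustration (not code from the original post), here is a small Python helper that builds the `whr` link the way the post describes: it replaces any `whr` already in the application URL, and it only accepts either `urn:federation:self` or a federation URI from the list of account partners you have actually configured, so a typo or an arbitrary realm never reaches the federation service. The application URL and the partner list are constructed sample values.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The "built-in" realm that refers to the resource partner's own account store.
SELF_REALM = "urn:federation:self"


def whr_url(app_url: str, realm: str, known_partner_uris) -> str:
    """Return app_url with whr=<realm> appended so the ADFS home realm
    discovery page is skipped (the query string also overrides the
    persistent home realm cookie).

    realm must be urn:federation:self or one of the configured account
    partner federation URIs; anything else is rejected. An existing whr
    value in app_url is replaced rather than duplicated.
    """
    if realm != SELF_REALM and realm not in known_partner_uris:
        raise ValueError(f"unknown home realm: {realm!r}")
    parts = urlsplit(app_url)
    # keep_blank_values so an existing empty parameter is not silently dropped
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "whr"]
    query.append(("whr", realm))
    # safe=":" keeps the urn:federation:... colons readable, as in the post
    return urlunsplit(parts._replace(query=urlencode(query, safe=":")))


def home_realm_of(app_url: str):
    """Read the whr value back out of a URL (None when it is absent)."""
    params = dict(parse_qsl(urlsplit(app_url).query, keep_blank_values=True))
    return params.get("whr")


if __name__ == "__main__":
    # Constructed sample: one configured account partner.
    partners = {"urn:federation:myorganization"}
    print(whr_url("http://www.joekaplan.net/", "urn:federation:myorganization", partners))
    print(whr_url("http://www.joekaplan.net/?page=1&whr=stale", SELF_REALM, partners))
```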

Monday, July 31, 2006 4:57:52 PM (Central Daylight Time, UTC-05:00)

Monday, July 31, 2006 9:28:46 PM (Central Daylight Time, UTC-05:00)
Yep, it's documented. I just picked up that trick by reading the docs - I included it in an article I submitted last week for MSDN Mag, a dev's intro to ADFS.

Glad to see you're getting into this space - ADFS has been a topic of particular interest to me this year.
Monday, July 31, 2006 10:46:50 PM (Central Daylight Time, UTC-05:00)
Cool, looking forward to reading what you had to say. I was thinking of proposing something as well, but I'll wait to see what's left.

I've already run into a few interesting things here at work such as integrating the LS with RSA ClearTrust to get SecurID login that I'll probably blog about soon. SecurID integration (although not necessarily with ClearTrust) came up a few times at TechEd. I think I know another way to do it with the ACE client too.

I'm also about to dive into some LS pages customization and a custom claims module, so I'll probably document that stuff too. Digging ADFS though--it is like a playground of all my favorite stuff (ASP.NET, directories, security, crypto, etc.).
Friday, August 04, 2006 6:38:49 AM (Central Daylight Time, UTC-05:00)
Nice to see you blogging.

Nice tip with this attribute, I've missed it in the docs if it is there (and Keith is saying that it is).

ADFS is a nice piece of technology and I'm trying to push it a little on my "backyard". Nice to have another source of information.