In previous blog entries we have discussed adding ADFS and SAML claims to a SharePoint 2013 environment. Most examples work with a single Host Name Site Collection (HNSC), and for that case everything works fine. However, what if you want to add more than one HNSC? Then there are a few extra steps we have to take.
- SharePoint 2013 and ADFS 2.0 Installation Guide
- Lab Environment
- Install Windows Certificate Authority
- ADFS Prerequisites
- How to Install and Configure ADFS 2.0
- Configure User Profile Service for ADFS 2.0
- Configure Search to Crawl Web Applications Using Claims and ADFS 2.0
- Configure People Picker to resolve ADFS Identities
- Adding Host Name Site Collections to Existing Web Application Configured to use ADFS 2.0
- Validate Configuration with “Claims Viewer Web Part”
In my current lab I have a single Relying Party that I set up for my main site (https://spt.2008r2.local). I can navigate to this site just fine and log in properly with SAML claims.
I also have an HNSC created for my Enterprise Search Center (https://search.2008r2.local). Unfortunately, when I navigate to this page I don't get the expected result.
When trying to navigate to the search center we are redirected back to the main root site. It appears that because SharePoint can't match the requested site against the Provider Realms set up previously, it simply picks the first one in the list and defaults to it.
Create New Relying Party
While not ideal, there is a solution for this problem. We simply need to create a Relying Party within ADFS for each HNSC we want to be able to navigate to. To create a Relying Party we follow the exact same steps we followed to create the initial party discussed here. The only difference is that we substitute the URL of the new HNSC and create a new realm for it.
Add URL and Realm to TokenIssuer
Once we've created the new Relying Party we just need to add its URL and realm to the existing SPTrustedIdentityTokenIssuer. On one of your SharePoint servers, launch the SharePoint Management Shell as an administrator.
Using the "Get-SPTrustedIdentityTokenIssuer" cmdlet, grab your current provider.
$tp = Get-SPTrustedIdentityTokenIssuer -Identity "<Your Provider name here>"
Now add the URL and Realm of the newly created Relying Party to your existing TokenIssuer.
$uri = New-Object System.Uri("<your HNSC URL>")
$tp.ProviderRealms.Add($uri, "<your Realm for the newly created Relying Party>")
$tp.Update()
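Putting the steps above together, as an added example that is not from the original post: a script for the SharePoint Management Shell that maps several HNSC URLs to their realms in one pass, reports any URL that is already mapped instead of overwriting it, and lists the resulting mappings so you can confirm each realm matches the Relying Party identifier created in ADFS. The provider name, URL and realm values are placeholders.

```powershell
# Added example (not from the original post): register several HNSC realms on the
# existing SPTrustedIdentityTokenIssuer, then list the mappings for verification.
# Assumption: $providerName and the URL/realm pairs are placeholders for this lab;
# replace them with your token issuer name and the Relying Party identifiers from ADFS.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName = "ADFS Provider"                    # placeholder: your SPTrustedIdentityTokenIssuer name
$realmMap = @{                                     # HNSC URL -> ADFS Relying Party identifier (realm)
    "https://search.2008r2.local" = "urn:sharepoint:search"   # placeholder realm value
}

$tp = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
if (-not $tp) { throw "Trusted identity token issuer '$providerName' not found." }

foreach ($entry in $realmMap.GetEnumerator()) {
    $uri = New-Object System.Uri($entry.Key)
    if ($tp.ProviderRealms.ContainsKey($uri)) {
        # A stale or mistyped realm here is what sends users to the first realm in
        # the list, so surface the existing value rather than silently replacing it.
        Write-Warning ("{0} is already mapped to realm '{1}'" -f $uri, $tp.ProviderRealms[$uri])
        continue
    }
    $tp.ProviderRealms.Add($uri, $entry.Value)
    Write-Host ("Added {0} -> {1}" -f $uri, $entry.Value)
}
$tp.Update()

# Verification: every HNSC should appear with the realm of its own Relying Party.
$tp.ProviderRealms.GetEnumerator() | ForEach-Object { "{0} -> {1}" -f $_.Key, $_.Value }
```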
You should now be able to navigate to the original site as before, as well as to the other site for which we created the new Relying Party.