How to craft a ProxyRule for the R12.52 SP1 Agent for SharePoint to prevent the Microsoft SharePoint Prompt to select a Trusted Identity Provider.

Document ID : KB000010782
Last Modified Date : 14/02/2018
Introduction:

Using rules within the ProxyRules.xml configuration file with the R12.52 SP1 Agent for SharePoint 2013 can prevent users from being prompted by SharePoint to select a Trusted Identity Provider (TIP) when the SharePoint Application is configured with multiple Trusted Identity Providers.

Background:

When configuring a SharePoint Connection from SSO to SharePoint via the SharePoint Connection Wizard, the "UserIdentifier" defined for the connection defines the "UPN" for the Legacy Resource Partnership created by the Wizard. All User Directories that are configured within the SharePoint Connection must contain the "UPN" attribute defined for the Resource Partnership. If a Directory does not contain the attribute defined for the Resource Partnership's "UPN", the Assertion Generator will fail to generate the Assertion and the request will fail.

If a second (or subsequent) User Directory configured in the Single Sign On Domain for SharePoint does not contain the "UPN" attribute defined for the Resource Partnership, and the attribute cannot be added to that directory, a new SharePoint Connection must be created with its "UserIdentifier" set to an attribute that exists in that directory. The "new" Trusted Identity Provider is then added to the Application in the SharePoint Central Administrative Console. Single Sign On can then generate the Assertion based on the "new" Resource Partnership and its associated "UPN".

Please refer to the following KB article, which explains this situation:

TEC1111344

When multiple Trusted Identity Providers are configured in SharePoint for the same Application, SharePoint prompts the user to select the Trusted Identity Provider (TIP) that should perform the authentication. This is the same prompt users receive when the Application supports both Windows Authentication and "Claims Authentication" in the SharePoint Central Administrative Console. The selections shown in the Microsoft prompt are named after the Trusted Identity Providers configured for the Application, and the list also includes Microsoft's Windows Authentication if that is configured.

During the SharePoint login flow, the user follows several "302" redirects, one of which is the "prompt" to select the Trusted Identity Provider (TIP) and/or Windows Authentication if configured. To prevent this Microsoft SharePoint prompt from being presented to your users, the ProxyRules.xml file can be "crafted" to handle part of the "login" process: the FORWARD rules supply the proper SharePoint URL and "trust" parameter, so the login request(s) are forwarded to SharePoint with the proper Trusted Identity Provider (TIP) already selected.

The Single Sign On "ProxyRules" thereby decide which Trusted Identity Provider to use for the request, instead of SharePoint determining the "trust" through its 302 redirects, which prevents the additional prompt from Microsoft SharePoint at login time.

Environment:
R12.52 SP1 Agent for SharePoint 2013
Instructions:

The following is an "EXAMPLE" ProxyRules.xml file, which is provided as is. This example uses the "SMAUTHDIRNAME" default Single Sign On HEADER to determine the proper SharePoint Connection, and builds the appropriate URLs with the appropriate "trust" for the associated User Directory. Please use this "Example" as a guide when crafting the appropriate login rules in your environment.

<nete:proxyrules xmlns:nete="http://FQDN_SHAREPOINTAGENT_SERVER/" debug="yes">
  <nete:cond type="header" headername="SMAUTHDIRNAME">

    <!-- Check if AD authenticated and use the AD TIP -->
    <nete:case value="AD_USER_DIR_NAME">
      <nete:xprcond>
        <!-- If it is an authentication URL, handle the destination -->
        <nete:xpr>
          <nete:rule>^/_login/default.aspx\?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx(.*)</nete:rule>
          <nete:result>https://FQDN_SHAREPOINT_SERVER:PORT/_trust/default.aspx?trust=NAME_OF_THE_AD_TIP&amp;ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx$1</nete:result>
        </nete:xpr>
        <!-- Any other URL is forwarded unchanged -->
        <nete:xpr-default>
          <nete:forward>https://FQDN_SHAREPOINT_SERVER:PORT$0</nete:forward>
        </nete:xpr-default>
      </nete:xprcond>
    </nete:case>

    <!-- Else DB2 authenticated -->
    <nete:default>
      <nete:xprcond>
        <!-- If it is an authentication URL, handle the destination -->
        <nete:xpr>
          <nete:rule>^/_login/default.aspx\?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx(.*)</nete:rule>
          <nete:result>https://FQDN_SHAREPOINT_SERVER:PORT/_windows/default.aspx?trust=NAME_OF_THE_DB2_TIP&amp;ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx$1</nete:result>
        </nete:xpr>
        <!-- Any other URL is forwarded unchanged -->
        <nete:xpr-default>
          <nete:forward>https://FQDN_SHAREPOINT_SERVER:PORT$0</nete:forward>
        </nete:xpr-default>
      </nete:xprcond>
    </nete:default>

  </nete:cond>
</nete:proxyrules>


NOTES: The "<nete:result></nete:result>" lines shown above "MUST" each be on a single line; do not wrap them in the file.

The "ReturnUrl" for SharePoint 2010 is a different path (ReturnUrl=%2f_layouts%2fAuthenticate.aspx), and the ProxyRules should be modified accordingly.

The following placeholders in the example above must be replaced with values from your environment:

FQDN_SHAREPOINTAGENT_SERVER - The Fully Qualified Domain Name of the Agent for SharePoint system.

AD_USER_DIR_NAME - The name of the SSO User Directory definition used to authenticate the user, as returned in the default "SMAUTHDIRNAME" HEADER.

NOTE: Please ensure the 'LegacyVariables' ACO parameter is set to "No".

FQDN_SHAREPOINT_SERVER:PORT - The Fully Qualified Domain Name and port of the SharePoint system.

NAME_OF_THE_AD_TIP - The name (trust) of the Trusted Identity Provider used for users authenticated against the AD User Directory.

NAME_OF_THE_DB2_TIP - The name (trust) of the Trusted Identity Provider used for users authenticated against the other (DB2) User Directory.
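Before deploying a crafted ProxyRules.xml it is worth checking offline that the file is well-formed and that each login URL is rewritten to the intended "trust" for each directory. The checker below is an added example, not code from the KB article or from the Agent for SharePoint; it re-implements only the subset of ProxyRules semantics used above (a header condition with case/default, xprcond with regex rule/result, an xpr-default forward, and $0/$1 back-references) and assumes rules are matched against the request path plus query string. The host sp.example.com, the directory name CorpAD and the TIP names AD_TIP and DB2_TIP are sample values.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://FQDN_SHAREPOINTAGENT_SERVER/}"  # URI bound to the nete: prefix in the article

# Constructed copy of the article's rules; host, directory and TIP names are sample values.
RULES_XML = r"""<nete:proxyrules xmlns:nete="http://FQDN_SHAREPOINTAGENT_SERVER/" debug="yes">
<nete:cond type="header" headername="SMAUTHDIRNAME">
<nete:case value="CorpAD"><nete:xprcond><nete:xpr>
<nete:rule>^/_login/default.aspx\?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx(.*)</nete:rule>
<nete:result>https://sp.example.com:443/_trust/default.aspx?trust=AD_TIP&amp;ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx$1</nete:result>
</nete:xpr><nete:xpr-default><nete:forward>https://sp.example.com:443$0</nete:forward></nete:xpr-default>
</nete:xprcond></nete:case>
<nete:default><nete:xprcond><nete:xpr>
<nete:rule>^/_login/default.aspx\?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx(.*)</nete:rule>
<nete:result>https://sp.example.com:443/_windows/default.aspx?trust=DB2_TIP&amp;ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx$1</nete:result>
</nete:xpr><nete:xpr-default><nete:forward>https://sp.example.com:443$0</nete:forward></nete:xpr-default>
</nete:xprcond></nete:default>
</nete:cond></nete:proxyrules>"""

def well_formed(rules_xml):
    """True if the file parses; a closing tag missing its '>' makes this False."""
    try:
        ET.fromstring(rules_xml)
        return True
    except ET.ParseError:
        return False

def expand(template, match):
    """Substitute $0 (whole match) and $1..$9 (capture groups) into a result/forward template."""
    return re.sub(r"\$(\d)", lambda ref: match.group(int(ref.group(1))), template)

def evaluate(rules_xml, headers, request_uri):
    """Return the URL the agent forwards to; rules are matched against path plus query string."""
    cond = ET.fromstring(rules_xml).find(NS + "cond")
    value = headers.get(cond.get("headername"), "")
    # the nete:case whose value equals the header value wins, otherwise nete:default applies
    branch = next((c for c in cond.findall(NS + "case") if c.get("value") == value), None)
    if branch is None:
        branch = cond.find(NS + "default")
    xprcond = branch.find(NS + "xprcond")
    for xpr in xprcond.findall(NS + "xpr"):
        match = re.match(xpr.findtext(NS + "rule"), request_uri)
        if match:  # login URL: rewrite to the TIP-specific SharePoint URL
            return expand(xpr.findtext(NS + "result"), match)
    # no login rule matched: xpr-default forwards the original URI as $0
    forward = xprcond.find(NS + "xpr-default").findtext(NS + "forward")
    return expand(forward, re.match(r".*", request_uri))
```

Running evaluate() with the SMAUTHDIRNAME value of each directory against a captured /_login/default.aspx request shows which "trust" each user population will be sent to without the SharePoint prompt.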

Additional Information:

TEC1111344