Tuesday, February 26, 2013

Bypassing the Office 365 Login to SharePoint Online using FBA via ADFS with SSO

Scenario
The current environment is as follows:
  • Office 365 is configured for SSO with ADFS 2.0
  • ADFS is running forms-based authentication (FBA) using a custom domain (@mydomain.com)
  • Office 365 version is E3 Plan
  • SharePoint Online TeamSites is implemented and accessible via mydomain.sharepoint.com
  • Navigating to mydomain.sharepoint.com prompts the user for the Office 365 login. Entering user@mydomain.com provides a link to log in at the domain. Clicking the link presents the sign-in form on the ADFS server.


Desired Results
Present a link that will take the user directly to the FBA login and then authenticate them to SharePoint Online. Once logged in, SharePoint Online is presented via mydomain.sharepoint.com. There is no Office 365 login presented.


Solution
If you don't mind having a long URL (which can be easily added to an anchor tag in HTML), here is a solution for the desired results:

  1. Log out of Office 365, Windows Live, etc.
  2. In a new browser, enter the SharePoint Online address (e.g. mydomain.sharepoint.com).
  3. Enter a domain user (e.g. steve@mydomain.com) into the Office 365 login. A link appears to log in to the domain.
  4. Click on the link.
  5. Copy the current URL from the browser and paste it into Notepad (or another text editor).
  6. Remove the &username portion in the beginning (e.g. &username=steve%40mydomain.com).
  7. The URL at this point will work, but I did see issues when having other people test it. Therefore, also remove "%252F%255Fforms%252Fdefault%252Easpx", which appears in the URL after the sharepoint%252Ecom (or whatever your .com is).
The resultant URL should be generic now and take users directly to the FBA form to log in to SharePoint Online. The user must have a SharePoint Online license assigned in Office 365 as well as have Read access to the main team site.
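
Steps 6 and 7 as a small script, added here as an illustration and not part of the original post. The sample URL, the host sts.mydomain.com and the parameter layout are constructed assumptions; substitute the URL you copied in step 5.

```python
import re
from urllib.parse import unquote

# Double-encoded "/_forms/default.aspx" fragment named in step 7.
FORMS_SUFFIX = "%252F%255Fforms%252Fdefault%252Easpx"

# Constructed sample of a URL copied in step 5 (host and parameters are assumptions).
SAMPLE_CAPTURED_URL = (
    "https://sts.mydomain.com/adfs/ls/?wa=wsignin1.0"
    "&username=steve%40mydomain.com"
    "&wtrealm=urn:federation:MicrosoftOnline"
    "&wctx=wreply%3Dhttps%253A%252F%252Fmydomain%252Esharepoint%252Ecom"
    "%252F%255Fforms%252Fdefault%252Easpx"
)


def make_generic_login_url(captured: str) -> str:
    """Apply steps 6 and 7 to the URL copied in step 5."""
    # Step 6: drop "&username=<value>" up to the next parameter.
    url = re.sub(r"&username=[^&#]*", "", captured, count=1)
    # Step 7: drop the fragment by plain substring removal, so the rest of
    # the nested, double-encoded value is left byte-for-byte unchanged.
    url = url.replace(FORMS_SUFFIX, "", 1)
    # Check before sharing: no sign-in name may remain in the link.
    if "username=" in url.lower() or "%40" in url or "@" in url:
        raise ValueError("URL still carries a user identifier")
    return url


def decode_layers(value: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly to show what a nested value really says."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


if __name__ == "__main__":
    generic = make_generic_login_url(SAMPLE_CAPTURED_URL)
    print(generic)
    print(decode_layers(FORMS_SUFFIX))  # what step 7 removes
    print(decode_layers(generic))       # where the link sends the user back to
```

Decoding the result before publishing the link confirms that it returns users to your own SharePoint Online site and that no individual's sign-in name is embedded in it.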


 

10 comments:

  1. Hi Steve,

    HAPPY NEW YEAR!

    Thank you very much for sharing a great article. Are your steps posted above the solution to the challenge we are having below?
    • We are using Project Online with SharePoint Online with Office 365.
    • We are trying to find a solution to brand or (if branding is not possible) get rid of the Office 365 login page.
    • What we are trying to achieve is:
    • 1. Users click on a link, say: https://abc.sharepoint.com/project1/
    • 2. Instead of seeing Office 365 login page, we would like them to be able to see the login page with our own brand or a login box to enter username and password.

    Sincerely, we really appreciate your kind help.

    Charlotte Tang
    charlottetang10@hotmail.com

    Replies
    1. Yes. My steps will solve your problem but you must have forms-based authentication implemented in ADFS.

  2. Thank you! I found this very useful. Works perfectly.

  3. Hi Steve,

    This is great information. Our environment is very similar. This is what ours looks like:

    Office 365 is federated through Okta
    Office 365 version is E3 Plan
    SharePoint Online TeamSites is implemented and accessible via mydomain.sharepoint.com
    Navigating to mydomain.sharepoint.com prompts the user for Office 365 login. Entering user@mydomain.com provides a log in screen; once the user authenticates through Office 365 they are in.

    Do you know of a way to bypass the authentication through Office 365 if our federation is through a third party (Okta)?

    Thanks,
    Ga-Hsin

    Replies
    1. You would probably need to discuss with Okta.

  4. Hi Steve,

    I read the FBA article in your blog. It really impressed me.

  5. Dear Steve Mann,

    Would you mind showing me how to configure forms-based authentication implemented in ADFS for SharePoint?

    Many thanks,
    David

    Replies
    1. I haven't done this in a while. I remember there being a ton of steps. I believe I have screenshots that you may be able to glean the process from.

  6. Can you share your screenshots with me? I have one SharePoint 2013 web app with mixed authentications (Windows, FBA and SAML token-ADFS). Now SAML users have Single Sign On (SSO) for all SharePoint sites and SharePoint-hosted Apps. Is it possible for FBA users to also have SSO? If so, please show me the guides. Thanks

    Replies
    1. Send me an email.

      Steve at stevethemanmann.com
