So you’re using Federated Identities with SharePoint Online…
You may have noticed that every 1-2 days you have to re-authenticate to SharePoint Online. This is the result of an Office 365 security feature that defines a 10 hour SharePoint cookie expiration. This authentication behavior is different to BPOS SharePoint Online, where users would be prompted to authenticate one time only. If you have come from BPOS, this change in SharePoint authentication behavior is probably undesirable. If you were excited about a transparent ‘single sign-on’ experience with AD FS 2.0 and Office 365, you might even be a little disappointed.
The solution to the problems described above? Deploy Smart Links.
In short, Smart Links provide users with an improved login experience when accessing any browser based Office 365 services, including SharePoint Online. The result is a seamless and faster authentication experience. There is an Office 365 wiki article that describes what a Smart Link is, as well as an overview of the process to generate them.
This post will hopefully make your Smart Link deployment a bit easier by explaining the Smart Link generation and deployment process in detail. The method described is a little different to the Office 365 wiki method and is more efficient if you have to create a large number of Smart Links.
Note: If a Single Sign-on experience is your goal, Smart Links are only useful when you’re using AD FS with Integrated Windows authentication. If you’re using Forms Based authentication, you will gain the advantages of a faster authentication experience and eliminate the home-realm discovery process, but SSO will not work. In other words, SSO will work for users on your internal network that are authenticating with the AD FS farm servers, but not for external users that authenticate via the AD FS proxy.
Generating Smart Links
1. Install Fiddler
2. Open Fiddler and enable HTTPS decryption
3. Open Internet Explorer, clear the cookies and restart the browser
4. Using Internet Explorer, navigate to an Office 365 SharePoint site
5. At the Office 365 Login Prompt, enter your username, check the boxes ‘Remember me’ and Keep me signed in’ and then click ‘Sign in at <yourdomain>’
6. Return to Fiddler and locate the 302 redirection session. Right-click on the 302 session, click ‘Copy’ and click ‘Just Url’
7. Open Notepad and paste the string copied in step 6. It should look something like:
https://federation.domain.com.au/adfs/ls/?cbcxt=mai&vv=&username=david.ross%40domain.com.au&mkt=&lc=3081&wa=wsignin1.0& wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D1%26wa%3D wsignin1%252E0%26rpsnv%3D2%26ct%3D1348618157%26rver%3D6%252E1%252E6206%252 E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fdomain%252Esharepoint%252Ecom %252F%255Fforms%252Fdefault%252Easpx%26lc%3D3081%26id%3D500046%26cbcxt%3Dmai %26wlidp%3D1%26guest%3D1%26bk%3D1348618158
8. Remove everything between ‘…/adfs/ls/?‘ and ‘wa=wsignin…‘, and everything after ‘…wreply%3D‘. The string now looks like:
https://federation.domain.com.au/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:Microsoft Online&wctx=MEST%3D0%26LoginOptions%3D1%26wa%3Dwsignin1%252E0%26rpsnv%3D2 %26ct%3D1348618157%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3D
This is the base URL that will be used to create the Smart Links, whether you’re creating 1, or 100.
9. Next, we need to convert the SharePoint site URLs to double encoded URLs. We need to do this for all SharePoint sites that you would like to create Smart Links for. Use the following table as a reference:
|ASCII Character||Double-Encoded Value|
The following table contains some examples of URLs and their double-encoded URL equivalent:
10. To complete the Smart Link, simply append the double encoded string to the base URL that was previously created. The end result will be a Smart Link that looks something like:
https://federation.domain.com.au/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:Microsoft Online&wctx=MEST%3D0%26LoginOptions%3D1%26wa%3Dwsignin1%252E0%26rpsnv%3D2% 26ct%3D1348618157%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3D https%253A%252F%252Fcompany%252Esharepoint%252Ecom
Deploying Smart Links
Once we have generated our Smart Links, we can deploy them using a 302 redirection service and a vanity URL. The method described below uses IIS 7 to provide the redirection service, although there are solutions that can provide this service.
1. Create a DNS record for your vanity URLs and point them to the IIS server
2. On the IIS Server, open IIS Manager
3. Right-click on the ‘Sites’ node and select ‘Add Web Site’
4. Enter a ‘Site name’. e.g. Finance Smart Link
5. Select a ‘Physical path’. e.g. C:\inetpub\temp. This will not be used.
6. In the ‘Host name’ field, enter the vanity URL that you created in step 1 and click ‘Ok’. e.g. finance.company.com
7. Double-click ‘HTTP Redirect’
8. Check the ‘Redirect requests to this destination’ checkbox, enter the Smart Link URL and click ‘Apply’
9. Repeat this process for all smart links
Now, if you attempt to access your vanity URL in a web browser, you should be authenticated and redirected to your SharePoint site.