So you’re using Federated Identities with SharePoint Online…

You may have noticed that every 1-2 days you have to re-authenticate to SharePoint Online.  This is the result of an Office 365 security feature that defines a 10 hour SharePoint cookie expiration. This authentication behavior is different to BPOS SharePoint Online, where users would be prompted to authenticate one time only. If you have come from BPOS, this change in SharePoint authentication behavior is probably undesirable. If you were excited about a transparent ‘single sign-on’ experience with AD FS 2.0 and Office 365, you might even be a little disappointed.

The solution to the problems described above? Deploy Smart Links.

In short, Smart Links provide users with an improved login experience when accessing any browser-based Office 365 service, including SharePoint Online. The result is a seamless and faster authentication experience. There is an Office 365 wiki article that describes what a Smart Link is, as well as an overview of the process to generate them.

This post will hopefully make your Smart Link deployment a bit easier by explaining the Smart Link generation and deployment process in detail. The method described is a little different to the Office 365 wiki method and is more efficient if you have to create a large number of Smart Links.

Note: If a Single Sign-on experience is your goal, Smart Links are only useful when you’re using AD FS with Integrated Windows authentication. If you’re using Forms Based authentication, you will gain the advantages of a faster authentication experience and eliminate the home-realm discovery process, but SSO will not work. In other words, SSO will work for users on your internal network that are authenticating with the AD FS farm servers, but not for external users that authenticate via the AD FS proxy.

Generating Smart Links

1. Install Fiddler

2. Open Fiddler and enable HTTPS decryption

3. Open Internet Explorer, clear the cookies and restart the browser

4. Using Internet Explorer, navigate to an Office 365 SharePoint site

5. At the Office 365 Login Prompt, enter your username, check the boxes ‘Remember me’ and ‘Keep me signed in’ and then click ‘Sign in at <yourdomain>’

6. Return to Fiddler and locate the 302 redirection session. Right-click on the 302 session, click ‘Copy’ and click ‘Just Url’

7. Open Notepad and paste the string copied in step 6. It should look something like:

https://federation.domain.com.au/adfs/ls/?cbcxt=mai&vv=&username=david.ross%40domain.com.au&mkt=&lc=3081&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D1%26wa%3Dwsignin1%252E0%26rpsnv%3D2%26ct%3D1348618157%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fdomain%252Esharepoint%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3D3081%26id%3D500046%26cbcxt%3Dmai%26wlidp%3D1%26guest%3D1%26bk%3D1348618158

8. Remove everything between ‘…/adfs/ls/?‘ and ‘wa=wsignin…‘, and everything after ‘…wreply%3D‘. The string now looks like:

https://federation.domain.com.au/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D1%26wa%3Dwsignin1%252E0%26rpsnv%3D2%26ct%3D1348618157%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3D

This is the base URL that will be used to create the Smart Links, whether you’re creating 1, or 100.

9. Next, we need to convert the SharePoint site URLs to double-encoded URLs. We need to do this for all SharePoint sites that you would like to create Smart Links for. Use the following table as a reference:

ASCII Character    Double-Encoded Value
:                  %253A
.                  %252E
/                  %252F

The following table contains some examples of URLs and their double-encoded URL equivalent:

URL                                               Double-Encoded URL
https://company.sharepoint.com                    https%253A%252F%252Fcompany%252Esharepoint%252Ecom
https://company.sharepoint.com/search             https%253A%252F%252Fcompany%252Esharepoint%252Ecom%252Fsearch
https://company-10.sharepoint.com/sites/finance   https%253A%252F%252Fcompany-10%252Esharepoint%252Ecom%252Fsites%252Ffinance

10. To complete the Smart Link, simply append the double encoded string to the base URL that was previously created. The end result will be a Smart Link that looks something like:

https://federation.domain.com.au/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D1%26wa%3Dwsignin1%252E0%26rpsnv%3D2%26ct%3D1348618157%26rver%3D6%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fcompany%252Esharepoint%252Ecom
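If you have many sites to cover, steps 8 to 10 are easier to script. The following Python example is added here and is not from the original post: it cuts the captured 302 URL (the one shown in step 7, with the line breaks removed) down to the base URL, double-encodes each site URL using the table above, and appends it to produce the Smart Link.

```python
import string

# Characters left unencoded, mirroring the page's table: '.' is encoded (%2E) but '-' is kept.
_KEEP = frozenset(string.ascii_letters + string.digits + "-_~")

def base_url_from_redirect(redirect_url: str) -> str:
    """Step 8: reduce the 302 URL captured in Fiddler to the reusable base URL by
    dropping everything between '?' and 'wa=wsignin1.0' (user-specific parameters
    such as username) and everything after 'wreply%3D'."""
    path, sep, query = redirect_url.partition("?")
    start = query.find("wa=wsignin1.0")
    end = query.find("wreply%3D")
    if not sep or start < 0 or end < 0:
        raise ValueError("not a WS-Federation sign-in redirect containing wreply%3D")
    return f"{path}?{query[start:end + len('wreply%3D')]}"

def double_encode(url: str) -> str:
    """Step 9: percent-encode once (':' -> '%3A'), then encode the '%' signs again
    ('%3A' -> '%253A'), the form the wreply value inside wctx must take."""
    single = "".join(
        c if c in _KEEP else "".join(f"%{b:02X}" for b in c.encode("utf-8"))
        for c in url
    )
    return single.replace("%", "%25")

def smart_link(base_url: str, site_url: str) -> str:
    """Step 10: append the double-encoded site URL to the base URL."""
    if not site_url.startswith("https://"):
        raise ValueError("site URL must be absolute https://, otherwise wreply is wrong")
    return base_url + double_encode(site_url)

# The 302 URL from step 7 of the page (line breaks introduced by extraction removed).
CAPTURED_302 = (
    "https://federation.domain.com.au/adfs/ls/?cbcxt=mai&vv=&username=david.ross%40domain.com.au"
    "&mkt=&lc=3081&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0"
    "%26LoginOptions%3D1%26wa%3Dwsignin1%252E0%26rpsnv%3D2%26ct%3D1348618157%26rver%3D6"
    "%252E1%252E6206%252E0%26wp%3DMBI%26wreply%3Dhttps%253A%252F%252Fdomain%252Esharepoint"
    "%252Ecom%252F%255Fforms%252Fdefault%252Easpx%26lc%3D3081%26id%3D500046%26cbcxt%3Dmai"
    "%26wlidp%3D1%26guest%3D1%26bk%3D1348618158"
)

if __name__ == "__main__":
    base = base_url_from_redirect(CAPTURED_302)
    for site in ("https://company.sharepoint.com", "https://company-10.sharepoint.com/sites/finance"):
        print(smart_link(base, site))
```

Each generated link can be pasted straight into the IIS redirect described in the deployment section below.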

Deploying Smart Links

Once we have generated our Smart Links, we can deploy them using a 302 redirection service and a vanity URL. The method described below uses IIS 7 to provide the redirection service, although other solutions can provide this service as well.

1. Create a DNS record for your vanity URLs and point them to the IIS server

2. On the IIS Server, open IIS Manager

3. Right-click on the ‘Sites’ node and select ‘Add Web Site’

4. Enter a ‘Site name’. e.g. Finance Smart Link

5. Select a ‘Physical path’. e.g. C:\inetpub\temp. This will not be used.

6. In the ‘Host name’ field, enter the vanity URL that you created in step 1 and click ‘Ok’. e.g. finance.company.com

7. Double-click ‘HTTP Redirect’

8. Check the ‘Redirect requests to this destination’ checkbox, enter the Smart Link URL and click ‘Apply’

9. Repeat this process for all smart links

Now, if you attempt to access your vanity URL in a web browser, you should be authenticated and redirected to your SharePoint site.

Category:
ADFS, Office 365

8 Comments

  1. Great article. A couple of questions: if you have 100s of smart links, do you need to create 100s of IIS web sites? Also, do smart links work for document library or document URLs when one user shares information with others, or does it work only for sites? Also, is there any automated tool for smart link generation?

  2. Any idea how to do this with ADFS 3.0 / Server 2012 R2 which doesn’t use IIS?

  3. Hi Rob,
    To implement Smart Links as described in this article you will have to set up a new IIS website hosted on a server on your internal LAN, separate from your ADFS infrastructure.
    You will then update your internal DNS records to direct users to your IIS server configured with Smart Links as described in this article.

  4. Merci !!!

  5. What about a redirect to WindowsAzure? https://manage.windowsazure.com/domainname.com

    The reply/redirect is different than O365.

    Here is what it looks like from Azure Portal Redirect:

    wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%…&popupui=

  6. Very helpful post. Thanks!

  7. It is working for the most part. The only part that is not working is the redirection to the correct site URL.
    The site I want to redirect to is https://contoso.sharepoint.com/sites/test.
    It is redirecting to the root site – https://contoso.sharepoint.com

    Any idea what I am doing wrong?
