ADFS and the trailing slash

The problem

Those who have experimented with ADFS authentication for the web client (or Web Drawer) may have noticed that if the trailing slash is not included in the URL then the authentication fails.

The solution

The solution is to include a trailing slash.

The details

What is actually going on here is not, technically a bug, but a feature.  The slashes in the URL separate out the realms. So when the trailing slash is ommitted ADFS considers that rather than authenticating with the HPRMWebClient realm you are actually opening the page HPRMWebClient in the www.myserver.com realm.

A 'better' solution?

I have experimented with this a fair bit, one solution would be for us to re-design the Web Client so that, for example, the base URL was /HPRMWebClient/home.  This may be a solution for the future but what about the present.  IIS URL re-write had some promise but from what I can see the ADFS authentication module kicks in before the rewrite.

So...

This post on stackoverflow provided a handy shortcut to a solution, override the authentication module to append the trailing slash if it is missing.  I have added the code, or you can download the DLL. To use this:

  1. copy the DLL to the web client bin folder,
  2. edit your web.config modules section to look like the below, and
  3. ensure that the identifier in your ADFS relying party trust is the same as your web client base URL (e.g. https://myserver.com/HPRMWebClient/)
<modules>
  <add name="FixedWSFederationAuthenticationModule" type="FixedWSFederationAuthenticationModule.FixedWSFederationAuthenticationModule, FixedWSFederationAuthenticationModule" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
</modules>

An update on the Web Client and Web Client classic

If you deal with the trailing slash using the technique above in both the web client and web client classic then you will have one more thing to do.  The web client enables linking to the web client classic, if the base address does not include the trailing slash this will fail.  To fix this:

  1. edit hprmServiceAPI.config in the web client folder,
  2. find the setup element, then
  3. change the webClientClassicUrl to include a trailing slash.

For example:

<setup 
    databaseId="T1" 
    webClientClassicUrl="/HPRMWebClientClassic/" 
    searchAhead="false" 
    advancedSearch="false" 
    workpath="C:\HP Records Manager\ServiceAPIWorkpath\Uploads"/>
Written on December 9, 2015