There is one user store, namely an on-premises AD. ADFS provides authentication for SharePoint 2013 and Power BI.
The custom web app needs to authenticate users from AD. The web app back-end also requires access to the SharePoint REST API.
The objective is to achieve the above using a single sign on. If signed in to any one of the three applications, the user should not have to input credentials for either of the other two. As well, the custom web app displays content from SharePoint (iFrame and REST API) and Power BI (iFrame).
We have tried the following two solutions but have come across an issue in either case.
What doesn't work: Navigating to Power BI or including it in an iFrame will redirect the user to the ADFS sign in page. This is because the user has not been authenticated with ADFS in the browser yet.
What doesn't work: The web app can't make REST API requests to SharePoint using the SAML token received from ADFS for the web app. We have tried to use that SAML token to request another one from ADFS for SharePoint on behalf of the signed-in user. That did not work either. As well, SharePoint 2013 on-premises may not accept an on-behalf-of request.
Is there a way to have SSO for all three applications while also having REST API access to SharePoint from the web app? The user should have to sign in only once, and preferably only in to the web app.
Registering your applications through Azure Active Directory is probably the best way to achieve what you are looking for. You can register the applications in Azure AD and then grant permissions to users by application, tenant, or policy.
https://learn.microsoft.com/en-us/power-bi/developer/embed-sample-for-customers
https://learn.microsoft.com/en-us/power-bi/developer/create-an-azure-active-directory-tenant
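The question's second failing approach (reusing the web app's token against SharePoint) and the answer's pointer to Azure AD both hinge on the same mechanism: a token is minted for one audience, each relying party validates that audience, and a service that needs to call a downstream API on the user's behalf must exchange the token rather than forward it. The following Python, added here as an illustration and not code from the question, the answer, or Microsoft, models that with a relying-party validator and the form body of the Azure AD v2.0 on-behalf-of grant. It assumes hypothetical application identifiers (`api://custom-web-app`, `https://sharepoint.contoso.example`), a constructed HS256 shared key in place of the RS256 keys real ADFS or Azure AD tokens carry, and JWT rather than SAML so it stays self-contained; the audience and expiry checks are the same in either format.

```python
"""Audience-restricted tokens and the on-behalf-of exchange: added illustration,
not code from the original post. Uses HS256 with a constructed key so it runs
offline; production ADFS / Azure AD tokens are RS256 and verified with the
issuer's published keys."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the issuer's signing key (not a real secret).
SIGNING_KEY = b"constructed-demo-key-not-real"

WEB_APP_AUDIENCE = "api://custom-web-app"                    # hypothetical
SHAREPOINT_AUDIENCE = "https://sharepoint.contoso.example"   # hypothetical
ISSUER = "https://adfs.contoso.example"                      # hypothetical


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience: str, lifetime_s: int = 3600, now=None) -> str:
    """Mint a JWT carrying the claims every relying party checks: iss, aud, exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime_s}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, expected_audience: str, now=None) -> dict:
    """Relying-party validation: signature, then expiry, then audience.
    Raises ValueError on any failure and returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    expected = hmac.new(SIGNING_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # The audience check is what stops the web app's token from being replayed
    # against SharePoint: each relying party accepts only tokens minted for it.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        raise ValueError(f"audience mismatch: {aud!r} is not {expected_audience!r}")
    return claims


def sharepoint_accepts(token: str, now=None) -> bool:
    """Model SharePoint's decision: accept only tokens whose aud is SharePoint."""
    try:
        validate_token(token, SHAREPOINT_AUDIENCE, now=now)
        return True
    except ValueError:
        return False


def build_obo_request(user_assertion: str, client_id: str, client_secret: str, scope: str) -> dict:
    """Form body of the Azure AD v2.0 on-behalf-of grant: the web app presents the
    user's token as the assertion and receives a new token whose aud is the
    downstream API, instead of forwarding the original token."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": scope,
        "requested_token_use": "on_behalf_of",
    }


if __name__ == "__main__":
    t0 = 1_700_000_000
    web_token = issue_token("alice", WEB_APP_AUDIENCE, now=t0)
    print("web app token accepted by SharePoint:", sharepoint_accepts(web_token, now=t0 + 10))
    sp_token = issue_token("alice", SHAREPOINT_AUDIENCE, now=t0)
    print("SharePoint-audience token accepted:", sharepoint_accepts(sp_token, now=t0 + 10))
    body = build_obo_request(web_token, "<client-id>", "<client-secret>",
                             SHAREPOINT_AUDIENCE + "/.default")
    print("OBO form fields:", sorted(body))
```

Running the script shows the web app's token rejected by the SharePoint validator and a token minted for SharePoint's audience accepted, which is the behaviour the question observed; the `build_obo_request` body is what the web app's back end would POST to the tenant's token endpoint to obtain the second token legitimately, once both applications are registered in Azure AD as the answer suggests.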