Referring to 3.1.1.1 [MS-ADFSOD]: User and Relying Party in Different Realms Example | Microsoft Learn, after introducing AD FS for authenticating custom users.
- The AD FS server authenticates the user, in the case of this example, by contacting Active Directory. The AD FS server then generates the security material that is passed on to the STS that authenticates for the RP and also constructs a cookie that contains information about the user authentication that has occurred. This data is sent to the client along with hidden JavaScript code in an HTTP 200 response.
See [MS-MWBF] section 4.1, step 6, and [MS-MWBF] section 4.3.6 for examples of the HTTP 200 response.
- The client executes the hidden JavaScript code, which causes it to send an HTTP POST to the STS that authenticates for the RP. The POST includes the security material generated by the AD FS server. In addition, the client stores the cookie in its cookie cache.
I found that the configured WS-Federation Passive Endpoint controls which server the request containing the security material (RequestSecurityTokenResponse, from WS-Trust.pdf) generated by the AD FS server is sent to in step 9 above.
Implement federated authentication in SharePoint Server - SharePoint Server | Microsoft Learn
```powershell
# SharePoint URL where user is redirected upon successful authentication
$redirectURL = "https://spsites.contoso.local/_trust/default.aspx"
```
After configuring different endpoints, I found that the network activity looked like this:
Can somebody explain how it works, and whether what I found is what is expected?
I could not verify how it works after googling and testing.
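What the hidden auto-post form in the HTTP 200 response from step 6 actually carries, as an added example that is not part of the original post or of Microsoft's documentation: a small Python parser that pulls the form action and the wa/wresult/wctx fields out of a constructed sample response and checks that the action is the passive endpoint the relying party was configured with. The sample HTML, the hostnames and the wresult/wctx contents are constructed assumptions, not captured traffic.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of the HTTP 200 response AD FS returns after authenticating
# the user: a hidden form that the page's JavaScript submits to the STS that
# authenticates for the RP. Hostnames, wresult and wctx are made up here.
SAMPLE_RESPONSE = """
<html><head><title>Working...</title></head>
<body onload="document.forms[0].submit()">
<form method="POST" action="https://spsites.contoso.local/_trust/default.aspx">
<input type="hidden" name="wa" value="wsignin1.0" />
<input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse ...&gt;" />
<input type="hidden" name="wctx" value="rm=0&amp;id=passive&amp;ru=%2fsites%2fhr" />
<noscript><input type="submit" value="Continue" /></noscript>
</form></body></html>
"""


class AutoPostFormParser(HTMLParser):
    """Collect the action URL and the hidden inputs of the first form on the page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive already HTML-unescaped
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden" and self.action is not None:
            self.fields[a.get("name")] = a.get("value", "")


def parse_autopost(html):
    """Return (form action URL, {hidden field name: value}) for the auto-post form."""
    p = AutoPostFormParser()
    p.feed(html)
    return p.action, p.fields


def posts_to_configured_endpoint(html, configured_url):
    """True only if a wsignin1.0 response carrying wresult would be POSTed over
    HTTPS to exactly the configured passive endpoint (scheme, host and path)."""
    action, fields = parse_autopost(html)
    if action is None or fields.get("wa") != "wsignin1.0" or "wresult" not in fields:
        return False
    got, want = urlsplit(action), urlsplit(configured_url)
    return got.scheme == "https" and (got.netloc.lower(), got.path) == (want.netloc.lower(), want.path)


if __name__ == "__main__":
    action, fields = parse_autopost(SAMPLE_RESPONSE)
    print(action, sorted(fields))
```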