Project Web Access 2007 and ADFS

AlanD

Hi,

I'm setting up a lab demo of PWA and SharePoint operating across domains for
a UK consortium. I've followed the instructions in TechNet 'Configure web SSO
authentication by using ADFS (Office SharePoint Server)'. For SharePoint, it
works well and is a very compelling demo.

With PWA, however, I'm having a few problems. The SharePoint web application
is on myserver:8080 and the PWA is on myserver:8080/PWA, created by extending
the web app on 8080. If I add the PWA URL to both the ADFS applications
plugin and to the web.config file of the extranet site, I get a trust error
in the ADFS server.

I've got a feeling I've misunderstood something, but I can't figure out
what. Any ideas?

Ta,
 
AlanD

Hi,

I'll answer my own question: add the /PWA extension and it seems to work but
with a certificate error. Strange, because without the /PWA extension, ADFS
works fine for the SharePoint site.

However, in PWA I have to define users. How do I define ADFS users? The ADFS
groups aren't identified, e.g. Adatum SharePoint Contributors, so I get an
'access denied' error with the current login name set as it should be from
Adatum.

Strangerer and strangerer
 
James Fraser

> Hi,
>
> I'll answer my own question: add the /PWA extension and it seems to work but
> with a certificate error. Strange, because without the /PWA extension, ADFS
> works fine for the SharePoint site.
>
> However, in PWA I have to define users. How do I define ADFS users? The ADFS
> groups aren't identified, e.g. Adatum SharePoint Contributors, so I get an
> 'access denied' error with the current login name set as it should be from
> Adatum.

I don't have my notes in front of me, but if I recall correctly,
Project Server does not support ADFS users. I vaguely remember hearing
this in a discussion of Forms authenticated users: that changes to
support SharePoint Forms authentication had been made in Project
Server, but it was either that or straight AD authentication.

I would be very happy to be proven wrong on this, and I'd be
interested in hearing about any success that you have.


James Fraser
 
AlanD

Hi James,

Sorted.

I had been trying to access the /PWA main site from a different domain using
ADFS. Thinking about it, it was a pretty silly thing to want to do i.e. we
don't want company B to know all our projects in company A. So I created a
test project called test1, and a project website was created called
/PWA/test1 - in test1 I could then add the ADFS contributors and Readers as
per the Adatum/Trey Research setup. Lo and behold, I could then log in to
/PWA/test1 from another domain using ADFS with all the correct permissions
etc. Magic.
 
James Fraser

> Hi James,
>
> Sorted.
>
> I had been trying to access the /PWA main site from a different domain using
> ADFS. Thinking about it, it was a pretty silly thing to want to do i.e. we
> don't want company B to know all our projects in company A. So I created a
> test project called test1, and a project website was created called
> /PWA/test1 - in test1 I could then add the ADFS contributors and Readers as
> per the Adatum/Trey Research setup. Lo and behold, I could then log in to
> /PWA/test1 from another domain using ADFS with all the correct permissions
> etc. Magic.

Yes, that makes sense. While Project Server synchronizes the security
settings for the individual SharePoint Sites (Project Workspaces),
access is really controlled by SharePoint. SharePoint can deal with AD
Federated Services. Going to the /PWA site, Project Server handles
most of the security, and I don't believe Project Server can handle
ADFS.


Good to hear and learn from your experience. Thanks!
James Fraser
 
