I have been trying to make this work for a while and my head is starting to swim...
I am trying to make a local ADFS 3.0 instance be able to authenticate users in both local AD and Azure AD. Ideally ADFS would allow Windows Integrated Auth for domain joined devices. If not it would present a forms login page. When the user entered their ID/PW it would check Azure AD if the credentials are valid. I have my local AD synced with Azure AD so my internal users are there, and I have a few accounts that are only in Azure AD. I am doing this so that internal and external user accounts can access an on-prem SharePoint site (not O365/SharePoint Online!).
I followed the steps in this article to set up the SSO between ADFS and Azure. I do see the windows.net entry under Claims Provider Trusts in ADFS. I have also configured a relying party in Azure ACS with the realm and DNS information that matches my ADFS server.
If I add the ADFS server to the list of intranet sites so Windows Integrated Auth works, I do not see the login prompt and am redirected to my SP site as expected. If the ADFS server is not in the list of intranet sites, when I am redirected to ADFS I am presented with a page titled Home Realm Discovery with two options: ADFS and the display name for the windows.net claims provider. If I choose ADFS I can sign in with an internal AD account no problem, but it’s a Windows ID/PW prompt. If I choose the Windows.net one I can authenticate with an Azure AD-only account just fine, but I get this error message when the browser redirects after the ID/PW validation:
“Sorry, but we’re having trouble signing you in.
We received a bad request.
Additional technical information:
Correlation ID: 07ec79b8-7484-4667-be45-cffe864854a9
Timestamp: 2014-12-17 16:13:10Z
AADSTS70001: Application with identifier (my ADFS server’s FQDN) was not found in the directory daab1e92-e868-4495-8e6d-156727c0d612”
From what I can tell by the above error, Azure ACS thinks I am trying to access an Azure application, which I am not. I just want the validation to occur and be redirected to my SP server. I know this may sound a bit convoluted but there are a couple other factors for why I am doing it this way that are not applicable to this post.
I know I am missing something simple but I can’t figure out what I am missing in order to search for it. I would rather not make the user choose which source to authenticate against. I would rather it just be a simple login form and let ADFS figure it out. Since Azure AD should/could be the only source for ID/PW validation once integrated auth fails this should be possible, right?
If it’s still not clear what I am trying to achieve, here is a slightly simplistic drawing of what I am trying to accomplish: