SharePoint Server: OIDC users get redirected to landing page after reauthenticating

Problem:

Consider the following scenario:

  • You set up OIDC authentication for SharePoint Server Subscription Edition using Entra ID as the identity provider, for example, using this walkthrough.
  • You browse to a site collection and do some work there.
  • After a certain time, your authentication token expires, and reauthentication is required.
  • You click on a document library (or some other page link) to navigate to it.
  • You are redirected to Entra ID (login.microsoftonline.com) to reauthenticate.
  • After reauthenticating, the browser lands back on the home page / landing page / root of the site instead of the document library or other page you were trying to navigate to.

Cause:

When a client is redirected to authenticate to an OIDC Identity Provider (IDP), the URI that the client expects to be sent back to after authentication is listed in the “redirect_uri” property in the query string of the request.
For example, Fiddler shows that the redirect_uri for this request is “/sites/TEST1/Shared Documents/Forms/AllItems.aspx”.

However, some IDPs do not use or do not support the “redirect_uri” property that the client passes on authentication requests, so it gets dropped in the IDP’s response.
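The following PowerShell is an added diagnostic example, not code from the original article. It pulls the “redirect_uri” and “state” parameters out of an authorization request captured in Fiddler so you can see which of the two carries the deep link the user asked for. The sample request URL, tenant and client IDs, and the host name are constructed placeholders, and the assumption that the state value contains the target page URI in plain form is taken from the article rather than from a documented format; compare it against your own capture.

```powershell
# Added example (not from the original article): extract redirect_uri and state from a
# captured OIDC authorization request. The sample URL below is constructed; the shape of
# the state value is an assumption, so verify it against your own Fiddler capture.
Add-Type -AssemblyName System.Web

function Get-OidcRedirectTargets {
    param([Parameter(Mandatory)][string]$AuthorizeUrl)

    $uri   = [System.Uri]$AuthorizeUrl
    $query = [System.Web.HttpUtility]::ParseQueryString($uri.Query)

    $redirectUri = $query['redirect_uri']
    $state       = $query['state']

    [pscustomobject]@{
        Authority   = $uri.Host
        RedirectUri = $redirectUri
        State       = $state
        # If the IDP drops redirect_uri, the state value is the only place the target page survives.
        StateCarriesTarget = ($state -and $redirectUri -and $state.Contains($redirectUri))
    }
}

# Constructed sample capture (placeholder tenant ID, client ID and SharePoint host).
$target = 'https://sp.contoso.example/sites/TEST1/Shared Documents/Forms/AllItems.aspx'
$sample = 'https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize' +
          '?client_id=CLIENT-ID-PLACEHOLDER&response_type=id_token&scope=openid' +
          '&redirect_uri=' + [uri]::EscapeDataString($target) +
          '&state='        + [uri]::EscapeDataString($target)

Get-OidcRedirectTargets -AuthorizeUrl $sample | Format-List
```

Paste the full authorization URL from the Fiddler request inspector in place of $sample; if StateCarriesTarget is true while the post-authentication redirect still lands on the site root, the IDP is not honouring redirect_uri and the solution below applies.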

Solution:

You can use the “state” property, which also contains the target page URI.

By setting the UseStateToRedirect property to “True” on the SharePoint Server SPTrustedIdentityTokenIssuer (trusted provider) object, you are telling SharePoint to use the URI found within the “state” property of the client query string to figure out which page to redirect the client to after authentication. You can use PowerShell to set the UseStateToRedirect property to “True” for your trusted provider.

# Returns every trusted provider in the farm; if more than one exists, pass the provider name so a single object is returned.
$ti = Get-SPTrustedIdentityTokenIssuer
# Tell SharePoint to take the post-authentication target from the "state" parameter for this OIDC provider.
Set-SPTrustedIdentityTokenIssuer $ti -UseStateToRedirect:$True -IsOpenIDConnect

Now when testing the same reauthentication scenario outlined above, it should work as expected. After reauthentication, the client lands on the page they requested instead of the home page for the site.
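The script below is an added example, not the article's own code. It applies the same setting, but targets the trusted provider by name (so it does not depend on Get-SPTrustedIdentityTokenIssuer returning exactly one object), checks that the provider is actually an OIDC provider before touching it, and reads the value back from the farm afterwards to confirm it was persisted. The provider name 'Entra ID' is a placeholder for whatever name you gave your trusted provider.

```powershell
# Added example (not from the original article): set UseStateToRedirect on one named
# trusted provider and verify the result. 'Entra ID' is a placeholder provider name.
$providerName = 'Entra ID'

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Fetch the single provider by name; -ErrorAction Stop aborts if the name is wrong.
$ti = Get-SPTrustedIdentityTokenIssuer -Identity $providerName -ErrorAction Stop

# UseStateToRedirect only applies to OIDC providers, not SAML/WS-Fed ones.
if (-not $ti.IsOpenIDConnect) {
    throw "Trusted provider '$providerName' is not configured for OIDC; UseStateToRedirect does not apply."
}

Write-Host "Before: UseStateToRedirect = $($ti.UseStateToRedirect)"

# Only write to the config database when the value actually needs changing.
if (-not $ti.UseStateToRedirect) {
    Set-SPTrustedIdentityTokenIssuer -Identity $ti -UseStateToRedirect:$true -IsOpenIDConnect
}

# Re-read from the farm rather than trusting the in-memory object.
$after = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
Write-Host "After:  UseStateToRedirect = $($after.UseStateToRedirect)"

if (-not $after.UseStateToRedirect) {
    throw 'UseStateToRedirect was not persisted; check that the account running this is a farm administrator with access to the config database.'
}
```

Run it from the SharePoint Management Shell on a server in the farm; the before/after lines give you a record of the change that you can keep with the change ticket.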
