Fix all ADFS test failures for id4slab1 lab migration

ClientCredentialsTests.NetFwk.cs:
- Fix audience check: Contains('/adfs/') fails for authority without trailing
  slash. Changed to Contains('/adfs'). Bug introduced in a51b7f6 (Avery-Dunn,
  Jan 15 2026), never caught because IGNORE_FEDERATED was still gating tests.
  Also required server-side fixes on ADDC1 (cert in Root store + JWTSigningKey).

UsernamePasswordIntegrationTests.NetFwk.cs:
- Use AppAdfsNativeClient (ADFS NativeClientApplication GUID) instead of
  AppPCAClient (ServerApplication GUID). ADFS ServerApplications require client
  auth; public client ROPC flows need a NativeClientApplication registration.

InteractiveFlowTests.NetFwk.cs:
- Same AppAdfsNativeClient fix for Interactive_Adfs_DirectAsync.

KeyVaultSecrets.cs:
- Add AppAdfsNativeClient = 'App-AdfsNativeClient-Config' constant pointing to
  NativeClientApplication (c697bd8e-16d8-4f73-97d8-262e446581c2) registered
  in MSAL-Lab-Tests group on ADDC1.

SeleniumExtensions.cs / UserInformationFieldIds.cs:
- Simplify EnterPassword: remove redundant ADFS fallback logic (now handled
  upstream by DetermineFieldIds with OrdinalIgnoreCase comparison).

Server-side changes on ADDC1 (permanent, not code):
- NativeClientApplication 'MSAL-Lab-Client-Native' registered in MSAL-Lab-Tests
- KV secret 'App-AdfsNativeClient-Config' created in id4skeyvault

All 11 ADFS tests now pass locally (8 on NetCore, 3 on NetFx).

Author: RyAuld

tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsTests.NetFwk.cs

@@ -557,7 +557,7 @@ private static IConfidentialClientApplication CreateApp(
                     break;
                 case CredentialType.ClientAssertion_Manual:
 
-                    var aud = authority.Contains("/adfs/") ?
+                    var aud = authority.Contains("/adfs") ?
                         authority + "/oauth2/token" :
                         authority + "/oauth2/v2.0/token";
 
@@ -569,7 +569,7 @@ private static IConfidentialClientApplication CreateApp(
                     break;
 
                 case CredentialType.ClientAssertion_Wilson:
-                    var aud2 = authority.Contains("/adfs/") ?
+                    var aud2 = authority.Contains("/adfs") ?
                        authority + "/oauth2/token" :
                        authority + "/oauth2/v2.0/token";
 

tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/UsernamePasswordIntegrationTests.NetFwk.cs

@@ -86,7 +86,7 @@ public async Task ROPC_ADFSv4Federated_Async()
         public async Task AcquireTokenFromAdfsUsernamePasswordAsync()
         {
             var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserFederated).ConfigureAwait(false);
-            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppPCAClient).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppAdfsNativeClient).ConfigureAwait(false);
 
             // Use the new ADFS authority and disable validation since ADFS infrastructure is not fully available
             Uri authorityUri = new Uri("https://fs.id4slab1.com/adfs");

tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/SeleniumExtensions.cs

@@ -318,33 +318,10 @@ private static void EnterPassword(IWebDriver driver, UserConfig user, UserInform
             Trace.WriteLine("Logging in ... Entering password");
             string password = user.GetOrFetchPassword();
             string passwordField = fields.GetPasswordInputId();
-            string signInButton = fields.GetPasswordSignInButtonId();
-
-            // Try the configured field with a short timeout first. If the browser was redirected
-            // to an ADFS login page (e.g. federated user whose UserType is not set to "Federated"),
-            // the ADFS page uses different element IDs than AAD. Fall back to ADFS field IDs.
-            var pwdElement = driver.WaitForElementToBeVisibleAndEnabled(
-                By.Id(passwordField),
-                waitTime: ShortExplicitTimespan,
-                ignoreFailures: true);
-
-            if (pwdElement == null && passwordField != CoreUiTestConstants.AdfsV4WebPasswordId)
-            {
-                Trace.WriteLine($"Password field '{passwordField}' not found, falling back to ADFS field IDs");
-                passwordField = CoreUiTestConstants.AdfsV4WebPasswordId;
-                signInButton = CoreUiTestConstants.AdfsV4WebSubmitId;
-                pwdElement = driver.WaitForElementToBeVisibleAndEnabled(By.Id(passwordField));
-            }
-            else if (pwdElement == null)
-            {
-                // Already using ADFS IDs but element still not found — re-wait to surface the timeout exception
-                pwdElement = driver.WaitForElementToBeVisibleAndEnabled(By.Id(passwordField));
-            }
-
-            pwdElement.SendKeys(password);
+            driver.WaitForElementToBeVisibleAndEnabled(By.Id(passwordField)).SendKeys(password);
 
             Trace.WriteLine("Logging in ... Clicking next after password");
-            driver.WaitForElementToBeVisibleAndEnabled(By.Id(signInButton)).Click();
+            driver.WaitForElementToBeVisibleAndEnabled(By.Id(fields.GetPasswordSignInButtonId())).Click();
         }
 
         private static void EnterUsername(IWebDriver driver, UserConfig user, bool withLoginHint, bool adfsOnly, UserInformationFieldIds fields)

tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/UserInformationFieldIds.cs

@@ -64,8 +64,6 @@ public string AADUsernameInputId
 
         private void DetermineFieldIds()
         {
-            // Use case-insensitive comparison: KeyVault stores "federated" (lowercase)
-            // but LabConstants.UserTypeFederated is "Federated".
             if (string.Equals(_user.UserType, LabConstants.UserTypeFederated, StringComparison.OrdinalIgnoreCase))
             {
                 _passwordInputId = CoreUiTestConstants.AdfsV4WebPasswordId;

tests/Microsoft.Identity.Test.Integration.netcore/SeleniumTests/InteractiveFlowTests.NetFwk.cs

@@ -144,7 +144,7 @@ public async Task Interactive_Arlington_MultiCloudSupport_AADAsync()
         public async Task Interactive_Adfs_DirectAsync()
         {
             var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserFederated).ConfigureAwait(false);
-            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppPCAClient).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppAdfsNativeClient).ConfigureAwait(false);
             await RunTestForUserAsync(user, app, true).ConfigureAwait(false);
         }      
 

tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultSecrets.cs

@@ -23,6 +23,7 @@ public static class KeyVaultSecrets
         //  - Broad test scenarios
         public const string AppS2S = "App-S2S-Config";
         public const string AppPCAClient = "App-PCAClient-Config";
+        public const string AppAdfsNativeClient = "App-AdfsNativeClient-Config";
         public const string AppWebApi = "App-WebApi-Config";
         //  - More specific test scenarios, edge cases, etc.
         public const string B2CAppIdLabsAppB2C = "MSAL-App-B2C-JSON";