- Comment out MSAL_SKIP_FEDERATED_TESTS prop in Directory.Build.props so ADFS tests always run regardless of pipeline variable group
- Update ADFSAuthority constant to point to fs.id4slab1.com (new lab)
- Remove unused Adfs2019LabConstants class (no references in codebase)
- UserInformationFieldIds.DetermineFieldIds: use OrdinalIgnoreCase for
UserType comparisons. KeyVault stores 'federated' (lowercase) but
LabConstants.UserTypeFederated is 'Federated', causing the case-sensitive
== to fall through to AAD field IDs on an ADFS page (root cause).
- InteractiveFlowTests.RunTestForUserAsync: use FindFreeLocalhostRedirectUri()
for the non-direct path to avoid HttpListenerException port conflict with
Interactive_Adfs_DirectAsync on localhost:52073. AAD public client apps
accept any http://localhost:{port} so a dynamic port is valid here.
ClientCredentialsTests.NetFwk.cs:
- Fix audience check: Contains('/adfs/') fails for authority without trailing
slash. Changed to Contains('/adfs'). Bug introduced in a51b7f6 (Avery-Dunn,
Jan 15 2026), never caught because IGNORE_FEDERATED was still gating tests.
Also required server-side fixes on ADDC1 (cert in Root store + JWTSigningKey).
UsernamePasswordIntegrationTests.NetFwk.cs:
- Use AppAdfsNativeClient (ADFS NativeClientApplication GUID) instead of
AppPCAClient (ServerApplication GUID). ADFS ServerApplications require client
auth; public client ROPC flows need a NativeClientApplication registration.
InteractiveFlowTests.NetFwk.cs:
- Same AppAdfsNativeClient fix for Interactive_Adfs_DirectAsync.
KeyVaultSecrets.cs:
- Add AppAdfsNativeClient = 'App-AdfsNativeClient-Config' constant pointing to
NativeClientApplication (c697bd8e-16d8-4f73-97d8-262e446581c2) registered
in MSAL-Lab-Tests group on ADDC1.
SeleniumExtensions.cs / UserInformationFieldIds.cs:
- Simplify EnterPassword: remove redundant ADFS fallback logic (now handled
upstream by DetermineFieldIds with OrdinalIgnoreCase comparison).
Server-side changes on ADDC1 (permanent, not code):
- NativeClientApplication 'MSAL-Lab-Client-Native' registered in MSAL-Lab-Tests
- KV secret 'App-AdfsNativeClient-Config' created in id4skeyvault
All 11 ADFS tests now pass locally (8 on NetCore, 3 on NetFx).
Pull request overview
This PR re-enables ADFS integration tests that were being silently skipped due to a pipeline variable (MSAL_SKIP_FEDERATED_TESTS=True). It migrates all ADFS lab references from the old msidlab8 lab to the new id4slab1 lab, updates app configurations to use the correct ADFS-specific native client secret, and applies several bug fixes to ensure tests work correctly in the new lab environment.
Changes:
- Migrated ADFS authority/environment references from fs.msidlab8.com to fs.id4slab1.com across test constants and test files, and removed the unused Adfs2019LabConstants class.
- Changed Directory.Build.props to prevent IGNORE_FEDERATED from being defined when the pipeline variable is True, re-enabling all ADFS tests.
- Fixed test infrastructure: added AppAdfsNativeClient key vault secret, switched ADFS-direct tests to the correct app config, used dynamic ports to avoid parallel test conflicts, fixed string comparisons to case-insensitive, and corrected /adfs/ → /adfs Contains checks to match the new authority format (no trailing slash).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tests/Directory.Build.props | Changed condition from == 'True' to == 'False' to prevent IGNORE_FEDERATED from being defined when the pipeline variable is True |
| tests/Microsoft.Identity.Test.Common/TestConstants.cs | Updated ADFSAuthority to id4slab1; removed unused Adfs2019LabConstants class |
| tests/Microsoft.Identity.Test.Unit/pop/PoPTests.cs | Updated cache environment from fs.msidlab8.com to fs.id4slab1.com |
| tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultSecrets.cs | Added AppAdfsNativeClient key vault secret constant |
| tests/Microsoft.Identity.Test.Integration.netcore/SeleniumTests/InteractiveFlowTests.NetFwk.cs | Switched ADFS direct test to AppAdfsNativeClient; used dynamic port for AAD path to avoid parallel test conflicts |
| tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/UserInformationFieldIds.cs | Changed == to string.Equals with OrdinalIgnoreCase for user type comparison |
| tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/UsernamePasswordIntegrationTests.NetFwk.cs | Switched ADFS username/password test to AppAdfsNativeClient |
| tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsTests.NetFwk.cs | Fixed .Contains("/adfs/") to .Contains("/adfs") to match new authority format without trailing slash |
cb497a6 to 043895c
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
043895c to fd4eda5
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Re-enable ADFS tests for id4slab1 lab migration
Migrates all ADFS integration tests from the retired lab to fs.id4slab1.com and fixes every failure uncovered once they were un-skipped.

Background
ADFS tests have been gated by the IGNORE_FEDERATED compile symbol, which is controlled by the MSAL_SKIP_FEDERATED_TESTS MSBuild variable. That variable is set to "True" as a permanent pipeline-level default in ADO pipeline #905 (.NET MSAL PR (YAML)). Changing it would affect all concurrent PR builds, so it was not touched. Instead, the condition in tests/Directory.Build.props was temporarily commented out during development to force tests to run locally and in a validation build, then restored to match main for merge (see commit fd4eda5e5).

Commits
93bd19efc — Re-enable ADFS tests for id4slab1 migration
- ADFSAuthority constant to https://fs.id4slab1.com/adfs
- Adfs2019LabConstants class
- MSAL_SKIP_FEDERATED_TESTS prop in tests/Directory.Build.props to force ADFS tests to run in CI regardless of the pipeline variable (see validation note below)

b480f881f — Fix PopWhithAdfsUserAndBroker_Async cache environment

8658c75a2 — Fix ADFS interactive Selenium test failures
- UserInformationFieldIds.DetermineFieldIds: changed UserType string comparison to OrdinalIgnoreCase. KeyVault stores "federated" (lowercase) but LabConstants.UserTypeFederated is "Federated" — the case-sensitive == fell through to AAD field IDs on the ADFS page.
- InteractiveFlowTests.RunTestForUserAsync: switched to FindFreeLocalhostRedirectUri() for the federated-path test to avoid an HttpListenerException port conflict with Interactive_Adfs_DirectAsync on the hardcoded localhost:52073.

45c22049e — Fix all ADFS test failures for id4slab1 lab migration
- ClientCredentialsTests.NetFwk.cs: fixed JWT audience check using Contains("/adfs/") which fails when the authority has no trailing slash — changed to Contains("/adfs"). Regression introduced in a51b7f68a (Jan 2026), never caught because IGNORE_FEDERATED was still active. Also required server-side fixes on ADDC1 (cert added to LocalMachine\Root, JWTSigningKey configured).
- UsernamePasswordIntegrationTests.NetFwk.cs and InteractiveFlowTests.NetFwk.cs: switched from AppPCAClient (a ServerApplication which requires client auth) to new AppAdfsNativeClient. ADFS public client flows (ROPC, interactive) require a NativeClientApplication registration — ServerApplications reject them with MSIS9622.
- KeyVaultSecrets.cs: added AppAdfsNativeClient = "App-AdfsNativeClient-Config" constant.
- MSAL-Lab-Client-Native (c697bd8e-16d8-4f73-97d8-262e446581c2) in the MSAL-Lab-Tests group; created KV secret App-AdfsNativeClient-Config in id4skeyvault.

fd4eda5e5 — Restore tests/Directory.Build.props to match main
- MSAL_SKIP_FEDERATED_TESTS == 'True' condition in tests/Directory.Build.props to exactly match origin/main, so the pipeline variable behaviour is unchanged post-merge.

Testing
All 11 ADFS tests were validated locally (with the props condition temporarily disabled) and in ADO build #1601983 where they all passed:
- Interactive_Adfs_FederatedAsync
- Interactive_Adfs_DirectAsync
- ROPC_ADFSv4Federated_Async
- AcquireTokenFromAdfsUsernamePasswordAsync
- WithCertificate_TestAsync (Adfs,NetFx)
- WithCertificate_TestAsync (Adfs,NetCore)
- WithClientAssertion_Manual_TestAsync (Adfs,NetCore)
- WithClientAssertion_Wilson_TestAsync (Adfs,NetFx)
- WithSecret_TestAsync (Adfs,NetFx)
- WithClientClaims_OverrideClaims_TestAsync (Adfs,NetCore)
- WithClientClaims_SendX5C_OverrideClaims_TestAsync (Adfs,NetCore)

Build #1602009 (triggered by final commit fd4eda5e5) shows tests skipped — expected, because the props file now respects the pipeline-level MSAL_SKIP_FEDERATED_TESTS=True variable again.

Post-merge action required
To make ADFS tests run by default in all future PR builds, change the ADO pipeline variable after merging:
MSAL_SKIP_FEDERATED_TESTS from True → False

Individual builds can still override this at queue time since "Allow override at queue time" is enabled on the variable.
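
The two string-matching failures described in this PR (the trailing-slash-sensitive Contains("/adfs/") check and the case-sensitive user-type comparison), reproduced as an added example that is not code from this PR or from MSAL. The helper names IsAdfsAuthority and IsFederated and the login.example.com authority are constructed for illustration; the segment-based check goes one step beyond the PR's substring fix to show how an authority can be classified without depending on slashes or on neighbouring path text.

```csharp
using System;

static class AdfsCheckDemo
{
    // Hypothetical helper: classify an authority by its first path segment,
    // so "/adfs" and "/adfs/" both match while "/adfsx" does not.
    public static bool IsAdfsAuthority(string authority)
    {
        if (!Uri.TryCreate(authority, UriKind.Absolute, out Uri uri))
            return false;
        string[] segments = uri.AbsolutePath.Split(
            new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        return segments.Length > 0 &&
               string.Equals(segments[0], "adfs", StringComparison.OrdinalIgnoreCase);
    }

    // Hypothetical helper mirroring the UserType fix: the stored value is
    // "federated" while the constant it is compared against is "Federated".
    public static bool IsFederated(string userType)
    {
        return string.Equals(userType, "Federated", StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        string[] authorities =
        {
            "https://fs.id4slab1.com/adfs",          // authority format from the PR
            "https://fs.id4slab1.com/adfs/",         // same authority with trailing slash
            "https://login.example.com/adfsx/tenant" // constructed near-miss path
        };

        foreach (string a in authorities)
        {
            Console.WriteLine(a);
            Console.WriteLine("  Contains(\"/adfs/\"): " + a.Contains("/adfs/"));
            Console.WriteLine("  Contains(\"/adfs\") : " + a.Contains("/adfs"));
            Console.WriteLine("  first segment     : " + IsAdfsAuthority(a));
        }

        string stored = "federated"; // lowercase value, as the PR says KeyVault stores it
        Console.WriteLine("== \"Federated\"    : " + (stored == "Federated"));
        Console.WriteLine("OrdinalIgnoreCase : " + IsFederated(stored));
    }
}
```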