Fix ADFS tests for id4slab1 lab migration. (#5810)

* Re-enable ADFS tests for id4slab1 migration

- Comment out MSAL_SKIP_FEDERATED_TESTS prop in Directory.Build.props so ADFS tests always run regardless of pipeline variable group
- Update ADFSAuthority constant to point to fs.id4slab1.com (new lab)
- Remove unused Adfs2019LabConstants class (no references in codebase)

* Fix PopWhithAdfsUserAndBroker_Async cache environment after ADFS authority migration

* Fix ADFS interactive Selenium test failures

- UserInformationFieldIds.DetermineFieldIds: use OrdinalIgnoreCase for
  UserType comparisons. KeyVault stores 'federated' (lowercase) but
  LabConstants.UserTypeFederated is 'Federated', causing the case-sensitive
  == to fall through to AAD field IDs on an ADFS page (root cause).

- InteractiveFlowTests.RunTestForUserAsync: use FindFreeLocalhostRedirectUri()
  for the non-direct path to avoid HttpListenerException port conflict with
  Interactive_Adfs_DirectAsync on localhost:52073. AAD public client apps
  accept any http://localhost:{port} so a dynamic port is valid here.

* Fix all ADFS test failures for id4slab1 lab migration

ClientCredentialsTests.NetFwk.cs:
- Fix audience check: Contains('/adfs/') fails for authority without trailing
  slash. Changed to Contains('/adfs'). Bug introduced in a51b7f6 (Avery-Dunn,
  Jan 15 2026), never caught because IGNORE_FEDERATED was still gating tests.
  Also required server-side fixes on ADDC1 (cert in Root store + JWTSigningKey).

UsernamePasswordIntegrationTests.NetFwk.cs:
- Use AppAdfsNativeClient (ADFS NativeClientApplication GUID) instead of
  AppPCAClient (ServerApplication GUID). ADFS ServerApplications require client
  auth; public client ROPC flows need a NativeClientApplication registration.

InteractiveFlowTests.NetFwk.cs:
- Same AppAdfsNativeClient fix for Interactive_Adfs_DirectAsync.

KeyVaultSecrets.cs:
- Add AppAdfsNativeClient = 'App-AdfsNativeClient-Config' constant pointing to
  NativeClientApplication (c697bd8e-16d8-4f73-97d8-262e446581c2) registered
  in MSAL-Lab-Tests group on ADDC1.

SeleniumExtensions.cs / UserInformationFieldIds.cs:
- Simplify EnterPassword: remove redundant ADFS fallback logic (now handled
  upstream by DetermineFieldIds with OrdinalIgnoreCase comparison).

Server-side changes on ADDC1 (permanent, not code):
- NativeClientApplication 'MSAL-Lab-Client-Native' registered in MSAL-Lab-Tests
- KV secret 'App-AdfsNativeClient-Config' created in id4skeyvault

All 11 ADFS tests now pass locally (8 on NetCore, 3 on NetFx).

* Restore tests/Directory.Build.props to match main (MSAL_SKIP_FEDERATED_TESTS == True)

* Fix ADFS authority detection: use Uri path segment comparison instead of string.Contains

Author: RyAuld

src/client/Microsoft.Identity.Lab.Api/Internal/TestConstants.cs

@@ -53,6 +53,11 @@ public static class KeyVaultSecrets
         /// </summary>
         public const string AppPCAClient = "App-PCAClient-Config";
         /// <summary>
+        /// Application configuration for ADFS native client testing scenarios. ADFS public client flows (ROPC, interactive)
+        /// require a NativeClientApplication registration — ServerApplications reject them with MSIS9622.
+        /// </summary>
+        public const string AppAdfsNativeClient = "App-AdfsNativeClient-Config";
+        /// <summary>
         /// Represents the configuration key for the application's Web API settings.
         /// </summary>
         public const string AppWebApi = "App-WebApi-Config";

src/client/Microsoft.Identity.Lab.Api/LabInfra/KeyVaultSecrets.cs

@@ -13,6 +13,7 @@ const Microsoft.Identity.Test.Common.TestCategories.TokenCacheTests = "TokenCach
 const Microsoft.Identity.Test.Common.TestCategories.UnifiedSchemaValidation = "UnifiedSchema_Validation" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultInstance.MsalTeam = "https://id4skeyvault.vault.azure.net/" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultInstance.MSIDLab = "https://msidlabs.vault.azure.net" -> string
+const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppAdfsNativeClient = "App-AdfsNativeClient-Config" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppPCAClient = "App-PCAClient-Config" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppS2S = "App-S2S-Config" -> string
 const Microsoft.Identity.Test.LabInfrastructure.KeyVaultSecrets.AppWebApi = "App-WebApi-Config" -> string
@@ -50,7 +51,7 @@ const Microsoft.Identity.Test.Unit.TestConstants.ATSecret3 = "some-access-token3
 const Microsoft.Identity.Test.Unit.TestConstants.AadAuthorityWithMsftTenantId = "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/" -> string
 const Microsoft.Identity.Test.Unit.TestConstants.AadAuthorityWithTestTenantId = "https://login.microsoftonline.com/751a212b-4003-416e-b600-e1f48e40db9f/" -> string
 const Microsoft.Identity.Test.Unit.TestConstants.AadTenantId = "751a212b-4003-416e-b600-e1f48e40db9f" -> string
-const Microsoft.Identity.Test.Unit.TestConstants.ADFSAuthority = "https://fs.msidlab8.com/adfs/" -> string
+const Microsoft.Identity.Test.Unit.TestConstants.ADFSAuthority = "https://fs.id4slab1.com/adfs/" -> string
 const Microsoft.Identity.Test.Unit.TestConstants.ADFSAuthority2 = "https://someAdfs.com/adfs/" -> string
 const Microsoft.Identity.Test.Unit.TestConstants.AppServiceEndpoint = "http://127.0.0.1:41564/msi/token" -> string
 const Microsoft.Identity.Test.Unit.TestConstants.AuthorityCommonPpeAuthority = "https://login.windows-ppe.net/common/" -> string

src/client/Microsoft.Identity.Lab.Api/PublicAPI.Unshipped.txt

@@ -555,6 +555,13 @@ private static IConfidentialClientApplication CreateApp(
                 .WithAuthority(authority, true)
                 .WithTestLogging();
 
+            var authorityUri = new Uri(authority);
+            bool isAdfs = authorityUri.AbsolutePath.Equals("/adfs", StringComparison.OrdinalIgnoreCase) ||
+                authorityUri.AbsolutePath.StartsWith("/adfs/", StringComparison.OrdinalIgnoreCase);
+            string adfsAud = isAdfs ?
+                authority + "/oauth2/token" :
+                authority + "/oauth2/v2.0/token";
+
             switch (credentialType)
             {
                 case CredentialType.Cert:
@@ -564,27 +571,18 @@ private static IConfidentialClientApplication CreateApp(
                     builder.WithClientSecret(secret);
                     break;
                 case CredentialType.ClientAssertion_Manual:
-
-                    var aud = authority.Contains("/adfs/") ?
-                        authority + "/oauth2/token" :
-                        authority + "/oauth2/v2.0/token";
-
                     builder.WithClientAssertion(() => GetSignedClientAssertionManual(
                       clientId,
-                      aud, // for AAD use v2.0, but not for ADFS
+                      adfsAud, // for AAD use v2.0, but not for ADFS
                       cert,
                       useSha2AndPssForAssertion));
                     break;
 
                 case CredentialType.ClientAssertion_Wilson:
-                    var aud2 = authority.Contains("/adfs/") ?
-                       authority + "/oauth2/token" :
-                       authority + "/oauth2/v2.0/token";
-
                     builder.WithClientAssertion(
                         () => GetSignedClientAssertionUsingWilson(
                             clientId,
-                            aud2,
+                            adfsAud,
                             cert));
                     break;
 #pragma warning disable CS0618 // Type or member is obsolete

tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/ClientCredentialsTests.NetFwk.cs

@@ -80,7 +80,7 @@ public async Task ROPC_ADFSv4Federated_Async()
         public async Task AcquireTokenFromAdfsUsernamePasswordAsync()
         {
             var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserFederated).ConfigureAwait(false);
-            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppPCAClient).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppAdfsNativeClient).ConfigureAwait(false);
 
             // Use the new ADFS authority and disable validation since ADFS infrastructure is not fully available
             Uri authorityUri = new Uri("https://fs.id4slab1.com/adfs");

tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/UsernamePasswordIntegrationTests.NetFwk.cs

@@ -64,14 +64,14 @@ public string AADUsernameInputId
 
         private void DetermineFieldIds()
         {
-            if (_user.UserType == LabConstants.UserTypeFederated)
+            if (string.Equals(_user.UserType, LabConstants.UserTypeFederated, StringComparison.OrdinalIgnoreCase))
             {
                 _passwordInputId = CoreUiTestConstants.AdfsV4WebPasswordId;
                 _passwordSignInButtonId = CoreUiTestConstants.AdfsV4WebSubmitId;
                 return;
             }
 
-            if (_user.UserType == LabConstants.UserTypeB2C)
+            if (string.Equals(_user.UserType, LabConstants.UserTypeB2C, StringComparison.OrdinalIgnoreCase))
             {
                 DetermineB2CFieldIds();
                 return;

tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/UserInformationFieldIds.cs

@@ -138,7 +138,7 @@ public async Task Interactive_Arlington_MultiCloudSupport_AADAsync()
         public async Task Interactive_Adfs_DirectAsync()
         {
             var user = await LabResponseHelper.GetUserConfigAsync(KeyVaultSecrets.UserFederated).ConfigureAwait(false);
-            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppPCAClient).ConfigureAwait(false);
+            var app = await LabResponseHelper.GetAppConfigAsync(KeyVaultSecrets.AppAdfsNativeClient).ConfigureAwait(false);
             await RunTestForUserAsync(user, app, true).ConfigureAwait(false);
         }      
 
@@ -216,9 +216,11 @@ private async Task<AuthenticationResult> RunTestForUserAsync(UserConfig user, Ap
             }
             else
             {
+                // Use a dynamic port to avoid conflicts when this test runs in parallel with Interactive_Adfs_DirectAsync,
+                // which also listens on http://localhost:52073. AAD public client apps accept any http://localhost:{port}.
                 pca = PublicClientApplicationBuilder
                     .Create(app.AppId)
-                    .WithRedirectUri("http://localhost:52073")
+                    .WithRedirectUri(SeleniumWebUI.FindFreeLocalhostRedirectUri())
                     .WithAuthority(app.Authority + "common")
                     .WithTestLogging(out factory)
                     .Build();

tests/Microsoft.Identity.Test.Integration.netcore/SeleniumTests/InteractiveFlowTests.NetFwk.cs

@@ -274,7 +274,7 @@ public async Task PopWhithAdfsUserAndBroker_Async()
                 PublicClientApplication pca = pcaBuilder.BuildConcrete();
 
                 TokenCacheHelper.PopulateCache(accessor: pca.UserTokenCacheInternal.Accessor,
-                                               environment: "fs.msidlab8.com");
+                                               environment: "fs.id4slab1.com");
                 TokenCacheHelper.ExpireAllAccessTokens(pca.UserTokenCacheInternal);
 
                 pca.ServiceBundle.Config.BrokerCreatorFunc = (_, _, _) => mockBroker;