Bhardwaj-9418, I apologize for the delay in my response. Somehow I missed this thread. Let me try to share the answers for the questions listed above.
1) But how to enable application specific SSO ?
Ans: Application-specific SSO mostly works with apps using OAuth. When an app uses OAuth, it would mostly work on tokens. The two major tokens used are access tokens and refresh tokens. Using the refresh token, another access token is requested silently in the background, hence saving the user from logging in again in the middle of his session. Application-specific SSO is enabled by default if your OAuth application uses the Auth-Code Grant flow, which is an interactive login for users.
2) If the token issued is valid for, let's say, 1 hour, and the user tries to re-launch the application after 4 hours, how will silent authentication work? Will ADFS re-issue a new token using the refresh token if that is still valid?
Ans: If the user has accessed the application now, after logging in, he would be issued an access token (valid for 1 hr by default) and a refresh token (valid for 14 days, and this keeps increasing if the refresh token keeps getting used). If the user closes the application/browser session, that session gets destroyed there, and if after 4 hours the user again tries to access that same app, he would have to re-authenticate, as the refresh token won't work here since the session was destroyed. The refresh token would only work if the session is active and, just before the access token expires, the code of the app fetches the next access token using the refresh token that rests in the application cache.
3) How is the refresh token created? Do we need to enable this also, or is it created by default with session and persistent SSO?
Ans: If you are coding your own application, then you would need to use the MSAL library, which can be used to make the token requests. In that case, nothing special has to be done. But in case you are trying to fetch a token for an OAuth app using an HTTP POST request, then you would need to add "offline_access" as a value for the scope parameter.
Sample Request: https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize?client_id={client-id}&response_type=code&redirect_uri={redirect-uri}&response_mode=fragment&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&state=12345
4) What changes do we need at ADAL side ? domain-hint/login-hint etc. Could you please point me to some sample application.
Ans: You can check the following sample code. It's a browser-based application using MSAL (since this is the latest library) with OpenID Connect.
You can also check the following URLs:
- https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-overview
- https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Acquiring-tokens-with-authorization-codes-on-web-apps
- https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows
Though these samples are for Azure AD, they also work for ADFS. For enabling OpenID Connect on ADFS 2016, you can try the steps mentioned in the following article:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/enabling-oauth-confidential-clients-with-ad-fs
Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.
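The answer above describes three things in prose: the authorize request must carry the offline_access scope for a refresh token to be issued at all, the access token lives about an hour while the refresh token lives 14 days and is renewed each time it is used, and silent renewal only works while the refresh token is still in the application's cache (a closed browser session empties it). The following is an added, self-contained Python illustration of that life cycle; it is not code from the thread, from MSAL, or from ADFS. FakeIssuer, AppSession and the token strings are constructed stand-ins, and the lifetimes are the defaults quoted in the answer.

```python
"""Constructed model of the access/refresh token life cycle described above.
Nothing here contacts ADFS or Azure AD; the issuer and cache are fakes."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urlparse

ACCESS_TOKEN_LIFETIME = timedelta(hours=1)    # default access token lifetime quoted in the answer
REFRESH_TOKEN_LIFETIME = timedelta(days=14)   # refresh token lifetime, renewed on every use


def build_authorize_url(authority: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str) -> str:
    """Build an auth-code request like the sample in the answer.
    Refuses to build one without offline_access, because without that scope
    the token endpoint returns no refresh token and silent renewal is impossible."""
    if "offline_access" not in scopes:
        raise ValueError("offline_access scope missing: no refresh token would be issued")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": " ".join(scopes),
        "state": state,
    }
    # quote_via=quote encodes spaces as %20, matching the sample request in the answer.
    return f"{authority}/oauth2/v2.0/authorize?{urlencode(params, quote_via=quote)}"


def scopes_in(url: str) -> set[str]:
    """Read the space-separated scope parameter back out of an authorize URL
    (handy when reviewing what an app actually asks the identity provider for)."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


@dataclass
class TokenSet:
    access_token: str
    access_expires: datetime
    refresh_token: str
    refresh_expires: datetime


class FakeIssuer:
    """Stand-in for the ADFS / Azure AD token endpoint (constructed)."""

    def __init__(self) -> None:
        self._counter = 0

    def _next(self, kind: str) -> str:
        self._counter += 1
        return f"{kind}-{self._counter}"

    def issue_for_code(self, now: datetime) -> TokenSet:
        """Redeem an authorization code: one access token plus one refresh token."""
        return TokenSet(self._next("at"), now + ACCESS_TOKEN_LIFETIME,
                        self._next("rt"), now + REFRESH_TOKEN_LIFETIME)

    def redeem_refresh(self, tokens: TokenSet, now: datetime) -> Optional[TokenSet]:
        """Exchange a refresh token for a new pair; the refresh lifetime slides forward on use."""
        if now >= tokens.refresh_expires:
            return None  # refresh token expired: the user has to log in interactively
        return TokenSet(self._next("at"), now + ACCESS_TOKEN_LIFETIME,
                        self._next("rt"), now + REFRESH_TOKEN_LIFETIME)


class AppSession:
    """The application's token cache. Ending the browser session empties it,
    which is why a relaunch hours later needs a fresh interactive login."""

    def __init__(self, issuer: FakeIssuer) -> None:
        self.issuer = issuer
        self.cache: Optional[TokenSet] = None

    def login_interactive(self, now: datetime) -> str:
        self.cache = self.issuer.issue_for_code(now)
        return self.cache.access_token

    def acquire_token_silent(self, now: datetime) -> Optional[str]:
        """Return a usable access token with no user interaction, or None when
        the app must send the user through the interactive auth-code flow again."""
        if self.cache is None:
            return None                          # nothing cached: session was ended or never started
        if now < self.cache.access_expires:
            return self.cache.access_token       # still valid, reuse it
        renewed = self.issuer.redeem_refresh(self.cache, now)
        if renewed is None:
            self.cache = None                    # refresh token dead, drop the stale set
            return None
        self.cache = renewed                     # silent renewal succeeded
        return renewed.access_token

    def end_session(self) -> None:
        self.cache = None


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    app = AppSession(FakeIssuer())
    print("interactive:", app.login_interactive(t0))
    print("after 30 min:", app.acquire_token_silent(t0 + timedelta(minutes=30)))
    print("after 61 min:", app.acquire_token_silent(t0 + timedelta(minutes=61)))
    app.end_session()
    print("after session ended:", app.acquire_token_silent(t0 + timedelta(hours=4)))
```

Running the script shows the sequence from the answer: the cached token is reused inside the hour, a silent refresh hands back a new token just after it, and once the session is ended the silent call returns None, meaning the app must start the interactive flow again.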