This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 57.99999999999999%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBA%3C/text%3E%3C/svg%3E)
Based on this article https://learn.microsoft.com/en-us/entra/identity-platform/msal-android-single-sign-on
How to achieve Cross APP SSO with ADFS Account?
I have my environment running full on premise with ADFS 2019, Exchange server 2019 CU 14.
I've already tried the cross app SSO with entra id. But how to achieve it with on premise account with my environment account?
My Goal is to have cross app sso but with adfs account (auto logged in with outlook). I already achieve it with entra id but can't with adfs account.
Is it possible?
A robust email, calendaring, and collaboration platform developed by Microsoft, designed for enterprise-level communication and data management.Miscellaneous topics that do not fit into specific categories.
Federated identity management using Active Directory Federation Services
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @Bayu Aji Setyawan ,
Welcome to the Microsoft Q&A platform!
Yes, it is possible to achieve cross-app Single Sign-On (SSO) with an ADFS account in your on-premises environment. Here is a high-level overview of the configuration steps:
For detailed guidance, you can refer to the Microsoft documentation on enabling cross-app SSO using MSAL.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
Hi @Anonymous
Thank you for your response.
For the ADFS Configuration, I already followed this article (https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019) on my dev env, but skip step 5 because it says optional. Is this enough?
For the MSAL.
{
"type": "AAD",
"audience": {
"type": "AzureADandPersonalMicrosoftAccount",
"tenant_id": "common"
}
}
Let's go through each of your questions one by one:
In the MSAL configuration JSON, you can place the authorization parameters in the authorization array. Here is an example:
{
"client_id":"00001111-aaaa-bbbb-3333-cccc4444"
"authorization_user_agent":"WEBVIEW"
"redirect_uri":"msauth://com.example.myapp/00001111%cccc4444%3D"
"broker_redirect_uri_registered":true,
"account_mode":"SINGLE"
"authorities":[
{
"type":"ADFS"
"authority_url":"https://adfs.mydomain.com/adfs"
}
]
}
You can generate SIGNATURE_HASH as follows:
keytool -exportcert -alias <ALIAS> -keystore <PATH_TO_KEYSTORE> | openssl sha1 -binary | openssl base64
Replace <ALIAS> and <PATH_TO_KEYSTORE> with your actual alias and keystore path.
Hi @Anonymous ,
I got this error from android. I use the single account activity from this sample https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-android/https://github.com/Azure-Samples/ms-identity-android-java
Already tried to remove to remove/disable from callGraphAPI function too but still the same error persist.
This is the error
"com.microsoft.identity.client.exception.MsalClientException: com.microsoft.identity.common.java.authorities.ActiveDirectoryFederationServicesAuthority cannot be cast to com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAuthority"
Notes: I change the real values of my environment with "sensitiveinformation"
Hi @Bayu Aji Setyawan ,
Thanks for your response.
Based on your description, it seems that there is indeed a limitation in using MSAL for Android directly with ADFS. The error you encountered, com.microsoft.identity.client.exception.MsalClientException: com.microsoft.identity.common.java.authorities.ActiveDirectoryFederationServicesAuthority cannot be cast to com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAuthority, indicates that MSAL for Android does not support ADFS as an authority.
Key Points:
According to Microsoft Q&A, MSAL for Android does not directly support ADFS.
The MSAL configuration document also does not list ADFS as a supported authority.
Workaround:
To implement SSO with ADFS, you can use Azure AD as an intermediary. You can set it up as follows:
Here is an example of a MSAL configuration:
{
"client_id": "00001111-aaaa-bbbb-3333-cccc4444",
"authorization_user_agent": "WEBVIEW",
"redirect_uri": "msauth://com.example.myapp/6/aB1cD2eF3gH4iJ5kL6-mN7oP8qR=",
"broker_redirect_uri_registered": true,
"account_mode": "SINGLE",
"authorities": [
{
"type": "AAD",
"authority_url": "https://login.microsoftonline.com/common"
}
]
}
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
Hi @Anonymous ,
Thanks for you reply. Thank you so it's confirmed that ADFS is not supported by MSAL ADFS android.
From this sentence "Configure Azure AD to federate with ADFS". How to do that in my adfs environment?
Hi @Bayu Aji Setyawan ,
Thanks for your response!
To configure Azure AD to federate with your on-premises ADFS, you can follow these steps:
Ensure your ADFS environment is properly set up and running. You should have:
Azure AD Connect is a tool that helps you integrate your on-premises directories with Azure AD. Here’s how to set it up:
For more detailed instructions, you can refer to the following resources:
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
Hi @Anonymous ,
Thank you for your response. I have several question about this.
{
"type": "AAD",
"audience": {
"type": "AzureADandPersonalMicrosoftAccount",
"tenant_id": "common"
}
}
Here are my previous code using
var publicClientApplicationBuilder = PublicClientApplicationBuilder
.Create("MyClientIDFromADFS")
.c("https://adfs.mydomain.com/adfs")
.WithRedirectUri($"msauth://com.test.app/mybase_64_encoded_signature")
.Build();
var authResult = await publicClientApplicationBuilder.AcquireTokenInteractive({"email"})
.WithParentActivityOrWindow(EntraConfig.ParentWindow)
.ExecuteAsync().ConfigureAwait(false);
Debug.WriteLine($"SUCCESS => {authResult.AccessToken}");
Hi @Bayu Aji Setyawan ,
Let me answer your questions one by one:
a. Use the WithBroker() method in the MSAL.NET configuration.
b. Since MSAL.NET does not support direct ADFS authorization, Azure AD should be used as the authorization.
I think the statement you used before is correct.
Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.
Best,
Jake Zhang
Hi @Anonymous ,
Thank you for your reply.
I just wanna clarify 1 things about my third question. "Since MSAL.NET does not support direct ADFS authorization, Azure AD should be used as the authorization".
So whether I using MSAL kotlin/java for android or MSAL.NET/MAUI for android. The cross app SSO will only be achieved if we use entra id/entra connect/azure ad/azure ad connect/cloud/office 365 as authority? It'll not work solely with adfs on premise alone or using adfs as authority?
Btw fyi, I already tried with using MSAL.NET with a function called .WithAdfsAuthority()
And already successfully logged in and get the access token, but still the cross app sso not achieved and there isn't my adfs account on microsoft authenticator. It isn't like when I use WithBroker(), the entra id account is there (microsoft authenticator).
Btw I tried to using .WithBroker().WithAdfsAuthority("https://adfs.mydomain.com/adfs)
But there's error like this ...Broker response returned error: com.microsoft.identity.common.java.authorities.ActiveDirectoryFederationServicesAuthority cannot be cast to com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAuthority...
(I posted it too in stackoverflow if you wanna see the details https://stackoverflow.com/questions/79274026/cant-use-broker-mode-with-adfs-authority)
I think it's the same error like when I use msal java/kotlin but using this json configuration
"authorities":[
{
"type":"ADFS"
"authority_url":"https://adfs.mydomain.com/adfs"
}
]
So yeah, doesn't it means that cross app sso with only adfs as an authority is not possible?
You are correct. Cross-app SSO using only ADFS as an authority is not supported by MSAL for Android or MSAL.NET.
To achieve cross-app SSO, you should use Azure AD Connect to set up federation between your on-premises ADFS and Azure AD.And configure your MSAL applications to use Azure AD as the authority.
Here’s how you can configure MSAL.NET to use Azure AD with broker support:
var publicClientApplicationBuilder = PublicClientApplicationBuilder
.Create("YourClientID")
.WithAuthority("https://login.microsoftonline.com/common")
.WithRedirectUri($"msauth://com.test.app/mybase_64_encoded_signature")
.WithBroker()
.Build();
var authResult = await publicClientApplicationBuilder.AcquireTokenInteractive(new[] { "User.Read" })
.WithParentActivityOrWindow(EntraConfig.ParentWindow)
.ExecuteAsync().ConfigureAwait(false);
Debug.WriteLine($"SUCCESS => {authResult.AccessToken}");
Hi @Bayu Aji Setyawan ,
Please kindly consider this comment as a warm follow up, I want to know if your problem has been solved. If you still have any other questions, please feel free to comment here and I'm glad to provide further support.If the above info is helpful to this question, you can click "Accept Answer". Have a nice day!
Best,
Jake Zhang
Okay thank you for your answer, so its not possible with only using ADFS