ADFS : SSO with Windows session

FXE 516 Reputation points
2021-05-17T15:45:36.45+00:00

Hi all,

I'm searching for a solution to connect to an external application by capturing the Windows session.
We have an ADFS 2019.

Today we are able to connect to this application, but we have to log in to ADFS before accessing it, and I want to bypass this step if possible.
Application access will only be from internal network.

Thank you !
Regards,

Microsoft Security | Active Directory Federation Services

6 answers

  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2021-05-17T19:13:35.037+00:00

    SSO configuration is described here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia#configuring-wia-for-chrome

    In a nutshell, you need to make sure that:

    1. Your browser is configured to accept Windows Integrated Authentication for the ADFS URL (that might mean that you need to add the URL to some trusted zone security settings) - that's not specific to ADFS, by the way; that's for all websites on which you want to use WIA.
    2. Your ADFS is configured to accept your browser for SSO (that's the link I copied earlier). That's with the WIASupportedUserAgents parameter.
    3. Your authentication policy allows WIA (and the application is not forcing Forms-Based Authentication).
    1 person found this answer helpful.
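    A PowerShell script that applies steps 2 and 3 above, as an added example rather than code from the thread or from Microsoft's documentation; it assumes the ADFS 2019 farm from the question, the Edge pattern `=~Windows\s*NT.*Edg.*` that appears later in this thread, and a constructed Edge user-agent string.

```powershell
# Added example (not from the thread): idempotently add the Edge user-agent
# pattern to WIASupportedUserAgents and verify that the intranet policy
# allows WIA. Assumes an elevated PowerShell session on an ADFS 2019 server.
Import-Module ADFS

# ADFS treats values starting with "=~" as regular expressions; this one
# matches the user agent of Edge (Chromium) on Windows.
$edgePattern = '=~Windows\s*NT.*Edg.*'

# Step 2: make sure ADFS accepts the browser for WIA.
$current = (Get-AdfsProperties).WIASupportedUserAgents

if ($current -contains $edgePattern) {
    Write-Host "Edge pattern already present."
} else {
    # Set-AdfsProperties replaces the whole list, so keep the existing entries.
    $updated = @($current) + $edgePattern
    Set-AdfsProperties -WIASupportedUserAgents $updated
    Write-Host "Edge pattern added. Restart the ADFS service (adfssrv) on every farm node."
}

# Sanity-check the regex locally against a constructed Edge user agent
# (PowerShell uses the same .NET regex engine as ADFS).
$sampleUa = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
            '(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.56'
$regex = $edgePattern.Substring(2)   # strip the "=~" marker
if ($sampleUa -match $regex) {
    Write-Host "Pattern matches the constructed Edge user agent."
} else {
    Write-Warning "Pattern does not match the Edge user agent; check the regex."
}

# Step 3: confirm the intranet primary authentication policy permits WIA.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -contains 'WindowsAuthentication') {
    Write-Host "Intranet policy allows Windows Integrated Authentication."
} else {
    Write-Warning "WindowsAuthentication is not an intranet primary provider; WIA SSO cannot work."
}
```

    The browser-side part of step 1 (adding the ADFS URL to the Intranet zone) is a client setting and is not covered by the script.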

  2. FXE 516 Reputation points
    2021-05-17T20:50:27.037+00:00

    @Pierre Audonnet - MSFT: I found a post from you about that here: https://learn.microsoft.com/en-us/answers/questions/100097/sso-support-for-edge-chromium-based-with-adfs-30.html

    Following that, I now have this ADFS configuration:

    Get-AdfsProperties | select -ExpandProperty WiaSupportedUserAgents
    MSAuthHost/1.0/In-Domain
    MSIE 6.0
    MSIE 7.0
    MSIE 8.0
    MSIE 9.0
    MSIE 10.0
    Trident/7.0
    MSIPC
    Windows Rights Management Client
    MS_WorkFoldersClient
    =~Windows\s*NT.*Edg.*

    Since then, I no longer land on the ADFS login page, and Edge prompts for credentials. I guess I'm on the right track.
    But SSO still doesn't work.

    Any idea, please?
    Thank you.

    Regards,


  3. FXE 516 Reputation points
    2021-05-17T21:04:47.2+00:00

    Sorry, I forgot to tell you that I have already added our ADFS URL to the Intranet zone.

    Regards,


  4. FXE 516 Reputation points
    2021-05-17T21:07:31.367+00:00

    Hmm... I've just tried copying the ADFS-generated URL into IE, and it seems to work without a credentials prompt.

    Probably due to an MS Edge / ADFS misconfiguration?

    I found various syntaxes for ADFS to work with MS Edge: "=~Windows\s*NT.Edg.", "=~Windows\sNT./Edg", "=~Windows\sNT.*Edg", ...

    Is there a really correct syntax?


  5. FXE 516 Reputation points
    2021-05-17T22:55:38.227+00:00

    Are you talking about a trace from the event logs / ADFS tracing?

