Hi All,
As I could understand, when I add a laptop as Azure AD joined, SSO works fine for my Hybrid users (PHS enabled) when accessing all Azure resources using the PRT/AT token; the following article also says hybrid users get an SSO experience on AAD joined devices when accessing applications integrated with on-prem AD.
https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
However, what would be the hybrid user experience when accessing applications which are integrated with ADFS or a 3rd party federation provider using a SAML federation trust?
Does the user need to punch in user name + password, or is there any chance to consume the token provided by Azure AD or the Kerberos token provided by on-prem AD?
Thank you!
Hi Team
Appreciate any help
Hi @RST ,
Thanks for reaching out.
From the AAD joined device aspect, ADFS or 3rd party federation servers are considered an application, so when those servers are configured for Windows Integrated Authentication, users seamlessly get SSO when they try accessing the application from an AAD joined device.
For example: let's say ADFS has been configured with Windows Integrated Authentication (WIA). When a user tries to access an ADFS integrated app through an "Azure AD joined device", they seamlessly get SSO, as ADFS expects a Kerberos token, and then the device:
- Sends the on-premises domain information and user credentials to the located DC to get the user authenticated.
- Receives a Kerberos Ticket-Granting Ticket (TGT) or NTLM token based on the protocol the on-premises resource or application supports.
If the attempt to get the Kerberos TGT or NTLM token for the domain fails (a related DCLocator timeout can cause a delay), Credential Manager entries are attempted, or the user may receive an authentication popup requesting credentials for the target resource.
Note: On-premises SSO requires line-of-sight communication with your on-premises AD DS domain controllers. If Azure AD joined devices are not connected to your organization's network, a VPN or other network infrastructure is required.
Hope this helps.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
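The answer above names three things that have to be true for the SSO path to work: the device must be Azure AD joined and hold a PRT, it must have line of sight to a domain controller for the Kerberos leg, and ADFS must actually offer Windows Integrated Authentication on the intranet. The following PowerShell is an added example written for this thread (not code from the original post or from Microsoft) that checks each of those from the defender's side. The client-side block runs on the Azure AD joined Windows device and parses `dsregcmd /status`; the server-side block runs on an ADFS server with the ADFS module available. The domain name `contoso.local` is a placeholder; the cmdlet and property names used are the standard ones from the ADFS module.

```powershell
# Added example for this thread, not from the original answer or any Microsoft sample.
# Part 1 runs on an Azure AD joined client, part 2 on an ADFS server.

# --- Part 1: client-side state ---------------------------------------------
# dsregcmd /status prints "Key : Value" lines; keep the three the answer depends on.
function Get-DeviceJoinState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$join = Get-DeviceJoinState
if ($join['AzureAdJoined'] -ne 'YES') { Write-Warning 'Device is not Azure AD joined.' }
if ($join['AzureAdPrt']   -ne 'YES') { Write-Warning 'No PRT on this device; Azure AD SSO will not work.' }

# The Kerberos leg needs a reachable DC (the note in the answer about line of sight).
# 'contoso.local' is a placeholder for your on-prem AD DS domain.
nltest /dsgetdc:contoso.local 2>$null | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'No DC reachable; expect Credential Manager fallback or a credential prompt.'
}

# --- Part 2: ADFS-side configuration ----------------------------------------
Import-Module ADFS

# WIA must be one of the enabled intranet primary authentication providers,
# otherwise intranet users land on the forms-based sign-in page instead of SSO.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
    Write-Warning 'WindowsAuthentication is not an intranet primary provider; SSO will fall back to forms.'
}

# ADFS only offers WIA to browsers whose User-Agent matches this list. Review it,
# because a browser that is not matched is silently sent to forms authentication.
(Get-AdfsProperties).WIASupportedUserAgents
```

Run part 1 in an elevated prompt on the client; a `NO` for `AzureAdPrt` after a fresh sign-in is the first thing to chase, since without a PRT neither the Azure AD nor the ADFS SSO path will work. On the ADFS side, if `WIASupportedUserAgents` does not match the browsers your users actually run, WIA is never attempted and the credential prompt the answer describes is the result, even though the device itself is healthy.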
Hello @RST ,
Just checking if you have any follow-up question? If the above answer helped your query, please don't forget to click Accept the answer and Up-Vote. Thanks.