SSO with OnPrem Apps on Azure AD Joined devices

RST 86 Reputation points
2021-06-01T09:34:10.243+00:00

Hi All,

As I understand it, when I add a laptop as Azure AD joined, SSO works fine for my hybrid users (PHS enabled) when accessing all Azure resources using the PRT/AT token; the following article also says hybrid users get an SSO experience on AAD joined devices when accessing applications integrated with on-prem AD.

https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso

However, what would the hybrid user experience be when accessing applications which are integrated with ADFS or a 3rd-party federation provider using a SAML federation trust?

Does the user need to punch in username + password, or is there any chance to consume the token provided by Azure AD or the Kerberos token provided by on-prem AD?

Thank you!

Microsoft Entra ID

3 answers

  1. RST 86 Reputation points
    2021-06-02T05:38:46.603+00:00

    Hi Team

    Appreciate any help


  2. Siva-kumar-selvaraj 15,631 Reputation points
    2021-06-02T17:28:36.03+00:00

    Hi @RST ,

    Thanks for reaching out.

    From the AAD joined device's perspective, ADFS or 3rd-party federation servers are considered an application, so when those servers are configured for Windows Integrated Authentication, users seamlessly get SSO when they try to access the application from an AAD joined device.

    For example: let's say ADFS is configured with Windows Integrated Authentication (WIA). When a user tries to access an ADFS-integrated app from an Azure AD joined device, they seamlessly get SSO, as ADFS expects a Kerberos token, and the device:

    - Sends the on-premises domain information and user credentials to the located DC to get the user authenticated.
    - Receives a Kerberos Ticket-Granting Ticket (TGT) or NTLM token based on the protocol the on-premises resource or application supports.
    - If the attempt to get the Kerberos TGT or NTLM token for the domain fails (a related DCLocator timeout can cause a delay), Credential Manager entries are attempted, or the user may receive an authentication popup requesting credentials for the target resource.

    Note: On-premises SSO requires line-of-sight communication with your on-premises AD DS domain controllers. If Azure AD joined devices are not connected to your organization's network, a VPN or other network infrastructure is required.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

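The answer above describes the client side of the flow (PRT on the device, DC line of sight, TGT, then a Kerberos service ticket for ADFS) but gives nothing to check it with. The following PowerShell diagnostic is an added example, not code from the thread or from Microsoft; it assumes an ADFS farm name of adfs.contoso.com and an on-prem AD DNS domain of contoso.com, both placeholders. Run it on the Azure AD joined laptop as the hybrid user, right after one browser sign-in attempt to the ADFS-protected app, so the Kerberos ticket cache reflects that attempt.

```powershell
# Added diagnostic script (example, not from the original thread or Microsoft docs).
# Assumed names, replace with your own: ADFS farm adfs.contoso.com, on-prem AD domain contoso.com.
# Run on the Azure AD joined client as the hybrid user, after one browser sign-in attempt to the ADFS app.

$AdfsHost = 'adfs.contoso.com'
$AdDomain = 'contoso.com'

function Get-DsregState {
    # dsregcmd /status prints "Name : Value" lines; keep the ones that matter for on-prem SSO.
    # OnPremTgt/CloudTgt only exist on newer Windows builds, so they may be absent from the result.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|OnPremTgt|CloudTgt)\s*:\s*(\S+)') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-DcLineOfSight {
    param([string]$Domain)
    # On-prem SSO needs a reachable DC: nltest runs the DC locator, then confirm the KDC port (88) is open.
    $out = & nltest.exe /dsgetdc:$Domain 2>&1
    if ($LASTEXITCODE -ne 0) { return [pscustomobject]@{ DcFound = $false; Dc = $null; Kdc88Open = $false } }
    $dc = $null
    foreach ($line in $out) { if ($line -match '^\s*DC:\s*\\\\(\S+)') { $dc = $matches[1]; break } }
    $kdc = Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue
    [pscustomobject]@{ DcFound = $true; Dc = $dc; Kdc88Open = $kdc.TcpTestSucceeded }
}

function Get-KerberosTicketSummary {
    param([string]$Domain, [string]$FarmHost)
    # klist lists cached tickets as "Server: <spn> @ <REALM>". The TGT shows as krbtgt/<REALM>; a service
    # ticket for ADFS shows as HTTP/<farm name>. A TGT without an HTTP ticket after a sign-in attempt means
    # the browser never did Negotiate against ADFS (it fell back to the forms page or prompted).
    $tickets = @()
    foreach ($line in (& klist.exe)) { if ($line -match '^\s*Server:\s*(\S+)') { $tickets += $matches[1] } }
    [pscustomobject]@{
        HasTgt        = [bool]($tickets | Where-Object { $_ -like "krbtgt/$Domain*" })
        HasAdfsTicket = [bool]($tickets | Where-Object { $_ -like "HTTP/$FarmHost*" })
        Tickets       = $tickets
    }
}

function Test-IntranetZone {
    param([string]$FarmHost)
    # Edge, Chrome and IE on Windows only send Kerberos automatically to hosts in the Local Intranet zone (1).
    # Two places to look: the user's own ZoneMap, and the GPO "Site to Zone Assignment List" (ZoneMapKey).
    # The GPO value name is assumed to be the full https:// URL; some deployments register the bare host name.
    $parts   = $FarmHost.Split('.', 2)   # 'adfs', 'contoso.com'
    $userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$($parts[1])\$($parts[0])"
    $gpoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $userZone = (Get-ItemProperty -Path $userKey -Name https -ErrorAction SilentlyContinue).https
    $gpoZone  = (Get-ItemProperty -Path $gpoKey -Name "https://$FarmHost" -ErrorAction SilentlyContinue)."https://$FarmHost"
    [pscustomobject]@{ UserZone = $userZone; GpoZone = $gpoZone; InIntranetZone = ($userZone -eq 1 -or $gpoZone -eq '1') }
}

$dsreg = Get-DsregState
$dc    = Test-DcLineOfSight -Domain $AdDomain
$krb   = Get-KerberosTicketSummary -Domain $AdDomain -FarmHost $AdfsHost
$zone  = Test-IntranetZone -FarmHost $AdfsHost

[pscustomobject]@{
    AzureAdJoined      = $dsreg['AzureAdJoined']
    AzureAdPrt         = $dsreg['AzureAdPrt']
    OnPremTgt          = $dsreg['OnPremTgt']
    DcReachable        = ($dc.DcFound -and $dc.Kdc88Open)
    HasTgt             = $krb.HasTgt
    HasAdfsTicket      = $krb.HasAdfsTicket
    AdfsInIntranetZone = $zone.InIntranetZone
} | Format-List

# Server side (run on an ADFS node with the ADFS module): WIA must be in the intranet policy and the
# client's user agent must match WIASupportedUserAgents, otherwise ADFS shows the forms page instead
# of answering with Negotiate. Requests that arrive through Web Application Proxy get the *extranet*
# policy, which normally has no WIA, so an off-network laptop gets forms even with a valid TGT.
#   Get-AdfsGlobalAuthenticationPolicy | Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
#   (Get-AdfsProperties).WIASupportedUserAgents
#   Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication','FormsAuthentication')
```

Read the output top to bottom: AzureAdPrt NO means the Azure AD side is broken before on-prem SSO even starts; DcReachable false is the line-of-sight problem the answer's note describes (fix with VPN or network access, not ADFS settings); HasTgt true with HasAdfsTicket false points at the browser or ADFS not negotiating Kerberos, which is usually the intranet zone assignment on the client or the ADFS intranet authentication policy and WIASupportedUserAgents on the server.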

  3. Siva-kumar-selvaraj 15,631 Reputation points
    2021-06-18T09:07:52.057+00:00

    Hello @RST ,

    Just checking if you have any follow-up question? If the above answer helped your query, please don't forget to click Accept the answer and Up-Vote. Thanks.

