This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 8%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hello, we have a 3rd party application that uses SAML 2.0 for SSO, but it requires ADFS. We configured our first ADFS server using one of our 2012 R2 domain controllers. When we go to the 3rd party URL it displays the login screen below...
Is there a way to bypass this screen and have it automatically log the user in using the credentials of the windows session?
Thank you for your help.
It could be one (or a combination) of the followings:
Thank you for your quick response. I followed the steps in the article you provided for reason #2. For reason #1, I assume the screenshots below is what you are referring to:
Unfortunately, I am still getting the ADFS SSO page prompting me for my AD credentials, I will reach out to the 3rd party application provider to see what they can do for me.
What browser are you using? And what is the output of:
Get-AdfsProperties | select -ExpandProperty WiaSupportedUserAgents
Also, to confirm option 3 without having to ask the 3rd party, just copy/paste the URL the users have in their address bar when they see the form. It might be enough info.
We use IE11 and google chrome.
Here is a screenshot of the powershell command results:
From within IE11, the URL that appears when the user sees the form is:
https://ADFS server FQDN/adfs/ls/?SAMLRequest=fZCxboMwEIZfhc0TGCgCagESapZI6ZK0HbpUZ%2BdIUI1Nfabi8QuJqqYdOp70%2Fd%2Fd%2FRXBoEfRTv5s9vgxIfmgJULne2serKFpQHdA99krfN7vanb2fiTBuban3kTzPFOk7MBhEfDVxRVoLUG9s2CzyHoDq%2BkntyQi604cjh1xTZwF203N3rq8lBncYZgnEsMMiyyE%2B1SGIFUmk04lKeYLSjTh1pAH42uWxmkcxmWYFE9JIZJUZOUrC17Q0WVjGsUsmAdtSKyH1WxyRlignoSBAUl4JQ7t404soIDvn28j4%2F%2BZ0VlvldWsqVZaXK5zzZ%2BGBjz207Wkit9y1%2Bl3980X
The SAMREQUEST is fine , it does not specify an authentication method.
IE11 might show up with Mozilla/5.0 user agent string. Run the following on your ADFS server:
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Mozilla/5.0"
And try again.
OK, I added "Mozilla/5.0. I no longer get the SSO sign in page, but this windows security pop-up window comes up:
Entering my AD credentials into this prompt does not allow me to access the 3rd party site.
This is an IE setting. The URL of your ADFS farm need to be either in the Trusted Site List or the Intranet Site List.
All is explained here.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 62%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Hi
Like to double confirm if this solution works for Windows Server 2016 ADFS.
I have referred to many links for automatic windows integrated authentication but they don't seems to get it to work.
Example:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia
https://hi.service-now.com/kb_view.do?sysparm_article=KB0759249
So just like to clarify how the behavior should be?
I am unable to achieve the "silent" login part from chrome.
To explain,
The client is a domain computer in the ADFS domain.
I have added "https://adfs.example.com" to trusted and intranet zone on client.
I have set ADFS to accept "Mozilla/5.0 (Windows NT)" agent on ADFS server
I have set ADFS to "extendedprotectiontokencheck allow" on ADFS server.
May I know if "silent" (unchallenged visually) login from Chrome browser to the ADFS is possible?
Thanks.
.jpeg){kind=link}
