ADFS SSO Primers

AD FSCloud, Office 365
SSO means different things to different people – make sure you’re talking about the same thing (i.e. Single Sign-On, Simple Sign-On or Same Sign-On)
In order to transparently obtain a claim from ADFS the following must be present:
  1. Your browser or client application needs to support WIA and claims
    IE/Edge support WIA out of the box, Firefox can reportedly be configured to support it (Chrome and others possibly as well using the same steps)
  2. Your browser must be talking to the intranet ADFS servers (as talking to the ADFS proxies takes you through forms-based authentication)
    This is frequently done through either a split-brain DNS setup or a network device that routes internal claim requests directly to the internal ADFS servers and external claim requests to the ADFS proxies
  3. Your browser must trust that the ADFS farm is an intranet web site that (the site should be in the Local Intranet sites in Internet Settings)
    Adding a GPO setting to include the ADFS farm name will work, targeting the GPO at the Computer gives the User the flexibility to add any required additional entries as the user settings inherit any sites added at the computer settings level.
  4. You must be logged on to a domain-joined machine as the user you expect SSO to be provided for
    Note that a cached logon doesn’t really count as a proper logon (you’re simply being allowed access to local resources on the workstation based on a previously successful logon)
  5. The Relying Party application should redirect you to the ADFS farm when it detects you are attempting to log on using an account beloging to a domain suffix that their IDP is responsible for
    This should preferably done immediately upon entering the account name when switching focus to the password field, entering the password at the RP side shouldn’t be required at all (f.x. an onFocus event targeting the password field, similar to what does).



Support for Windows Integrated Authentication in Firefox

Configuring Chrome and Firefox for Windows Integrated Authentication

onFocus event

Split-Brain DNS

A faulty split-brain DNS configuration can prevent a seamless SSO sign-in experience

Office 365 Single Sign-On with AD FS 2.0 whitepaper

A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource

A federated user is repeatedly prompted for credentials when he or she connects to the AD FS 2.0 service endpoint during Office 365 sign-in

Leave a Reply

Your email address will not be published.