ADFS 3.0 - SAML Request Authentication Page

Question
-
Hello,
We are using ADFS 3.0 for our SSO provider and have been loving it, but have been trying to make it even easier for our users to log in. One of the things we have set up is a function in onload.js that uses regex to correctly format their UPN - they can use contoso.local\jdoe, jdoe@contoso.local, jdoe@contoso.com, etc. This works fine when accessing https://adfs.contoso.com/adfs/ls/IdpInitiatedSignon.aspx (for example).
One issue is when a Relying Party sends a URL embedded as a SAML request (https://sts.contoso/adfs/ls/?SAMLRequest=someString). If a user clicks the link in Chrome/Firefox, they are brought to the sign-in page and can log in just fine. When an IE user clicks the link, they are presented with a Windows Security prompt and all of our onload.js footwork is lost. Is there any way to disable the Windows Security prompt from being displayed and force people to log in via the SSO webpage?
Obviously we can set up Intranet Sites for our domain users, but we also want to make the login process easy for remote users who may not have a company machine.
Any help is appreciated!
Tuesday, November 10, 2015 7:27 PM
Answers
-
What you are running into is that ADFS is treating Internet Explorer as enabled for Windows integrated authentication using either Kerberos or NTLM. The security prompt you are seeing is for NTLM authentication for devices that are either not part of your domain or cannot otherwise automatically authenticate.
You can configure the user agents that are supported for integrated authentication by configuring the WIASupportedUserAgents service property, as documented at https://technet.microsoft.com/en-us/library/dn727110.aspx. If you have a mix of domain-joined and non-joined systems within your network, you can also use this property to only allow a custom token for domain-joined systems that you deploy to IE using a registry entry in a Group Policy Preference. For more information on that, see https://msdn.microsoft.com/en-us/library/ms537503(v=vs.85).aspx.
If you have remote users, I would also suggest implementing Web Application Proxy systems for access outside your firewall. WAP and ADFS are designed to work together, with WAP replacing the federation service proxy in previous versions of ADFS. Using the proxy allows you to customize the authentication behavior so that internal and external access methods do not necessarily need to be the same.
- Proposed as answer by Ethan Hua (Microsoft contingent staff) Friday, December 4, 2015 9:28 AM
- Marked as answer by Ethan Hua (Microsoft contingent staff) Monday, December 7, 2015 1:44 AM
Tuesday, November 10, 2015 9:35 PM
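The following is an added example, not code from Alex's reply or from Microsoft, showing how the WIASupportedUserAgents change and the matching client-side User-Agent token described above fit together on an ADFS 3.0 server. The token name ContosoDomainJoined is an assumption; the registry path is the Internet Explorer "Post Platform" key that the linked MSDN article documents.

```powershell
# Added example (not from the forum post): limit ADFS 3.0 Windows Integrated
# Authentication to browsers that carry a custom User-Agent token, so IE on a
# non-domain-joined machine falls through to the forms sign-in page instead of
# the NTLM "Windows Security" prompt. Run in an elevated PowerShell on the ADFS server.
# The token name is an assumption; choose your own.
Import-Module ADFS

$customToken = 'ContosoDomainJoined'

# 1. Record the current list. The defaults include generic "MSIE x.0" and
#    "Trident/7.0" entries, which is why every IE build triggers WIA today.
$current = (Get-AdfsProperties).WIASupportedUserAgents
Write-Host "Current WIASupportedUserAgents:"
$current | ForEach-Object { Write-Host "  $_" }

# 2. Keep the non-browser entries (MSIPC, Windows Rights Management Client,
#    MS_WorkFoldersClient, ...) and swap the generic IE tokens for the custom
#    token that only domain-joined machines will present.
$newList = @($current | Where-Object { $_ -notmatch '^(MSIE|Trident)' })
if ($newList -notcontains $customToken) { $newList += $customToken }

Set-AdfsProperties -WIASupportedUserAgents $newList

# 3. Verify the change took effect before pointing any users at it.
(Get-AdfsProperties).WIASupportedUserAgents

# 4. Client side: the "Post Platform" value IE appends to its User-Agent string.
#    Deploy this same value to domain-joined machines with a Group Policy
#    Preference registry item; the lines below only apply it to the local box
#    so the new behaviour can be tested. Value name = token, data = empty string.
$postPlatform = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'
New-Item -Path $postPlatform -Force | Out-Null
New-ItemProperty -Path $postPlatform -Name $customToken -Value '' -PropertyType String -Force | Out-Null
```

After the change, an IE client without the token should receive the forms-based sign-in page for the SAMLRequest URL, while a client with the token still gets seamless Kerberos/NTLM sign-in.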
All replies
-
Thanks Alex for the information. Geoffrey, please take a look at Alex's reply and see if it is helpful for you.
Just want to remind you that we mainly focus on ADDS related questions in the current forum; there is not so much about the ADFS aspect here. For more professional responses, I'd suggest posting in the dedicated forum below:
https://social.msdn.microsoft.com/Forums/vstudio/en-us/home?forum=Geneva
The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
Regards,
Ethan Hua
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com
Wednesday, November 11, 2015 7:56 AM