SSO in ADFS

  • Question

  • hi,

    I have a few Relying Party Trusts added to the ADFS server for SSO. This is SP-initiated. Users are successfully able to log in to the applications. The problem is: "after a limited time period the user is asked for credentials". I want it to be a perfect SSO where, once logged in, the user should be asked to enter credentials even if the browser is closed.

    Thanks in advance.


    Nidhi sharma


    Wednesday, July 5, 2017 10:31 AM

All replies

  • You mean you want the user not to re-authenticate when they close their browser?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, July 5, 2017 1:05 PM
  • Yes. I don't want user to be reauthenticated.

    Nidhi sharma

    Wednesday, July 5, 2017 3:35 PM
  • Then you are not really looking at SSO. SSO would assume that the user never has to enter their credentials in the first place.

    Here it seems that you are looking at Forms-Based Auth. You don't have to. You can use Windows SSO as long as your machines are domain joined. But well, if you want the user to use Forms-Based Authentication and have a persistent session, you can enable the KMSI option:

    Set-AdfsProperties -EnableKmsi $true

    Then they will have a checkbox to tick to make sure their session persists even after they close their browser.


    Wednesday, July 5, 2017 4:00 PM
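To make the KMSI setting above concrete, here is an added PowerShell example (written for this page, not Pierre's or Microsoft's sample code). It assumes an ADFS 2012 R2 or later farm and an elevated session on a federation server; the lifetime value is a placeholder to tune to your own re-authentication policy. It also lists the per-application token lifetime, because an application whose session expired will send the user back to ADFS, and that round trip is only silent while the ADFS SSO cookie is still valid:

```powershell
# Added example: enable "Keep me signed in" (KMSI) on an ADFS farm and inspect
# the session lifetimes that decide when a user is prompted again.
# Assumptions: ADFS 2012 R2 or later, run elevated on a federation server.
Import-Module ADFS

# Before: what the farm currently does. SsoLifetime is the in-browser SSO
# cookie lifetime in minutes (default 480); KmsiLifetimeMins applies only
# when the user ticks the KMSI box on the forms sign-in page.
Get-AdfsProperties |
    Select-Object EnableKmsi, KmsiLifetimeMins, SsoLifetime,
                  EnablePersistentSso, PersistentSsoLifetimeMins |
    Format-List

# Enable the checkbox. 1440 minutes (1 day) is a placeholder value.
Set-AdfsProperties -EnableKmsi $true -KmsiLifetimeMins 1440

# After: confirm the change took effect.
Get-AdfsProperties | Select-Object EnableKmsi, KmsiLifetimeMins | Format-List

# A separate reason for "prompted after a while": each Relying Party Trust
# has its own TokenLifetime in minutes (0 means the farm default of 60).
# When the application's session built from that token expires, the
# application redirects back to ADFS; with a valid SSO cookie that redirect
# is silent, without one the user sees the sign-in page again.
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Identifier, TokenLifetime |
    Format-Table -AutoSize
```

The KMSI cookie is persistent, so on a shared or kiosk workstation the next person at the keyboard inherits the session until it expires; leave KMSI off for those machines, or keep the lifetime short. Note that all of these are farm-wide properties stored in the configuration database, so run the change once, not on every node.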
  • OK... But my machines are domain joined. It's completely OK even if the user is not prompted for credentials even once. How can we do that?


    Nidhi sharma


    Wednesday, July 5, 2017 4:54 PM
  • Confused?

    The whole point of SSO is that the user only ever authenticates once.

    You don't want SSO and you don't want the user to authenticate?

    So why are you using ADFS in the first place?

    Wednesday, July 5, 2017 6:49 PM
  • Yeah... I'm getting confused.

    Actually, I want to reduce the number of times the user is prompted for credentials. After they are logged in once they should not be asked again for credentials.


    Nidhi sharma

    Thursday, July 6, 2017 1:52 PM
  • Then make sure you add the address of your ADFS farm to the Trusted Sites list or Local intranet sites list of Internet Explorer. If you do not use IE, this is documented here: https://docs.microsoft.com/en-ca/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia

    Thursday, July 6, 2017 2:03 PM
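The linked page configures the farm's WIASupportedUserAgents list, which decides whether a given browser gets the Windows Integrated (Negotiate) challenge or the sign-in form. As an added example (written for this page, not taken from the thread or the Microsoft article), the script below appends an entry instead of overwriting the list; the user-agent substring is an assumed value to adapt to the browsers you actually run:

```powershell
# Added example: let a non-IE browser use Windows Integrated Authentication
# against ADFS. ADFS compares each WIASupportedUserAgents entry as a substring
# of the browser's User-Agent header; the defaults cover IE ("MSIE", "Trident").
# Assumptions: run elevated on a federation server; $agent is a placeholder.
Import-Module ADFS

# Assumed substring: matches Chrome, Firefox and Edge on Windows (and IE 11).
$agent = "Mozilla/5.0 (Windows NT"

$current = (Get-AdfsProperties).WIASupportedUserAgents
"Currently allowed for WIA:"
$current

if ($current -contains $agent) {
    "'$agent' already present, nothing to do."
} else {
    # Append rather than replace, so the IE and Office client entries survive.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $agent)
}

# Confirm the farm-wide value.
(Get-AdfsProperties).WIASupportedUserAgents
```

Two caveats. The match is a substring match, so a very broad entry (the bare "Mozilla/5.0" is the common one) sends the Negotiate challenge to every browser that reaches the internal farm, including non-domain devices, which then get a credential pop-up or an error instead of the form. And the browser still has to be willing to answer Negotiate for that host: IE, Edge and Chrome use the IE zone settings, while Firefox needs the farm FQDN in network.negotiate-auth.trusted-uris. If the new list does not seem to apply, restart the adfssrv service on each federation server.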
  • Hi Pierre,

    I have added it to the intranet sites and still the issue remains the same. It still prompts me for credentials. Can we do something about it? It is really urgent.


    Nidhi sharma

    Friday, July 7, 2017 5:28 PM
  • Make sure that you are using:

    1. a domain-joined machine (right-click Computer in Explorer and look at the system info)
    2. a signed-in domain user (whoami in a command prompt)
    3. a farm FQDN that resolves to the IP address of your ADFS farm (not the proxies) - ping the FQDN
    4. make sure the FQDN of the farm (not the server) is added to the Local intranet sites list (and that the security settings of this zone are reset to default)
    5. make sure your authentication policy is set to do Windows Integrated Auth

    Send us a screenshot of each step and we'll see what's wrong.


    Friday, July 7, 2017 9:18 PM
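The five checks above can be scripted so the screenshots are replaced by one output. The following is an added example (written for this page, not part of the thread); steps 1 to 4 run on the client workstation as the user who is being prompted, step 5 on a federation server, and the farm name is a placeholder:

```powershell
# Added example: script the five checks from the reply above.
# Steps 1-4 run on the client workstation as the prompted user; step 5 runs
# on a federation server. $farmFqdn is an assumed placeholder.
$farmFqdn = "sts.example.com"

# 1. Domain joined?
$cs = Get-CimInstance Win32_ComputerSystem
"1. Domain joined: $($cs.PartOfDomain) (domain: $($cs.Domain))"

# 2. Signed in with a domain account, not a local one? Expect DOMAIN\user;
#    a local account shows COMPUTER\user and cannot obtain a Kerberos ticket
#    for the farm's HTTP/<fqdn> service principal.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"2. User: $($id.Name) (auth type: $($id.AuthenticationType))"

# 3. Farm FQDN must resolve to the internal farm, not to the proxies.
"3. $farmFqdn resolves to:"
Resolve-DnsName $farmFqdn -Type A | Select-Object Name, IPAddress | Format-Table -AutoSize

# 4. Farm FQDN mapped to the Local intranet zone (zone 1) for this user.
#    IE stores per-site mappings under ZoneMap\Domains\<domain>\<host> with
#    one DWORD per scheme; group policy writes the same layout in the
#    Policies hives. Zone numbers: 1 = Local intranet, 2 = Trusted sites.
$labels    = $farmFqdn.Split('.')
$hostLabel = $labels[0]
$domain    = ($labels | Select-Object -Skip 1) -join '.'
$zoneRoots = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains",
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains",
    "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
)
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$found = $false
foreach ($root in $zoneRoots) {
    foreach ($key in @("$root\$domain\$hostLabel", "$root\$farmFqdn")) {
        if (Test-Path $key) {
            $props = Get-ItemProperty $key
            foreach ($scheme in 'https', 'http', '*') {
                if ($null -ne $props.$scheme) {
                    $found = $true
                    "4. $key [$($scheme)] -> zone $($props.$scheme) ($($zoneNames[[int]$props.$scheme]))"
                }
            }
        }
    }
}
if (-not $found) {
    "4. $farmFqdn has no explicit zone mapping; it lands in the Internet zone unless a proxy/PAC rule says otherwise"
}

# Logon setting (value 1A00) of the intranet zone. Default 0x20000 =
# automatic logon only in Intranet zone; 0x10000 = prompt; 0x30000 = anonymous.
$logon = (Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1").'1A00'
"   Local intranet zone logon setting: 0x{0:X} (0x0 or 0x20000 allow automatic logon)" -f $logon

# 5. On a federation server only: the intranet policy must include Windows
#    authentication and the browser's User-Agent must be in the WIA list.
if (Get-Module -ListAvailable -Name ADFS) {
    Import-Module ADFS
    "5. Intranet providers: $((Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider -join ', ')"
    "   WIA user agents:    $((Get-AdfsProperties).WIASupportedUserAgents -join ' | ')"
} else {
    "5. Run on a federation server: (Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider"
}
```

If step 3 returns the Web Application Proxy address, the client is using external DNS and the proxy will always present the forms page, since WIA is an intranet-only path. If step 4 prints no mapping, the browser treats the farm as an Internet site and will never send the user's Kerberos ticket, regardless of what the server policy says.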