Remove From My Forums

Customization of ADFS 3.0 sign in option

Question
0

Sign in to vote

Hi,

I am trying to implement "single sign on" in my web application. When I try to access the application from the browser, I will get the ADFS login page. I can easily track the username and password that given in ADFS login page (Part of security test). Is any option to encrypt the username ,password that send via a post request to ADFS (adfs/ls/) ?

Thanks

ranga rb<o:p></o:p>

Monday, April 3, 2017 4:35 AM

Reply

|

Quote

All replies

0

Sign in to vote

This is standard functionality for forms.

That's way you need to protect it via https etc.

Monday, April 3, 2017 6:46 PM

Reply

|

Quote

Moderator
0

Sign in to vote

Note that if you are using Form Based Authentication, you are not having a Single Sign On.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Monday, April 3, 2017 8:17 PM

Reply

|

Quote

Owner
0

Sign in to vote

It's already calling as a https post request. Please see the links given :

drive.google.com/open?id=0B8Q2WGsM--_qVmF5MDBSMUJ4QlU

drive.google.com/open?id=0B8Q2WGsM--_qVGh3ajd0TzN4d0U

Tuesday, April 4, 2017 2:54 AM

Reply

|

Quote
0

Sign in to vote

Well this is the web form for authentication. This is not SSO then. This page is secured with HTTPS. Have a look there as it is a similar thread: https://social.technet.microsoft.com/Forums/windowsserver/en-US/0859d7a4-7ae6-4129-acea-0963839bf622/credentials-are-passed-in-clear-text-hacked-credentials-using-burp-tool-suite?forum=ADFS
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Tuesday, April 4, 2017 7:07 PM

Reply

|

Quote

Owner