Customization of ADFS 3.0 sign in option

  • Question

  • Hi,

    I am trying to implement "single sign on" in my web application. When I try to access the application from the browser, I get the ADFS login page. I can easily track the username and password that are given in the ADFS login page (part of a security test). Is there any option to encrypt the username and password that are sent via a POST request to ADFS (adfs/ls/)?

    Thanks

    ranga rb

    Monday, April 3, 2017 4:35 AM

All replies

  • This is standard functionality for forms.

    That's why you need to protect it via HTTPS etc.

    Monday, April 3, 2017 6:46 PM
  • Note that if you are using Forms-Based Authentication, you do not have Single Sign On.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, April 3, 2017 8:17 PM
  • It's already being called as an HTTPS POST request. Please see the links given:

    drive.google.com/open?id=0B8Q2WGsM--_qVmF5MDBSMUJ4QlU

    drive.google.com/open?id=0B8Q2WGsM--_qVGh3ajd0TzN4d0U

    Tuesday, April 4, 2017 2:54 AM
  • Well this is the web form for authentication. This is not SSO then. This page is secured with HTTPS. Have a look there as it is a similar thread: https://social.technet.microsoft.com/Forums/windowsserver/en-US/0859d7a4-7ae6-4129-acea-0963839bf622/credentials-are-passed-in-clear-text-hacked-credentials-using-burp-tool-suite?forum=ADFS

    Tuesday, April 4, 2017 7:07 PM