Hello,
We have a problem configuring SSO for ADFS - ADFS - MS CRM.
First, the configuration.
I have two domains: Domain1, which contains an ADFS server (ADFS1) and the users; Domain2, which contains an ADFS server (ADFS2) and the MS CRM server.
I have configured:
1. the MS CRM server for IFD;
2. the ADFS servers to allow users from Domain1 to access the MS CRM server in Domain2.
Everything works fine except for the following:
Users always have to enter their username and password.
I found out that the probable reason for this issue is the RequestedAuthnContext element in the SAML request. See the full SAML request from ADFS2 to ADFS1 below:
<samlp:AuthnRequest AssertionConsumerServiceURL="https://fs.nestle.ru/adfs/ls/"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://sts.nestle.com/adfs/ls/" ID="id-2174b079-bdd7-48ff-840c-209dd6f14294"
    IssueInstant="2017-04-12T08:50:33.000Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://fs.nestle.ru/adfs/services/trust</Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext>
    <samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</samlp:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
I think that omitting this optional part of the SAML request will solve the problem, but I cannot find a way to do it.
Can anybody help me with it?
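The following is an added example, not code from the original post or from ADFS. It shows how to pull the AuthnRequest out of the SAMLRequest query parameter of the redirect to the account-side ADFS (the SAML 2.0 HTTP-Redirect binding carries it as base64 over raw DEFLATE), check whether it contains a RequestedAuthnContext and which authentication context classes it names, and produce the same request with that element removed for comparison. The sample request is constructed with placeholder hostnames and a dummy ID in place of the real ones above, but keeps the structure of the quoted request, including the rebinding of the samlp prefix to the assertion namespace on AuthnContextClassRef.

```python
"""Inspect a SAML 2.0 AuthnRequest for RequestedAuthnContext (added example)."""
import base64
import zlib
from urllib.parse import parse_qs, quote, urlsplit
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

# Constructed sample: same shape as the request quoted in the post, with
# placeholder hostnames and a dummy ID. The samlp prefix is rebound to the
# assertion namespace on AuthnContextClassRef, as in the original; the parser
# copes because it resolves element names by namespace URI, not by prefix.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest AssertionConsumerServiceURL="https://fs.example.net/adfs/ls/"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://sts.example.com/adfs/ls/" ID="id-00000000-0000-0000-0000-000000000000"
    IssueInstant="2017-04-12T08:50:33.000Z" Version="2.0"
    xmlns:samlp="{NS_P}">
  <Issuer xmlns="{NS_A}">https://fs.example.net/adfs/services/trust</Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext>
    <samlp:AuthnContextClassRef xmlns:samlp="{NS_A}">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</samlp:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def decode_redirect_binding(url: str) -> str:
    """Return the AuthnRequest XML carried in a SAML HTTP-Redirect URL.

    The binding base64-encodes a raw DEFLATE stream with no zlib header,
    hence wbits=-15 on decompression.
    """
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def redirect_url_for(xml_text: str, destination: str) -> str:
    """Build the HTTP-Redirect URL for a request (inverse of the decoder).

    Used here only to construct test input; a signed request would also
    carry SigAlg and Signature parameters, which this example omits.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return destination + "?SAMLRequest=" + quote(base64.b64encode(data).decode("ascii"))


def requested_authn_context(xml_text: str):
    """Return (comparison, [class refs]) or None when the element is absent.

    Comparison defaults to 'exact' in SAML 2.0 Core, so an IdP that honours a
    request naming only the Password class has to authenticate the user with
    a password even when it could have used Windows Integrated Authentication.
    """
    root = ET.fromstring(xml_text)
    rac = root.find(f"{{{NS_P}}}RequestedAuthnContext")
    if rac is None:
        return None
    refs = [e.text.strip() for e in rac.iter(f"{{{NS_A}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), refs


def strip_requested_authn_context(xml_text: str) -> str:
    """Return the request without RequestedAuthnContext, leaving the choice
    of authentication method to the IdP. This is what the post wants ADFS2
    to send; it is shown here for comparison, not as a way to patch ADFS."""
    root = ET.fromstring(xml_text)
    for rac in root.findall(f"{{{NS_P}}}RequestedAuthnContext"):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    url = redirect_url_for(SAMPLE_REQUEST, "https://sts.example.com/adfs/ls/")
    request_xml = decode_redirect_binding(url)
    print("RequestedAuthnContext:", requested_authn_context(request_xml))
    print(strip_requested_authn_context(request_xml))
```

To use this against a live setup, copy the URL of the redirect from ADFS2 to ADFS1 out of the browser's network trace and pass it to decode_redirect_binding; if the output lists only the Password class with comparison "exact", the account-side ADFS is being told not to use integrated authentication, which matches the behaviour described in the post.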