ADFS Federated SSO

Question

Hello,

    We have a problem configuring SSO for ADFS - ADFS - MS CRM.

    First - configuration

    I have two domains: Domain1, that contains ADFS Server (ADFS1) and Users; Domain2, that contains ADFS Server (ADFS2) and MS CRM Server.

    I have configured:

    1. MS CRM Server for IFD

    2. ADFS Servers to allow users from Domain 1 to access the MS CRM Server in Domain 2.

    All works fine, except the following.

    Users always have to enter username and password.

    I found out that the probable reason for this issue is the RequestedAuthnContext element in the SAML request. See the full SAML request from ADFS2 to ADFS1 below:

    <samlp:AuthnRequest AssertionConsumerServiceURL="https://fs.nestle.ru/adfs/ls/"
        Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
        Destination="https://sts.nestle.com/adfs/ls/" ID="id-2174b079-bdd7-48ff-840c-209dd6f14294"
        IssueInstant="2017-04-12T08:50:33.000Z" Version="2.0"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://fs.nestle.ru/adfs/services/trust</Issuer>
        <samlp:NameIDPolicy AllowCreate="true"
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
        <samlp:RequestedAuthnContext>
            <samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</samlp:AuthnContextClassRef>
        </samlp:RequestedAuthnContext>
    </samlp:AuthnRequest>

    I think that omitting this optional part of the SAML request will solve the problem, but I cannot find a way to do it.

    Can anybody help me with it?

    Wednesday, April 12, 2017 2:02 PM
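The diagnosis in the post can be checked mechanically: parse the AuthnRequest the relying-party ADFS sends, read the RequestedAuthnContext, and report whether it admits only the Password class (which an IdP cannot satisfy with Windows integrated authentication). The script below is an added example written for this thread, not code from the original post or from ADFS; it uses a constructed request with placeholder hostnames and IDs that mirrors the shape of the one above, including the odd redeclaration of the `samlp` prefix to the assertion namespace on `AuthnContextClassRef`, which a namespace-aware parser resolves correctly. The default of `Comparison="exact"` when the attribute is absent follows SAML 2.0 Core; the stripping helper only illustrates the request shape the poster proposes and is not an ADFS configuration setting.

```python
"""Inspect a SAML 2.0 AuthnRequest for a RequestedAuthnContext that pins the
authentication method, the symptom described in the thread above."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"

# Constructed sample: same structure as the request in the post, with
# placeholder hostnames and a placeholder ID instead of the poster's values.
SAMPLE_REQUEST = """<samlp:AuthnRequest AssertionConsumerServiceURL="https://fs.example.net/adfs/ls/"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    Destination="https://sts.example.com/adfs/ls/" ID="id-00000000-0000-0000-0000-000000000000"
    IssueInstant="2017-04-12T08:50:33.000Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://fs.example.net/adfs/services/trust</Issuer>
    <samlp:NameIDPolicy AllowCreate="true"
        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    <samlp:RequestedAuthnContext>
        <samlp:AuthnContextClassRef xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</samlp:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def requested_authn_context(xml_text):
    """Return (comparison, [class refs]) for the request, or (None, []) when
    no RequestedAuthnContext is present and the IdP chooses the method."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    # SAML 2.0 Core: Comparison defaults to "exact" when the attribute is absent.
    comparison = rac.get("Comparison", "exact")
    # The child element lives in the assertion namespace even though the
    # sample declares it under the reused "samlp" prefix; match by URI.
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return comparison, refs


def forces_password_prompt(xml_text):
    """True when the request demands exactly the Password class, so an IdP that
    honours it must show a credential prompt instead of using Kerberos/IWA.
    Other comparison modes (minimum/better/maximum) are IdP-specific and are
    reported as False here rather than guessed."""
    comparison, refs = requested_authn_context(xml_text)
    return comparison == "exact" and refs == [PASSWORD_CLASS]


def without_requested_authn_context(xml_text):
    """Re-serialise the request with RequestedAuthnContext removed, i.e. the
    form the poster proposes. Illustrative only; it does not change ADFS."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(xml_text)
    for rac in root.findall("samlp:RequestedAuthnContext", NS):
        root.remove(rac)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    comparison, refs = requested_authn_context(SAMPLE_REQUEST)
    print("Comparison:", comparison, "Classes:", refs)
    print("Forces password prompt:", forces_password_prompt(SAMPLE_REQUEST))
    stripped = without_requested_authn_context(SAMPLE_REQUEST)
    print("After removal:", requested_authn_context(stripped))
```

Run it as-is to see the sample flagged; to check a live request, paste the decoded AuthnRequest (after base64 and, for the redirect binding, DEFLATE decoding) into `requested_authn_context`.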