ADFS 3.0 - Configure Persistent Single Sign-On RRS feed

  • Question

  • Hello,

    I'm currently trying to enable persistent SSO for Office 365 users to access SharePoint Online with our ADFS v3.0 platform.

    I've used the technet article : https://technet.microsoft.com/en-us/library/mt148493.aspx but I'm in particular case because we used F5 APM appliance as ADFS Proxy. So, the claim "insidecorporatenetwork" is always set to "true".

    I think to use another claim "x-ms-client-ip" which could have two IP address:

    • if the conection come from internal network, it got the IP address : (our internal loadbalancer)
    • if the conection come from externalnetwork, it got the IP address : (the F5 appliance)

    So, i'm looking for a rule that deliver a PSSO cookie only when the client IP (x-ms-client-ip) is equal to

    I'm trying to modify the rule "Pass through claim - InsideCorporateNetwork" by :

    @RuleName = "Pass through claim - InsideCorporateNetwork"

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", Value =~ "(^10\.3\.224\.17)"] => issue(claim = c);

    and after, use the rule :

    @RuleName = "Pass Through Claim - Psso"
    c:[Type == "http://schemas.microsoft.com/2014/03/psso"]
    => issue(claim = c);

    with no success :(

    I'm trying several other regex but no more chance.

    Can someone help me ?

    thanks !

    • Edited by Vinc_FR Wednesday, April 20, 2016 11:51 AM
    Wednesday, April 20, 2016 11:29 AM

All replies

  • What you have here is two separate rules with no connection between them. The psso claim will always be created.

    You need something like:

    c:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", Value =~ "(^10\.3\.224\.17)"]
    => issue(Type = “http://schemas.microsoft.com/2014/03/psso”, Value = "?");

    I have no idea what the value is supposed to be though hence the "?".

    Wednesday, April 20, 2016 6:55 PM
  • Hello,

    Thanks for your answer but it's seems to be not true.

    In fact, actually, the psso claim is never created.

    If you read the technet article : https://technet.microsoft.com/en-us/library/mt148493.aspx the psso claim in created only when the claim InsideCorporateNetwork has its value equal to true.

    My problem is that with my ADFS infrastructure, this claim is always set to true.

    I've made a call to the MS support.


    Thursday, April 21, 2016 1:27 PM
  • Have you enabled the Persistent SSO like it is mentioned in the article you're referring to? 




    Enable/disable persistent SSO

    Set-AdfsProperties –EnablePersistentSso <Boolean>

    Persistent SSO is enabled by default. If it is disabled, no PSSO cookie will be written.

    Enable/disable “keep me signed in”

    Set-AdfsProperties –EnableKmsi <Boolean>

    “Keep me signed in” feature is disabled by default. If it is enabled, end user will see a “keep me signed in” choice on AD FS sign-in page.

    Persistent SSO lifetime for registered device

    Set-AdfsProperties -PersistentSsoLifetimeMins <Int32>

    This setting controls the lifetime of persistent SSO cookie written for registered device. The lifetime is 7 days by default. Persistent SSO cookie written as a result of “keep me signed in” has a different lifetime setting as shown below.

    Persistent SSO lifetime for KMSI

    Set-AdfsProperties –KmsiLifetimeMins <Int32>

    The default value is 1440 mins.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, January 7, 2017 6:36 PM