SAML Auto Login with ADFS (in Intranet)
Steps to enable Auto-logon:
Step 1: In the AD FS server, under Authentication Methods, make sure that Windows Authentication is selected.
Step 2: Run the below powershell query to check if "Chrome" is present in the supported WIA agents:
Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents
If Chrome is not present, then the following query can be run to add chrome to the supported user agents.
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")
Step 3:
In the client machine (user machine), open Internet Options and add your ADFS URL in Local intranet Sites (or under Trusted Sites if your url is in https)
Step 4:
Click on Custom Level... and under User Authentication -> Logon -> choose Automatic Logon with current username and password
Once these settings are saved, your ADFS will directly use your machine credentials when you are in your intranet and when you're connected to the internet, the following popup will be shown, which still can be used to log in to ADFS.
For Firefox an extra setting is required. Go to about:config and search for trusted-uri where your ADFS machine's fully qualified name needs to be added.
Known Issues with Mobile Apps:
After turning on Windows Authentication, mobile apps may not work as their user agents also get matched for Windows Authentication which fails.
Solution:
Since the ADFS user agents accept regular expressions, you may write one that skips Android and iOS agents but allows Laptops and PCs.
Here is an example for reference (the =~ shows that it is a regex understood by ADFS):
=~^((?!Android|iPhone).)*$
To set this, you can run the below command in powershell (make sure to take a backup of existing properties)
Set-AdfsProperties -WIASupportedUserAgents "=~^((?!Android|iPhone).)*$"
New to ADSelfService Plus?
Related Articles
Configuring SAML with ADFS
Step 1: Open the ADFS management application Step 2: Right-click Relying Party trust and choose Add Relying Party Trust. The Add Relying Party Trust Wizard opens. Step 3: Choose Claims Aware and click Start Step 4: Choose Enter data about the relying ...SAML | Multiple Login URLs for SAML Response
Issue: Even if SDP can be accessed with multiple URLs like internal.servicedesk.com and external.servicedesk.com, the SAML response is always received at the same URL that is configured in Alias URL. Fix: The acs_url column in the SAMLSP table can be ...SAML | This Request will not be considered since passing more parameters to server might result in vulnerability issues.
Issue: After upgrade, customer might usually face this issue during SAML login: Trace: [14:14:03:012]|[10-02-2023]|[com.manageengine.mdh.MDHSettings]|[INFO]|[57303]: Service desk instance ID not found in Cookie| ...Common SAML Config Workarounds: same entity ID in prod, test; hide "Logout from SAML"
1. Prod and Test have same entity ID: When restoring backup from production instance to create a test instance, the entity ID and and the redirect URL are same as the one in the production instance and we are not able to configure SAML in the test ...SAML | Configure KeyCloak as IDP
Setting up KeyCloak Download KeyCloak from their official website (Used v25 here). Open conf/keycloak.conf and enter the hostname Run sh kc.sh start-dev Create a user and login at http://localhost:8080 Setting up the IDP: To enable logging, go to ...