SAML Auto Login with ADFS (in Intranet)


Steps to enable Auto-logon:

Step 1: On the AD FS server, under Authentication Methods, make sure that Windows Authentication is selected.




Step 2: Run the following PowerShell command to check whether "Chrome" is present in the list of supported WIA user agents:
Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents


If Chrome is not present, run the following command to append Chrome to the supported user agents (the existing entries are kept):
Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")

Step 3:
On the client (user) machine, open Internet Options and add your ADFS URL to the Local intranet sites (or to Trusted sites if your URL uses HTTPS).


Step 4:
Click Custom Level... and, under User Authentication -> Logon, choose Automatic logon with current user name and password.


Once these settings are saved, ADFS will sign you in with your machine credentials whenever you are on the intranet. When you connect from the internet instead, the following popup is shown, and it can still be used to log in to ADFS.


Firefox requires one extra setting: open about:config, search for trusted-uri, and add your ADFS server's fully qualified domain name to that preference.




Known Issues with Mobile Apps:

After Windows Authentication is turned on, mobile apps may stop working: their user agents are also matched against the WIA user-agent list, so AD FS attempts Windows Authentication for them, which fails.

Solution:
Since the ADFS WIA user-agent entries accept regular expressions, you can write one that skips Android and iOS agents but still allows laptops and PCs.
Here is an example for reference (the =~ prefix tells ADFS that the entry is a regex):
=~^((?!Android|iPhone).)*$
To set it, run the following command in PowerShell. It replaces the existing list with this single entry, so back up the current properties first:
Set-AdfsProperties -WIASupportedUserAgents "=~^((?!Android|iPhone).)*$"
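
The following script is an added example and is not part of the original article: it backs up the current WIA user-agent list, checks the regex above against constructed sample user agents with the .NET regex engine (assumed to be the engine AD FS applies to =~ entries), and applies the regex only when every check passes. The backup path is an assumption.

```powershell
# Added example, not from the original article: back up, dry-run the regex, then apply.
$backupPath = "$env:TEMP\WIASupportedUserAgents.backup.json"   # assumed location

# 1. Back up the current list, because Set-AdfsProperties replaces the whole list.
$current = Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
$current | ConvertTo-Json | Set-Content -Path $backupPath
Write-Host "Backed up $($current.Count) entries to $backupPath"

# 2. The regex from the article: any user agent containing neither "Android" nor "iPhone".
$pattern = '^((?!Android|iPhone).)*$'

# Constructed sample user agents (not captured traffic) and the expected outcome:
# $true = AD FS attempts WIA, $false = AD FS falls back to forms authentication.
$samples = @(
  @{ Name = 'Windows Chrome'; Expect = $true
     UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' },
  @{ Name = 'Android Chrome'; Expect = $false
     UA = 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36' },
  @{ Name = 'iPhone Safari';  Expect = $false
     UA = 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1' }
)

$allOk = $true
foreach ($s in $samples) {
  # [regex]::IsMatch is case-sensitive by default, unlike PowerShell's -match operator.
  $hit = [regex]::IsMatch($s.UA, $pattern)
  $status = if ($hit -eq $s.Expect) { 'OK  ' } else { $allOk = $false; 'FAIL' }
  Write-Host "$status $($s.Name): WIA=$hit (expected $($s.Expect))"
}

if (-not $allOk) {
  Write-Error "Regex does not behave as expected; AD FS left unchanged. Backup: $backupPath"
  return
}

# 3. Apply. The "=~" prefix tells AD FS to treat the entry as a regex.
Set-AdfsProperties -WIASupportedUserAgents @("=~$pattern")
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
```

To roll back, read the JSON backup with ConvertFrom-Json and pass the resulting array back to Set-AdfsProperties -WIASupportedUserAgents.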



