NateR78 (United States of America) asked:

ADFS Woes

We have implemented ADFS for a few federated cloud services.  It works great internally.  Our federated partner sites log users in seamlessly as expected, without requiring a username or password.  It passes the user directly into his or her online profile.  Flawless.

However, the experience breaks down a bit when logging into the same services externally.  Instead, in order for the user to sign in, I have to disable "automatic login" for trusted/intranet sites and instead select "prompt for username and password."

Is there anyone out there with more ADFS savvy than I, who can tell me if transparent login can be configured for a domain-joined laptop that is being used remotely to access federated resources?  Or will my laptop users be forced to disable automatic login so they can work remotely?  

Does anybody have any suggestions for how to tackle this issue?  Right now, I've basically had to force laptop users to enter their username and password to access these sites, even inside the office, so their access also works outside.  Since I'm very new to ADFS, I'm not sure if a cached network login on a remote domain-joined laptop will be able to authenticate as it does when on the domain.  Evidence certainly doesn't point to the contrary at this point.

Help!
Jonathan Raper (United States of America):
Hi NateR78!

The short answer is no, not really....however, it kinda depends....so....maybe.

When connecting over the Internet, you're hitting a Proxy, not your ADFS servers directly (assuming your configuration is set up properly). BY DEFAULT the Proxy uses FBA, which means the user will have to login interactively.

However....it is possible to set up TLS, but this is an all or nothing proposition, and introduces complexity. ALL of your users will have to have the correct certificate on their machine....but if they have more than one cert in their store they will be prompted to choose the correct cert.

You could have your user use VPN or DirectAccess to connect as though you are internal, but then that defeats the purpose of having a Proxy in front of ADFS, and introduces a step, which likely would require authentication.....so why do it if you have to authenticate anyway?


Here's a Microsoft blog that goes into WAY more detail. To be honest I don't know anything more about the TLS setup for ADFS because I've never done it. I don't need to, and my users are fine with logging in when they are outside the network.

TechNet Blogs - More information about SSO experience when authenticating via ADFS

Hope this helps,

Jonathan
NateR78 (asker):
I can live with users who are remote having to enter their username and password.  However, when those users come to the office, I would like them to not be required to do that.  I haven't quite figured out how to accomplish this... the option "Automatic login only in Intranet zone" seems to imply exactly what I'm trying to do.  That said, when that setting is enabled, automatic login works when on the local network, but user gets "page cannot be displayed" when NOT on the local network.  When "prompt for username and password" is enabled, it works both inside and outside the office, but requires a user to do that in both scenarios.

What am I missing??
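The "Automatic logon only in Intranet zone" behaviour described in the post above comes from two client-side inputs: the zone Internet Explorer assigns the ADFS host to, and that zone's logon policy. The PowerShell diagnostic below is an added example, not part of this thread or of any answer in it; it reads both settings from the registry so the effective behaviour can be checked on a laptop inside and outside the office. The ADFS hostname is a placeholder, the registry locations are the standard Internet Explorer Zones and ZoneMap keys (the Policies paths are where Group Policy's "Site to Zone Assignment List" writes), and it reads the per-user (HKCU) zone policy, which is what applies unless the machine-wide Security_HKLM_only override is set.

```powershell
# Added diagnostic (not from the thread): report which IE security zone the ADFS
# host lands in and what each zone's "Logon" policy is, so silent vs. prompted
# Windows authentication can be predicted before testing in a browser.
# Assumptions: run as the affected user on the domain-joined laptop; $AdfsHost is
# a placeholder; HKCU zone policy is read (Security_HKLM_only is not handled).
$AdfsHost = 'adfs.example.com'   # placeholder: replace with the ADFS (or proxy) FQDN

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Registry value 1A00 under each zone key is the "Logon" URL action.
$LogonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Explicit site-to-zone assignments, in the order IE honours them (policy first, then user/machine).
$ZoneMapRoots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-IeLogonPolicy {
    # One row per zone (Local intranet, Trusted sites, Internet) with its 1A00 logon setting.
    foreach ($zone in 1..3) {
        $raw = (Get-ItemProperty -Path (Join-Path $ZoneRoot $zone) -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($null -eq $raw) {
            $policy = 'not set (IE default for this zone)'
        } else {
            $value = [int]$raw
            $policy = if ($LogonNames.ContainsKey($value)) { $LogonNames[$value] } else { 'unknown value 0x{0:X}' -f $value }
        }
        [pscustomobject]@{ Zone = $ZoneNames[$zone]; LogonPolicy = $policy }
    }
}

function Get-IeZoneForHost {
    param([Parameter(Mandatory)][string]$HostName)
    # ZoneMap entries live at Domains\<domain>[\<host>] with a value named after the scheme.
    $labels = $HostName.ToLower().Split('.')
    switch ($labels.Count) {
        1       { $domainKey = $labels[0];               $hostKey = $null }
        2       { $domainKey = $labels -join '.';        $hostKey = $null }
        default { $domainKey = $labels[-2..-1] -join '.'; $hostKey = $labels[0..($labels.Count - 3)] -join '.' }
    }
    foreach ($root in $ZoneMapRoots) {
        $path = Join-Path $root $domainKey
        if ($hostKey) { $path = Join-Path $path $hostKey }
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($scheme in 'https', 'http', '*') {
            $zone = $props.$scheme
            if ($null -ne $zone) {
                return [pscustomobject]@{ Host = $HostName; Zone = $ZoneNames[[int]$zone]; Source = "$path ($scheme)" }
            }
        }
    }
    # No explicit mapping: IE applies its intranet heuristics (dotless names, proxy
    # bypass list); a dotted public name normally ends up in the Internet zone.
    [pscustomobject]@{ Host = $HostName; Zone = 'Internet (no explicit mapping; default heuristics apply)'; Source = 'none' }
}

# Put the two together for the ADFS host.
Get-IeZoneForHost -HostName $AdfsHost | Format-List
Get-IeLogonPolicy | Format-Table -AutoSize
```

Run it once on the office network and once remotely. For silent logon inside the office, the ADFS host must resolve to the Local intranet zone (an explicit mapping to zone 1, or a dotless name) and that zone's LogonPolicy must allow automatic logon; with the host in the Internet zone, IE will not send the cached domain credentials whatever the intranet setting says, so any difference between the two runs is in the Zone column rather than the policy column.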
Are your internal domain and your external domain names the same, or are they different?

eg: contoso.com versus contoso.corp

Also, what OS version and IE version are your clients running?

Have you installed and tested the Microsoft Online Services Sign-In Assistant?

If they are NOT running Office 2013, (Office 2013 does not require this to be done, only 2010 and lower require it), I would suggest that you run the Office 365 desktop setup to configure the desktop applications and install required updates, which also updates the Microsoft Online Services Sign-In Assistant installation package. If Microsoft Online Services Sign-In Assistant hasn't been installed, during running the Office 365 desktop setup, it will be installed accordingly.

To run the Office 365 desktop setup, sign into Office 365 portal (https://portal.microsoftonline.com/) with the Office 365 ID, and then click the upper-right corner Settings>Office 365 Settings>Software>desktop setup>set up.

Hope this helps,

Jonathan
NateR78 (asker):

We have differing internal and external domains.  This is not for Office 365, but other third-party services (Mimecast, ShareFile, and Net Documents are the main ones).

Jonathan Raper:

Understood. It is sounding like a client-side issue (Internet Explorer security settings). By the way, what version are you using? Or are you trying to use a different browser?

I'm betting you have, but I'm gonna ask anyway - have you followed the guidance in these articles? The one for Citrix explicitly states that the authentication should be silent. (very end of the document)

Mimecast - Enable ADFS SAML Single Sign-On Authentication

Citrix - Configure ShareFile Single Sign-On with ADFS

NetDocuments Federated Identity Deployment Guide

Hope this helps,

Jonathan
ASKER CERTIFIED SOLUTION

footech (United States of America):

This solution is only available to members.

Jonathan Raper:

Good post footech. My original post stated the assumption that a proxy was in play, but I never came out and point blank asked the question.

If a proxy is not in play, or if the proxy is misconfigured, then that would explain the issue as well.

Thanks for adding that info, it's good stuff.

Jonathan
NateR78 (asker):
Thanks for the explanation.  This solved my problem!  Much appreciated.