Is it possible to set up ADFS 3.0 / 4.0 relying party trusts into one so users have a true SSO experience?

Hi, is there a way to set up ADFS 3.0/4.0 (Windows Server 2012 R2 / Windows Server 2016) so it allows a user to log in once and then presents a landing page of all the services (cloud and on-premises) available to that individual based on their group membership or role?  Basically, being a true SSO.

Currently, my ADFS 4.0 (Windows Server 2016) is set up with multiple "relying party trusts", which act individually and require the user to log into each service separately from a drop-down list.

(Example: ADFS 4.0 Multiple Relying Party Trust Sign In Page Listing Examples)

Just trying to figure out how I could remove the drop-down listing altogether but allow a true SSO experience.

If you need further details to answer my questions, just let me know.

Hopefully, I am making sense.

Any suggestions, recommendations, ideas, links, articles, etc. are much appreciated.

Thanks in advance.
rsnellman (IT Manager) Asked:
Vasil Michev (MVP) Commented:

rsnellman (IT Manager, Author) Commented:

So, how would I know what the smart link should be?  Never heard of them.

Because I am thinking of applications/cloud services authentication.

Not just Office365, but Canvas and a few other cloud services, as well as, some on-premises applications to be attached some how.

Vasil Michev (MVP) Commented:
Simply use the example I gave above; there is no way for us to know what the RPTs are called on your end. The article explains some of the additional parameters you can use to construct smart links.
rsnellman (IT Manager, Author) Commented:
OK.  I think I might be following you...

I read your article, very nice...however, I am a bit confused...

So, the smart link would be my ADFS server Sign-In Page URL?  

In this example what does the "loginToRP=rpidentifier" need to be?  The other end of the link (cloud application)? URL or something?
Vasil Michev (MVP) Commented:
It needs to be the identifier of the RPT you have created for the application/URL on your AD FS server. A more advanced version is the RelayState parameter:
Or the official documentation here:
rsnellman (IT Manager, Author) Commented:
Hi, Vasil.  Thank  you for the direction and information.

I understand the RP identifiers as that is easily located in my ADFS Management of the created RPT's.

However, I am still not following the concept of smart links.  Probably just me, but I have a couple of quick questions that might help me clear things up.

Can I have multiple RP=rpidentifiers in a single link (URL)?  


Or how would I set it up to allow login to multiple RPT's simultaneously or does smart links work another way?

Just not sure I fully understand how smart links work...I read the articles and other articles, but not fully clear on the concept yet.

Vasil Michev (MVP) Commented:
It's for a single RP only, but you can of course create one smart link for each RP. And then put them in a webpage, as a start page for your browser, a dropdown menu or any other control you want to present to the users.
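The "one smart link per RP, then lay them out on a page" approach described in the comment above, as an added example that is not code from the thread or from Microsoft. It runs in an elevated PowerShell on an AD FS 2016 node (where Get-AdfsRelyingPartyTrust and Get-AdfsProperties exist); off the server it falls back to constructed sample data. The federation service name sts.contoso.com, the RP identifiers and the output path are assumptions; use the Identifier values shown in AD FS Management for your own trusts.

```powershell
# Added example (not from the thread): build AD FS "smart links" (IdP-initiated sign-on URLs)
# for every relying party trust and emit a simple landing page with one link per service.
# Assumptions: federation service sts.contoso.com; sample RP identifiers below are made up.

function New-AdfsSmartLink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FederationServiceName,   # e.g. sts.contoso.com
        [Parameter(Mandatory)] [string] $RelyingPartyIdentifier,  # the RPT's Identifier, not its display name
        [string] $TargetUrl                                       # optional deep link inside the application
    )
    $base = "https://$FederationServiceName/adfs/ls/idpinitiatedsignon.aspx"
    $rpid = [System.Uri]::EscapeDataString($RelyingPartyIdentifier)

    if (-not $TargetUrl) {
        # loginToRP form: sign in once, then land on the RP's default page.
        return "${base}?loginToRP=$rpid"
    }

    # RelayState form: encode RPID and the target URL separately, join them, then encode the
    # joined string once more so it survives as a single query-string value (values end up double-encoded).
    $target = [System.Uri]::EscapeDataString($TargetUrl)
    $inner  = "RPID=$rpid&RelayState=$target"
    return "${base}?RelayState=" + [System.Uri]::EscapeDataString($inner)
}

# Server-side prerequisites. In AD FS 2016 the IdP-initiated sign-on page is disabled by default and
# RelayState for IdP-initiated sign-on must be switched on explicitly. SsoLifetime (minutes) is the
# window in which a user who signed in for one RP can follow a link to another RP without a new prompt.
function Test-AdfsSmartLinkPrerequisites {
    $p = Get-AdfsProperties
    [pscustomobject]@{
        IdpInitiatedPageEnabled = $p.EnableIdpInitiatedSignonPage
        RelayStateEnabled       = $p.EnableRelayStateForIdpInitiatedSignOn
        SsoLifetimeMinutes      = $p.SsoLifetime
    }
}
# To enable both flags once:
#   Set-AdfsProperties -EnableIdpInitiatedSignonPage $true -EnableRelayStateForIdpInitiatedSignOn $true

$sts = 'sts.contoso.com'
if (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue) {
    # On an AD FS node: read the real, enabled trusts.
    $rps = Get-AdfsRelyingPartyTrust | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Identifier = ($_.Identifier | Select-Object -First 1) }
    }
} else {
    # Elsewhere: constructed sample data standing in for the four services in the thread.
    $rps = @(
        [pscustomobject]@{ Name = 'Cloud Service A'; Identifier = 'https://service-a.example.com/saml/metadata' }
        [pscustomobject]@{ Name = 'Cloud Service B'; Identifier = 'urn:service-b:contoso' }
        [pscustomobject]@{ Name = 'Cloud Service C'; Identifier = 'https://service-c.example.com/' }
        [pscustomobject]@{ Name = 'Cloud Service D'; Identifier = 'urn:federation:service-d' }
    )
}

$links = foreach ($rp in $rps) {
    [pscustomobject]@{
        Service   = $rp.Name
        SmartLink = New-AdfsSmartLink -FederationServiceName $sts -RelyingPartyIdentifier $rp.Identifier
    }
}
$links | Format-Table -AutoSize -Wrap

# Deep link into one application via RelayState (assumed target URL).
New-AdfsSmartLink -FederationServiceName $sts -RelyingPartyIdentifier 'urn:service-b:contoso' `
    -TargetUrl 'https://service-b.example.com/courses/42'

# Minimal landing page. Both the href and the visible name are HTML-encoded: the link contains '&'
# and RPT names are free text typed by an administrator.
$items = $links | ForEach-Object {
    $href = [System.Net.WebUtility]::HtmlEncode($_.SmartLink)
    $name = [System.Net.WebUtility]::HtmlEncode($_.Service)
    "  <li><a href=""$href"">$name</a></li>"
}
$html = "<!doctype html>`n<html><body><h1>Your services</h1><ul>`n$($items -join "`n")`n</ul></body></html>"
$html | Set-Content -Path .\landing.html -Encoding UTF8
```

Two things to check before publishing such a page: the idpinitiatedsignon.aspx page itself shows the RP drop-down to anyone who reaches it, before authentication, so enabling it exposes the list of trust names; and a service provider that does not accept unsolicited (IdP-initiated) assertions will reject the smart link, in which case the landing page has to carry the application's own sign-in URL (SP-initiated) instead.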
rsnellman (IT Manager, Author) Commented:
OK.  I was thinking it was only for a single RP.

So, if I created a smart link for each RPT then had each of those URL's (links) on a single web page with presentable icon links for each service and if the end user logged into one of them, would it allow them to go to the other linked services without authenticating because they already authenticated with a previous service?

RPT 1 (Smart Link)  =  Cloud Service A
RPT 2 (Smart Link)  =  Cloud Service B
RPT 3 (Smart Link)  =  Cloud Service C
RPT 4 (Smart Link)  =  Cloud Service D

If an end user logs into Cloud Service A from the ADFS login (smart link) page and then is redirected to that cloud service application then decides to navigate to Cloud Service C without logging out of Cloud Service A, would the end user have to authenticate to Cloud Service C too?

Another idea, could I have a main ADFS login page that once the end user is successfully authenticated is redirected to a web page with all the cloud services (A - D) on it and they could just select which service (cloud application) they would like to access without re-authenticating?

Lastly, if it is possible to set up, if the end user logs into the main ADFS login page and is redirected to a web page with the cloud service applications they have rights to use/access...and the end user selects Cloud Service B then goes to Cloud Service D without logging out of Cloud Service B first then logs out of Cloud Service D, would that essentially kill their other sessions/activity in Cloud Service B too?

Just trying to see the whole picture before I begin laying out the plan and implementing it.

Thanks again.
Vasil Michev (MVP) Commented:
That depends on too many factors. In general you log on to the AD FS server once, or even better, you are configured for Seamless SSO so you never actually see a logon prompt. At this point you can select any RPT and get redirected to it; however, this doesn't necessarily mean that you will be able to access the app, as there might be additional auth steps involved, or claims rules configured, or requirements imposed on the service provider side. The app might not even support this "IdP-initiated" scenario and you will have to use SP-initiated links. It will also depend on the type of federation configured, the lifetime of the tokens/cookies and whatnot.
rsnellman (IT Manager, Author) Commented:
OK.  Thanks Vasil.  I think I am finally wrapping my head around it all.  It is pretty simple, but can be made complicated by individuals like me.  :-)

I found this and am wondering if I am reading it correctly, which is I can indeed customize the look and feel of each individual RPT login page.
AD FS Customization in Windows Server 2016

Is that how you read that too?

You have been a big help.  I truly appreciate all of your amazing help on this topic.
Vasil Michev (MVP) Commented:
Yes, you can customize it per RPT in 2016, but I thought your goal was to have a single page with all of them shown at the same place? In general you should be able to modify the idpinitiatedsignon.aspx directly as well, however changes you make on it will probably be overwritten with the next AD FS patch.
rsnellman (IT Manager, Author) Commented:
Yeah, my ultimate goal would be to "have a single page with all of them shown at the same place", but I am just looking at my other options...plan B in case I cannot accomplish that "ultimate goal" in a reasonable timeline.

So, if I make each Sign-In Page custom to each RPT, then will I need to reapply those changes (i.e. logo, illustration, etc.) after any MS updates pertaining to AD FS in the future?  Or were you just referring to the idpinitiatedsignon.aspx page?

Thanks again for everything.
Vasil Michev (MVP) Commented:
The per-RPT customizations should be "safe" with respect to updates.
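The per-RPT customization confirmed in the two comments above, as an added example that is not code from the thread or from Microsoft. It runs in an elevated PowerShell on an AD FS 2016 node; the RPT name 'Cloud Service B', the company name and the image paths are assumptions. Because the per-RP theme and text are written to the AD FS configuration database rather than to files under the AD FS web directory, they are not overwritten the way hand edits to idpinitiatedsignon.aspx can be.

```powershell
# Added example (not from the thread): give one relying party its own logo, illustration and
# sign-in text on the AD FS 2016 sign-in page, leaving the global theme and other RPTs untouched.
# Assumptions: RPT display name 'Cloud Service B'; branding file paths are made up.

$rpName = 'Cloud Service B'
$brand  = @{
    Logo         = 'C:\Branding\service-b-logo.png'          # small logo at the top of the sign-in form
    Illustration = 'C:\Branding\service-b-illustration.jpg'  # large image in the left pane
}

# Fail early on a mistyped RPT name or a missing file; the cmdlets below would otherwise
# create a binding for nothing or leave the page half-branded.
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    throw "No relying party trust named '$rpName' on this AD FS farm"
}
foreach ($path in $brand.Values) {
    if (-not (Test-Path -Path $path)) { throw "Branding file not found: $path" }
}

# Per-RP theme: images are stored in the AD FS configuration database for this RPT only.
Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName $rpName `
    -Logo         @{ Path = $brand.Logo } `
    -Illustration @{ Path = $brand.Illustration }

# Per-RP text shown next to the sign-in form.
Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName $rpName `
    -CompanyName 'Contoso' `
    -SignInPageDescriptionText 'Sign in with your Contoso account to open Cloud Service B.'

# Show what is bound now. To revert a single RPT to the global theme:
#   Remove-AdfsRelyingPartyWebTheme -TargetRelyingPartyName $rpName
Get-AdfsRelyingPartyWebTheme
Get-AdfsRelyingPartyWebContent
```

Repeat the block once per RPT that needs its own look; the global theme (Set-AdfsWebTheme) still applies to any RPT without a per-RP binding and to the idpinitiatedsignon.aspx drop-down page itself.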
rsnellman (IT Manager, Author) Commented:
OK.  Thanks for confirming.  

I couldn't have accomplished this in the time crunch required without your assistance.

Those smart links were a life saver.

So, from the bottom of my heart, thank you, thank you, thank you.

Have a great day.