The Auth Connector must be installed (or reinstalled) to enable the SAML options for Auth Connector-as-IDP and to generate the IDP certificates. SAML must also be set up.
The promptless capability is provided by Windows Kerberos/NTLM SSO transactions.
Firefox, however, does NOT support Kerberos/NTLM SSO transactions by default. You can enable this with a Firefox configuration setting.
How to Enable NTLM SSO in Firefox:
- In Firefox, type: about:config
- Find the preference: network.automatic-ntlm-auth.trusted-uris
- Enter the URIs (separated by a comma *and* a space) of the Windows Server where the BCCA-as-IDP is running, like:
No further action is needed in Chrome or Internet Explorer (support for Kerberos/NTLM SSO transactions is on by default).
With Captive Portal for Explicit Proxy, one of the most common hang-ups is forgetting to EXCLUDE the IDP’s hostname from Explicit Proxy (that is, from being sent to the Cloud).
The traffic between the browser and the IDP should NOT go through the Cloud.
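One way to implement this exclusion, assuming browsers receive their explicit proxy settings from a PAC file (the page does not say how the proxy is configured). This is an added example, not vendor code; the IDP hostname and proxy address are constructed placeholders.

```javascript
// Added example: PAC file that keeps browser <-> IDP traffic off the cloud proxy.
// Written in ES3-style JavaScript so legacy PAC engines can also parse it.

// Constructed placeholders (not from the page): replace with your own values.
var IDP_HOSTS = ["idp.corp.example"];          // server running the Auth Connector as IDP
var CLOUD_PROXY = "PROXY proxy.example:8080";  // explicit proxy endpoint

// Normalize a hostname for comparison: lower-case it and drop one trailing dot
// ("idp.corp.example." is the fully qualified form of the same host).
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  if (h.length > 0 && h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  return h;
}

// Exact match only. A suffix or substring match would also bypass the proxy
// for unrelated names such as "idp.corp.example.other.test".
function isIdpHost(host) {
  var h = normalizeHost(host);
  for (var i = 0; i < IDP_HOSTS.length; i++) {
    if (h === IDP_HOSTS[i]) {
      return true;
    }
  }
  return false;
}

// Standard PAC entry point, called by the browser for every request.
function FindProxyForURL(url, host) {
  if (isIdpHost(host)) {
    return "DIRECT";   // IDP traffic stays on the local network
  }
  return CLOUD_PROXY;  // everything else goes through the explicit proxy
}
```

Keep the bypass list limited to the exact IDP hostname so that no other traffic skips the proxy.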