Promptless authentication does not work for Firefox/Chrome using SAML and ADFS 3.0


Article ID: 171452

Products

Web Security Service - WSS

Issue/Introduction

You are using SAML with ADFS 3.0 as the IdP and have set up promptless authentication (Single Sign-On) for your browsers, but it only works in Internet Explorer. You have already configured Firefox and Chrome to trust the IdP's URL for integrated authentication, as described here and here.

Cause

By default, ADFS only offers Windows Integrated Authentication (the mechanism behind promptless Single Sign-On) to browsers whose User-Agent matches an entry in its WIASupportedUserAgents list, and that list ships with Internet Explorer entries only. Every other browser is sent to the forms-based login page. You must change the ADFS configuration to add the user agents of the other browsers that should get Single Sign-On.

Resolution

1. On the ADFS server, confirm that the Firefox and Chrome user agents are not yet present. In an elevated PowerShell session, run:

Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents

2. You will now see the list of all browser user agents for which ADFS currently offers Windows Integrated Authentication.

3. The entries you need are Chrome and Mozilla/5.0. Unfortunately, you cannot just add the two missing ones: Set-AdfsProperties replaces the whole list, so the command must pass all the existing entries together with the new ones.

Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain","MSIE 6.0","MSIE 7.0","MSIE 8.0","MSIE 9.0","MSIE 10.0","Trident/7.0","MSIPC","Windows Rights Management Client","Mozilla/5.0","Chrome/41.0.2228.0")

4. Now run the command again:

Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents

and check that Mozilla/5.0 and Chrome/41.0.2228.0 have been added to the list.

5. Restart the ADFS service (adfssrv) so the new list takes effect:

net stop adfssrv
net start adfssrv

6. Test Single Sign-On on Firefox and Chrome.
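The following script carries out steps 1 to 5 above in one idempotent pass. It is an added example, not part of this article or of the ADFS product documentation. It reads the current WIASupportedUserAgents list, appends only the entries that are still missing (so the existing entries are preserved and re-running it is harmless), verifies the result, and restarts the service with Restart-Service, which is the PowerShell equivalent of the net stop/net start pair above. It assumes an elevated PowerShell session on the primary ADFS server with the ADFS module available; the $wanted list holds exactly the two values the article adds. Note that each entry is matched as a substring of the browser's User-Agent header, so "Mozilla/5.0" enables integrated authentication for practically every modern browser, not only Firefox; review the list with that in mind before applying it.

```powershell
# Added example (not from the article): enable Windows Integrated Authentication
# in ADFS for Firefox and Chrome by extending WIASupportedUserAgents.
# Assumes: elevated PowerShell on the primary ADFS server, ADFS module present.
Import-Module ADFS -ErrorAction Stop

# User-Agent substrings to enable; these are the two values the article adds.
$wanted = @("Mozilla/5.0", "Chrome/41.0.2228.0")

# Steps 1-2: read the current list. Set-AdfsProperties replaces the whole
# list, so the existing entries must be kept and passed back in.
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
Write-Host "Current WIASupportedUserAgents:"
$current | ForEach-Object { Write-Host "  $_" }

# Step 3: append only the entries that are not already present.
$missing = @($wanted | Where-Object { $current -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host "Nothing to add; all requested user agents are already present."
    return
}
$updated = $current + $missing
Set-AdfsProperties -WIASupportedUserAgents $updated

# Step 4: re-read the list and confirm every wanted entry is now there.
$after = @((Get-AdfsProperties).WIASupportedUserAgents)
$stillMissing = @($wanted | Where-Object { $after -notcontains $_ })
if ($stillMissing.Count -gt 0) {
    throw "Failed to add user agents: $($stillMissing -join ', ')"
}
Write-Host "Added: $($missing -join ', ')"

# Step 5: restart the ADFS service so the new list is used
# (same effect as 'net stop adfssrv' followed by 'net start adfssrv').
Restart-Service -Name adfssrv -Force
Write-Host "adfssrv restarted; test Single Sign-On in Firefox and Chrome."
```

Run the script once on the primary ADFS server; in a farm the property is replicated to the secondary servers, but each server's adfssrv service must be restarted for the change to apply there.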