(Source: VIP integration guide for Microsoft AD FS)
If the link is missing, check the following VIP out-of-band (OOB) requirements for the AD FS integration:
- The user in Active Directory has values for email, telephone, and/or mobile attributes that are fetched during an out-of-band authentication.
- The VIP SSP IdP service is up and running and is accessible from the user's computer. (This can be tested by copying the idpURL into a browser.)
- The AD FS VIP certificate is added in SSP IdP under the Trusted Access Setting configuration. This is the same certificate used on the AD FS server(s) by the VIP plugin.
- The time difference between the AD FS server and the SSP IdP server is no more than 60 seconds.
- On the VIP Enterprise Gateway:
  - On the User Store tab, click Edit on the relevant User Store.
  - In the Select Attribute field of the Search Criteria tab, ensure that one or more attributes are selected (Email, SMS, and/or Voice).
  - In the End User Access Settings sub-tab of the Identity Providers tab, set Enable Automatic Distribution to Yes.
- If the login ID and the Cloud ID are not the same, ensure that the Cloud ID is part of the User Store filter in the VIP Enterprise Gateway User Store settings.
- Test direct access to the IdP URL in the JavaScript from a browser. In the following example script tag, the IdP URL is the value of the idpURL parameter (https://vipsspidp.com:8233/vipssp/trustedserviceaccess):
<script type="text/javascript" src="https://userservices.vip.symantec.com/vipuserservices/resources/js/v_1_0/vip?appId=8802758888&idpURL=https://vipsspidp.com:8233/vipssp/trustedserviceaccess&autoIntegration=manual"></script>
- With Windows Server 2019, Microsoft introduced content security policies to prevent accidental execution of malicious content. For the VIP JavaScript to integrate with AD FS on Windows Server 2019, you must modify the Content-Security-Policy header to allow the User Services URL (https://userservices.vip.symantec.com). To do this, run the following command on your AD FS server (every CSP keyword must be enclosed in single quotes; an unquoted or half-quoted keyword such as unsafe-eval' is silently ignored by the browser):
Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' https://userservices.vip.symantec.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"
Because 'unsafe-inline' and 'unsafe-eval' remove most of the protection a CSP gives against injected script, keep the rest of the policy as tight as your deployment allows.
- The user must not be locked out in AD or in VIP Manager.
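As an added example (not Symantec VIP or Microsoft code), the following Python script shows what a browser's CSP evaluation does with the header value set above: it pulls the script origin and the idpURL out of the integration script tag, parses the policy, lints malformed tokens (a half-quoted keyword, a directive name where a source was expected, an empty script-src), and reports whether the VIP User Services origin is permitted. The matcher is a simplified one (keywords, scheme sources and host sources with a leading wildcard; nonces and hashes are out of scope). The appId and idpURL are the ones printed on this page, not live values.

```python
"""Check that the AD FS Content-Security-Policy value lets the browser load
the VIP User Services script. Added example with a simplified CSP matcher."""
import re
from urllib.parse import parse_qs, urlsplit

# Script tag as shown in the guide (appId and idpURL copied from the page).
SCRIPT_TAG = (
    '<script type="text/javascript" src="https://userservices.vip.symantec.com'
    '/vipuserservices/resources/js/v_1_0/vip?appId=8802758888'
    '&idpURL=https://vipsspidp.com:8233/vipssp/trustedserviceaccess'
    '&autoIntegration=manual"></script>'
)
# Header value as originally printed: unbalanced quote around unsafe-eval
# and a bare "script-src" token where a source is expected.
BROKEN_CSP = ("default-src 'self' https://userservices.vip.symantec.com "
              "'unsafe-inline' unsafe-eval' script-src; img-src 'self' data:; ")
# Corrected value: keywords quoted, no stray directive name.
FIXED_CSP = ("default-src 'self' https://userservices.vip.symantec.com "
             "'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;")

KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'unsafe-hashes'", "'strict-dynamic'", "'report-sample'",
            "'wasm-unsafe-eval'"}
HOST_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?P<host>\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"
    r"(?::(?P<port>\d+|\*))?$", re.I)


def script_src(tag):
    """Return the src URL of a <script> tag."""
    m = re.search(r'\ssrc="([^"]+)"', tag)
    if not m:
        raise ValueError("script tag has no src attribute")
    return m.group(1)


def idp_url(tag):
    """Return the idpURL parameter the VIP script will call (must be https)."""
    url = parse_qs(urlsplit(script_src(tag)).query).get("idpURL", [None])[0]
    if not url or urlsplit(url).scheme != "https":
        raise ValueError(f"idpURL missing or not https: {url!r}")
    return url


def origin_of(url):
    """(scheme, host, port) of a URL, filling in the default port."""
    p = urlsplit(url)
    return p.scheme.lower(), p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80)


def parse_csp(value):
    """Split a CSP into {directive: [sources]} and collect lint warnings."""
    policy, warnings = {}, []
    for raw in value.split(";"):
        parts = raw.split()
        if not parts:
            continue
        name, tokens = parts[0].lower(), parts[1:]
        if name in policy:          # browsers honour the first occurrence only
            warnings.append(f"duplicate directive {name} ignored")
            continue
        for t in tokens:
            quoted = t.startswith("'") and t.endswith("'")
            if t.startswith("'") != t.endswith("'"):
                warnings.append(f"{name}: unbalanced quote in {t!r}, token matches nothing")
            elif quoted and t not in KEYWORDS and not t.startswith(("'nonce-", "'sha")):
                warnings.append(f"{name}: unknown keyword {t}")
            elif not quoted and t.endswith("-src"):
                warnings.append(f"{name}: {t!r} looks like a directive name; missing ';' before it?")
        policy[name] = tokens
    return policy, warnings


def source_matches(token, origin):
    """Does one CSP source expression permit a resource from origin?"""
    scheme, host, port = origin
    if token.startswith("'"):
        return False               # keywords never match a third-party origin
    if token.endswith(":"):        # scheme source, e.g. https:
        return token[:-1].lower() == scheme
    m = HOST_RE.match(token)
    if not m or (m["scheme"] and m["scheme"].lower() != scheme):
        return False
    h = m["host"].lower()
    if not (h == "*" or (h.startswith("*.") and host.endswith(h[1:])) or host == h):
        return False
    if m["port"] is None:
        return port == (443 if scheme == "https" else 80)
    return m["port"] == "*" or int(m["port"]) == port


def csp_allows_script(value, script_url):
    """Return (allowed, warnings) for loading script_url under this policy."""
    policy, warnings = parse_csp(value)
    directive = "script-src" if "script-src" in policy else "default-src"
    sources = policy.get(directive)
    if sources is None:
        return True, warnings      # no governing directive: nothing restricted
    if not sources or "'none'" in sources:
        return False, warnings + [f"{directive} permits no sources at all"]
    origin = origin_of(script_url)
    return any(source_matches(t, origin) for t in sources), warnings


if __name__ == "__main__":
    src = script_src(SCRIPT_TAG)
    print("VIP script:", src, "\nIdP URL:", idp_url(SCRIPT_TAG))
    for label, csp in (("as printed", BROKEN_CSP), ("corrected", FIXED_CSP)):
        allowed, warns = csp_allows_script(csp, src)
        print(f"{label}: allowed={allowed}", *warns, sep="\n  ")
```

Running it shows that the value as originally printed still happens to allow the VIP origin (the stray tokens are simply ignored), whereas placing a ';' before the dangling script-src would create an empty script-src directive that blocks every script on the AD FS sign-in page; that is the failure mode worth checking for before changing the header in production.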
Note: If the OOB request reaches the Enterprise Gateway, a SAML assertion is sent to AD by the SSP IdP. The PHONE, MOBILE_PHONE, and/or EMAIL attributes are returned in the response to the EGW and then back to the browser. The VIP SSP service.log (in debug mode) shows this transaction flow when it succeeds. If the request is received by the client, the browser F12 console debug logs show 1) the outgoing request (Fetching OOB Options from SSP) and 2) the response received (Message received. Type: [sspSession]).