(Source: VIP integration guide for Microsoft AD FS)
If the link is missing, check the following VIP out-of-band (OOB) requirements for the AD FS integration:
- The user in Active Directory has values for the email, telephone, and/or mobile attributes, which are fetched during an out-of-band authentication.
- The VIP SSP IdP service is up and running and is reachable from the user's computer (test this by pasting the idpURL into a browser).
- The AD FS VIP certificate is added in SSP IdP under the Trusted Access Setting configuration. This is the same certificate used on the AD FS server(s) by the VIP plugin.
- The time difference between the AD FS server and the SSP IdP server is no more than 60 seconds.
- On the VIP Enterprise Gateway:
  - On the User Store tab, click Edit on the relevant User Store.
  - In the Select Attribute field of the Search Criteria tab, ensure that one or more attributes are selected (Email, SMS, and/or Voice).
  - In the End User Access Settings sub-tab of the Identity Providers tab, set Enable Automatic Distribution to Yes.
- If the login ID and the Cloud ID are not the same, ensure that the Cloud ID is part of the User Store filter in the VIP Enterprise Gateway User Store settings.
- The Content-Security-Policy response header sent by AD FS allows content from the VIP user services host. Set it on the AD FS server with the following command (when no script-src directive is present, browsers apply default-src to scripts, and keyword sources such as 'unsafe-eval' must be quoted or the browser ignores them):
  Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' https://userservices.vip.symantec.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"
- The user account is not locked in AD or in VIP Manager.
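As an added check that is not part of the guide: a small Python script that parses a candidate Content-Security-Policy value before it is applied with Set-AdfsResponseHeaders and reports whether a browser would be allowed to load VIP content from the user services host named above. The host name is the one from the guide; which conditions matter (the VIP host and 'self' allowed for scripts, keywords properly quoted) is an assumption drawn from the command above.

```python
"""Sanity-check a CSP value before applying it to AD FS for the VIP plugin."""
from urllib.parse import urlparse

VIP_HOST = "https://userservices.vip.symantec.com"  # host named in the guide
KEYWORDS = {"self", "unsafe-inline", "unsafe-eval", "none", "strict-dynamic"}


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for raw in value.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def unquoted_keywords(policy):
    """Keywords missing their quotes (unsafe-eval, unsafe-eval') are parsed by
    browsers as host names that never match, so the permission silently vanishes."""
    return [s for sources in policy.values() for s in sources
            if s.strip("'").lower() in KEYWORDS
            and not (s.startswith("'") and s.endswith("'"))]


def host_allowed(sources, url):
    """True if url matches a host-source (scheme optional, leading *. wildcard)."""
    target = urlparse(url)
    for s in sources:
        if s == "*":
            return True
        if s.startswith("'"):  # keyword source, not a host
            continue
        src = urlparse(s if "://" in s else "//" + s)
        if src.scheme and src.scheme != target.scheme:
            continue
        h = src.hostname or ""
        if h == target.hostname or (h.startswith("*.") and target.hostname.endswith(h[1:])):
            return True
    return False


def check_vip_csp(value):
    """Return the list of problems found; an empty list means the policy is usable."""
    policy = parse_csp(value)
    problems = [f"unquoted keyword: {k}" for k in unquoted_keywords(policy)]
    # With no script-src directive, browsers fall back to default-src for scripts.
    srcs = policy.get("script-src", policy.get("default-src", []))
    if not host_allowed(srcs, VIP_HOST):
        problems.append(f"scripts from {VIP_HOST} are not allowed")
    if "'self'" not in srcs and "*" not in srcs:
        problems.append("scripts from the AD FS host itself ('self') are not allowed")
    return problems
```

Run check_vip_csp on the value you intend to pass as -SetHeaderValue; a policy with an unquoted keyword or without the VIP host is a common cause of the missing OOB link.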
Note: If the OOB request reaches the Enterprise Gateway, a SAML assertion is sent to AD by the SSP IdP. The PHONE, MOBILE_PHONE, and/or EMAIL attributes are returned in the response to the EGW, then back to the browser. The VIP SSP service.log (in debug mode) will show this transaction flow if successful. If the request is received by the client, the browser F12 console debug logs show 1) the outgoing request (i.e.,