Users get prompted for authentication when using the Symantec Auth Connector as the SAML IdP with Chrome and Firefox browsers. As an administrator, I would like seamless authentication (without the need to re-enter a user’s password) in a corporate network.
The browsers need to be configured to use Kerberos or NTLM authentication.
To allow the Kerberos/NTLM transactions, the client browsers must trust the Auth Connector agent. The browser cannot present a cached credential unless the site (the Auth Connector hostname) exists in the local/trusted site zone. You can accomplish this with various methods.
Use group policy to configure browsers to add the Auth Connector hostname to their Local Intranet and Trusted Sites. See Group Policy Reference below.
By default, Kerberos support in Firefox is disabled. To enable it, do the following:
Safari works out of the box if a Kerberos ticket was created during the Mac OS and Active Directory integration.
setspn -L DOMAIN\bccaserviceADaccount
setspn -S http/BCCA_FQDN.com DOMAIN\bccaserviceADaccount
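To confirm on a domain-joined Windows client that the trust settings and the SPN described above are actually in place, the following audit script can be run. It is an added example, not part of the original article or of Symantec's tooling; the registry policy locations for the zone assignment list, Chrome and Firefox are assumptions about how the group policy was deployed, and `BCCA_FQDN.com` is the article's placeholder hostname.

```powershell
# Added example: audit one Windows client for the settings this article requires.
# $ConnectorHost is a placeholder; pass your Auth Connector FQDN instead.
param([string]$ConnectorHost = 'BCCA_FQDN.com')

function Test-HostPattern([string]$Pattern, [string]$HostName, [switch]$Suffix) {
    # Strip scheme and path, then wildcard-match (or suffix-match, as Firefox does).
    $p = ($Pattern.Trim() -replace '^[a-z]+://', '') -replace '/.*$', ''
    if ($p -eq '') { return $false }
    if ($Suffix) { return $HostName -eq $p.TrimStart('.') -or $HostName -like "*.$($p.TrimStart('.'))" }
    return $HostName -like $p
}

function Get-RegValues([string]$Path) {
    # Return name/value pairs under a key, or nothing if the key is absent.
    if (-not (Test-Path $Path)) { return @() }
    $item = Get-Item $Path
    $item.GetValueNames() | ForEach-Object {
        [pscustomobject]@{ Name = $_; Value = [string]$item.GetValue($_) }
    }
}

$report = [ordered]@{}

# 1. Site to Zone Assignment List: value name = site, data = zone (1 = Local Intranet, 2 = Trusted Sites)
$zones = foreach ($hive in 'HKLM:', 'HKCU:') {
    Get-RegValues "$hive\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey" |
        Where-Object { (Test-HostPattern $_.Name $ConnectorHost) -and $_.Value -in '1', '2' }
}
$report['ZoneAssignment'] = [bool]$zones

# 2. Chrome: AuthServerAllowlist is a comma-separated list that may contain wildcards
$chrome = Get-RegValues 'HKLM:\SOFTWARE\Policies\Google\Chrome' | Where-Object Name -eq 'AuthServerAllowlist'
$report['ChromeAllowlist'] = if ($chrome) {
    [bool]($chrome.Value -split ',' | Where-Object { Test-HostPattern $_ $ConnectorHost })
} else { 'unset (Chrome falls back to intranet detection)' }

# 3. Firefox enterprise policy: Authentication\SPNEGO and \NTLM hold numbered string values
foreach ($scheme in 'SPNEGO', 'NTLM') {
    $uris = Get-RegValues "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Authentication\$scheme"
    $report["Firefox$scheme"] = [bool]($uris | Where-Object { Test-HostPattern $_.Value $ConnectorHost -Suffix })
}

# 4. SPN: setspn -Q prints one "CN=..." line per account holding the SPN; expect exactly 1
$holders = @(setspn -Q "http/$ConnectorHost" 2>$null | Where-Object { $_ -match '^CN=' })
$report['SpnHolders'] = $holders.Count

[pscustomobject]$report
```

A `SpnHolders` value of 0 means the `setspn -S` step has not been done; a value above 1 means the SPN is duplicated and Kerberos tickets for the Auth Connector will fail until the extra registration is removed.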