SSO and Windows authentication

SME
Giga Guru

Hi,

We have enabled multiple-provider SSO and applied the settings from this link, Configuring ADFS 2.0 to Communicate with SAML 2.0 - ServiceNow Wiki, to do Windows authentication.

This shows the company's login page once, to enter the AD user name and password. After that it remembers the login credentials and does not show the login page again; it automatically logs in every time you access the SNOW instance.

Is it possible to get rid of the login page even the first time? I mean, when a user logs into his desktop/laptop, it takes the login info from there and automatically logs in when he accesses the SNOW instance.

Thanks.

21 REPLIES

coryseering
ServiceNow Employee

You want users to log in with IdP-initiated login:



http://wiki.servicenow.com/index.php?title=Configuring_ADFS_2.0_to_Communicate_with_SAML_2.0#Logging...



However, this requires that the identity provider be set up to have users auto-login without needing to enter their credentials, which is not a configuration in ServiceNow but would be done on the identity provider side.


tony_barratt
ServiceNow Employee

Hi Mansi,



When you log in to your workstation in your enterprise, are you authenticated by an ADFS server?


In that case you may be able to use the ability to log in behind the scenes without further user input.



Facilitate "Windows-based authentication" as per the Wiki article below to see if it works for you.



Best Regards



Tony





Configuring ADFS 2.0 to Communicate with SAML 2.0 - ServiceNow Wiki


..


9 Workaround: Supporting Kerberos Authentication

Currently, the SAML 2 integration uses a PasswordProtectedTransport or "forms-based authentication" authentication context. This authentication context requires the IdP to present users with a form for authentication credentials. With Kerberos, a SAML session is already active through an established Windows login, so the user does not need to authenticate with the IdP.


The following example applies a workaround to the SAML 2.0 integration that changes the authentication context from "forms-based authentication" to "Windows-based authentication."


  1. Navigate to SAML 2 Single Sign-on > Properties.
  2. Search for the following properties:
    Property: Create an AuthnContextClass request in the AuthnRequest statement.
    Set this to "Yes" to force the one you want. If you set this to "No", the IdP will decide which is best.

    Property: The AuthnContextClassRef method that will be included in our SAML 2.0 AuthnRequest to the Identity Provider.
    Set this to one of the following values:
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (Default)
    urn:federation:authentication:windows
  3. Click Update.

Also, the browser is a factor, so you could try IE first; others should work as well. Check the browser settings if it is not working as expected.
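To confirm which of the two property values above actually reaches the IdP, the SAMLRequest captured from the browser can be decoded and its RequestedAuthnContext inspected. This is an added example, not part of the thread or the ServiceNow wiki; it assumes the HTTP-Redirect binding (base64 over raw DEFLATE), and the function names and the sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FORMS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
WINDOWS = "urn:federation:authentication:windows"


def decode_redirect_binding(saml_request):
    """URL-decoded SAMLRequest value -> XML bytes (base64, then raw DEFLATE)."""
    return zlib.decompress(base64.b64decode(saml_request), -15)


def requested_authn_context(xml_bytes):
    """Report which authentication context an AuthnRequest asks the IdP for."""
    if b"<!DOCTYPE" in xml_bytes:  # a SAML message never needs a DTD
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:  # property set to "No": the IdP picks the method
        return {"mode": "idp-decides", "refs": [], "comparison": None}
    refs = [(e.text or "").strip()
            for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    mode = "windows" if WINDOWS in refs else "forms" if FORMS in refs else "other"
    return {"mode": mode, "refs": refs,
            "comparison": rac.get("Comparison", "exact")}


def build_sample(class_ref=None):
    """Constructed AuthnRequest, encoded the way the redirect binding sends it."""
    ctx = ""
    if class_ref:
        ctx = ('<samlp:RequestedAuthnContext Comparison="exact">'
               f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
               "</samlp:RequestedAuthnContext>")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           'ID="_constructed1" Version="2.0" '
           f'IssueInstant="2020-01-01T00:00:00Z">{ctx}</samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return base64.b64encode(raw).decode()
```

A result of "forms" with comparison "exact" means the request itself asks for the credential form; "windows" or "idp-decides" leaves the remaining behaviour to the IdP and browser configuration.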


Thank you everyone. I have already tried the link you guys have sent. Our ADFS person is saying you have to log in once.