SSO and windows authentication

‎08-13-2015 09:01 AM
Hi,
We have enabled Multiple Provider SSO and applied the settings from this link, "Configuring ADFS 2.0 to Communicate with SAML 2.0 - ServiceNow Wiki", to do Windows authentication.
This shows the company's login page once, to enter the AD user name and password. After that it remembers the login credentials and does not show the login page again; it automatically logs in every time you access the SNOW instance.
Is it possible to get rid of the login page even the first time? I mean, when a user logs into his desktop/laptop, it takes the login info from there and automatically logs in when he accesses the SNOW instance.
Thanks.
Labels: Integrations
‎02-16-2016 01:06 AM
Dear David,
Could you please explain in a bit more detail how the instance should be configured in order to redirect users immediately to ADFS?
I'm wondering this because we have configured everything on the ADFS side and enabled external authentication in the Multiple SSO plugin properties, but in order to be redirected to ADFS for collecting credentials, users need to choose the "External authentication" link first, then input their e-mail address, and only after that does the ADFS login page appear.
Your help on this matter is highly appreciated.
‎02-16-2016 04:22 AM
Hi Ivan,
If you only have 1 identity provider configured, you can configure the primary IdP property. This will automatically redirect users to that IdP (your ADFS) when configured. If you have multiple IdPs configured, you cannot configure this property, as users from another IdP would not be able to log in.
Multiple Provider Single Sign-On - ServiceNow Wiki
See section 3.2.1
Thanks,
David
‎02-17-2016 08:36 PM
Dear David,
Indeed, when I added glide.authenticate.sso.redirect.idp as a new system property pointing to my single IdP, it redirects all unauthenticated users to the IdP, and depending on the AuthnContextClassRef method values I can now achieve LDAP authentication by login and password, or Kerberos SSO without an additional authentication request. Thank you very much for helping!
The other thing I would also like to confirm is that Kerberos authentication is working fine with IE and the IdP URL added to the trusted zone. The question I have is: do you know of some possible way to achieve the same transparency using any other browser: Chrome, Mozilla, Opera?
Cheers!
‎02-18-2016 04:33 AM
Hi Ivan,
Glad that helped. Other browsers don't support the EAP features of Windows. You can turn off this feature in ADFS, which should allow native Windows authentication with the other browsers. Turning this off leaves ADFS more vulnerable to man-in-the-middle attacks.
Here's the documentation for turning this feature off:
Configuring Advanced Options for AD FS 2.0
Best regards,
David
‎04-26-2016 09:45 PM
Hi David,
There is quite an interesting EAP link here, relating to an issue using Fiddler:
AD FS 2.0: Continuously Prompted for Credentials While Using Fiddler Web Debugger
Symptoms