
08-07-2017 09:33 PM
G'Day fantastic people.
So I have done a few implementations with customers establishing SSO via the customers ADFS and the ServiceNow SAML connection.
And what happens is:
1. If the customer is on the internal customer network, browsing to the instance takes them straight to the instance, because their network email is the same as in SN;
2. If the customer is remote (i.e. not on the network), then they are presented with the ADFS Sign-in Page, where they select what they want to connect to, being the name of the instance, followed by their network credentials. Hit OK and they are into their instance.
This is all great.
However, this time, no matter what I try, the customer will ALWAYS end up at the ADFS login page. They can select the instance, pop in some credentials (network), and they are in. But for users on the internal network, I want this to bypass the ADFS screen and, assuming their emails match, let them in.
I have used the URL that allows me to hard code the service I want to go to; that's fine... albeit it still asked me to log in at the ADFS page even if I'm already logged into the network.
[Here is the URL for reference ... https://samportal.example.com/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://company.service-n... (of course, with values changed)]
The only thing I can see different is that the customer is using ADFS 3.0, and the others ADFS 2.0.
Any ideas out there? Thanks in advance.
08-09-2017 09:22 PM
Hi Darren,
I assume it's a new ADFS server. Did you check the Authentication Policy? Image is attached:
If that's already set, you can force Windows Auth by ticking the "Create an AuthnContextClass" property and setting "AuthnContextClassRef method" to "urn:federation:authentication:windows".
08-09-2017 09:50 PM
Hi Mohamad,
Perfect. We found this issue this morning. They had nothing selected for Intranet. After checking Windows Authentication, all is now working.
Many thanks for confirming.
10-31-2017 03:28 AM
Can someone confirm what exactly should be ticked on the ADFS authentication policy side of things? We are currently trying to get SSO working with ADFS and are having issues; this is our current setup.
Should Forms Authentication on Intranet and 'Enable Device Authentication' both be ticked?
10-31-2017 04:28 PM
Hi Nabeel,
Yes, you tick this box. You said you're having issues; what issues are you seeing?
Regards,
Mohamad
10-31-2017 04:55 PM
Thanks Mohamad, appreciated.
Seeing a lot of weird and wonderful errors, to be honest. We are still trying to sort out ADFS issues before we look at SSO.
Currently, if a user logs in via https://adfs.example.com/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://company.service-now.com it works fine; however, if they use a link from an email (deep linking) or the 'external login' option on the SN homepage, it takes you to our ADFS page, but when you try to log in it gives you 'Could not validate SAML response' and then redirects you to the logged out successfully page.
We are also seeing "MSIS7075: SAML authentication request for the WebSSO profile must not specify any SubjectConfirmations." in the adfs server event logs.
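As an added illustration of the two SAML details raised in this thread (the AuthnContextClassRef value the accepted answer sets to force Windows authentication, and the Subject/SubjectConfirmation element that ADFS rejects with MSIS7075 under the WebSSO profile), here is a small Python example that builds a sample AuthnRequest and lints it for both. It is not ServiceNow or ADFS code; the issuer, ACS URL, request ID and NameID values are constructed, and the element layout is a minimal SAML 2.0 AuthnRequest, not a capture of what ServiceNow emits.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Class ref from the accepted answer: asks ADFS for integrated Windows auth.
WINDOWS_AUTH = "urn:federation:authentication:windows"


def build_authn_request(issuer, acs_url, authn_context=None, include_subject=False):
    """Build a constructed sample AuthnRequest (values are placeholders)."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id", "Version": "2.0",
        "IssueInstant": "2017-08-08T00:00:00Z",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if include_subject:
        # Optional in SAML 2.0, but ADFS's WebSSO profile rejects a
        # SubjectConfirmation here (event log MSIS7075 in the thread).
        subj = ET.SubElement(req, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID").text = "user@example.com"
        ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                      {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    if authn_context:
        # This is what "Create an AuthnContextClass" adds to the request.
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(req, encoding="unicode")


def lint_authn_request(xml_text):
    """Report whether the request forces Windows auth and whether it carries
    a SubjectConfirmation that ADFS would refuse."""
    root = ET.fromstring(xml_text)
    ns = {"samlp": SAMLP, "saml": SAML}
    refs = [e.text for e in root.findall(
        "samlp:RequestedAuthnContext/saml:AuthnContextClassRef", ns)]
    return {
        "requests_windows_auth": WINDOWS_AUTH in refs,
        "authn_context_refs": refs,
        "has_subject_confirmation":
            root.find("saml:Subject/saml:SubjectConfirmation", ns) is not None,
    }
```

Run `lint_authn_request` over a request captured from your own SP (for example, the SAMLRequest parameter after base64/inflate decoding) to see which of the two conditions applies before changing the ADFS policy.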