ADFS SSO and Passthrough Authentication (SAML Multifactor Authentication)

darreneverett
Mega Expert

G'Day fantastic people.

So I have done a few implementations with customers establishing SSO via the customer's ADFS and the ServiceNow SAML connection.

And what happens is:

        1. If the customer is on the internal customer network, browsing to the instance takes them straight to the instance, because their network email is the same as in SN;

        2. If the customer is remote (i.e. not on the network), then they are presented with the ADFS Sign in Page, where they select what they want to connect to, being the name of the instance, followed by their network credentials.   Hit OK and they are into their instance.

                            This is all great.

However, this time, no matter what I try, the customer ALWAYS ends up at the ADFS login page.   They can select the instance, pop in some credentials (network), and they are in.   But for users on the internal network, I want this to bypass the ADFS screen and, assuming their emails match, let them in.

I have used the URL that allows me to hard code the service I want to go to, that's fine....   although it still asks me to log in at the ADFS page even if I'm already logged into the network.

[Here is the URL for reference ...     https://samportal.example.com/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://company.service-n...         (of course, with values changed)]

The only thing I can see different is that the customer is using ADFS 3.0, and the others ADFS 2.0.

Any ideas out there?   Thanks in advance.

1 ACCEPTED SOLUTION

Hi Darren,



I assume it's a new ADFS server. Did you check the Authentication Policy? Image is attached:

[image: adfs-auth.jpg]

If that's already set, you can force the Windows Auth by ticking the "Create an AuthnContextClass" property and setting "AuthnContextClassRef method" to "urn:federation:authentication:windows".


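The two checks the accepted answer describes, as an added example that is not part of the original thread or of ServiceNow's or Microsoft's documentation. The first part inspects and, if needed, corrects the ADFS global authentication policy on the ADFS server; the second builds a SAML AuthnRequest of the shape ServiceNow sends once "Create an AuthnContextClass" is ticked, encodes it the way the HTTP-Redirect binding does, and decodes it again so you can read the requested context back out of a captured SAMLRequest parameter. Hostnames, URLs, IDs and timestamps in the sample request are assumptions; the cmdlets are the standard ADFS module ones on Windows Server 2012 R2.

```powershell
# Added example, not code from the thread. Run on the ADFS 3.0 server as an ADFS admin.
Import-Module ADFS

# --- Check 1: global authentication policy ----------------------------------
# ADFS only skips the sign-in form for intranet clients when WindowsAuthentication
# is an intranet primary provider. A forms-only intranet policy reproduces the
# symptom in the original post.
$policy = Get-AdfsGlobalAuthenticationPolicy
"Intranet providers : $($policy.PrimaryIntranetAuthenticationProvider -join ', ')"
"Extranet providers : $($policy.PrimaryExtranetAuthenticationProvider -join ', ')"

if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication') `
        -PrimaryExtranetAuthenticationProvider @('FormsAuthentication')
}

# Caveat: ADFS attempts Windows auth only for browsers whose User-Agent matches
# this list; anything else gets the forms page even on the intranet.
"WIA user agents    : $((Get-AdfsProperties).WIASupportedUserAgents -join ', ')"

# --- Check 2: what ServiceNow actually asks for ------------------------------
# The SAMLRequest query parameter is raw DEFLATE-compressed, then base64-encoded.
function ConvertTo-SamlRedirectParam([string]$Xml) {
    $raw = [Text.Encoding]::UTF8.GetBytes($Xml)
    $ms  = New-Object IO.MemoryStream
    $ds  = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Compress)
    $ds.Write($raw, 0, $raw.Length)
    $ds.Close()
    [Convert]::ToBase64String($ms.ToArray())
}

function ConvertFrom-SamlRedirectParam([string]$Param) {
    # Accepts the value as it appears in the redirect URL (URL-encoded or not).
    $bytes = [Convert]::FromBase64String([Uri]::UnescapeDataString($Param))
    $ms = New-Object IO.MemoryStream(,$bytes)
    $ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Decompress)
    (New-Object IO.StreamReader($ds, [Text.Encoding]::UTF8)).ReadToEnd()
}

function Get-RequestedAuthnContext([string]$Xml) {
    [xml]$doc = $Xml
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $node = $doc.SelectSingleNode('/samlp:AuthnRequest/samlp:RequestedAuthnContext/saml:AuthnContextClassRef', $ns)
    if ($node) { $node.InnerText } else { '(none: AuthnContextClass not requested)' }
}

# Constructed sample of the request shape; instance URL, ID and time are made up.
$authnRequest = @'
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example0001" Version="2.0" IssueInstant="2015-01-01T00:00:00Z"
    Destination="https://samportal.example.com/adfs/ls/"
    AssertionConsumerServiceURL="https://instance.example.com/navpage.do">
  <saml:Issuer>https://instance.example.com</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
'@

$param   = ConvertTo-SamlRedirectParam $authnRequest
$decoded = ConvertFrom-SamlRedirectParam $param
"Requested context  : $(Get-RequestedAuthnContext $decoded)"
```

To check a live instance, copy the SAMLRequest value from the redirect to /adfs/ls/ in the browser's developer tools and pass it to ConvertFrom-SamlRedirectParam; if Get-RequestedAuthnContext reports none, the ServiceNow side is not sending the Windows context at all, and the ADFS policy is the only thing deciding between forms and Windows auth.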


mohamadcharafed
ServiceNow Employee

Hi Nabeel,



Look at: windows server 2012 r2 - SAML authentication fails with error MSIS7075 - Server Fault


for your ADFS issue



Or you can try going to :



https://<YOUR ADFS>/federationmetadata/2007-06/federationmetadata.xml



and re-import this into the ServiceNow Identity Provider settings.




Regards,


Mohamad
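A way to do the comparison Mohamad suggests without clicking through the ServiceNow import, added here as an example and not code from the thread or from ServiceNow: pull the entity ID, SSO/SLO endpoints, NameID formats and signing certificate thumbprints out of the ADFS federation metadata and compare them with what the Identity Provider record holds. The function accepts the live document from the metadata URL in Mohamad's reply; the sample fed to it below is constructed, and its hostname and certificate bytes are placeholders rather than a real ADFS.

```powershell
# Added example, not code from the thread.
function Get-AdfsIdpSettings {
    param([Parameter(Mandatory)][string]$MetadataXml)

    [xml]$doc = $MetadataXml
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $idp = $doc.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor in metadata; is this the ADFS metadata URL?' }

    # Signing certificate(s): the thumbprint is SHA-1 over the DER bytes, which is
    # what both the ADFS console and the ServiceNow IdP record display.
    $signing = foreach ($kd in $idp.SelectNodes('md:KeyDescriptor[@use="signing"]', $ns)) {
        $b64  = $kd.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText -replace '\s', ''
        $der  = [Convert]::FromBase64String($b64)
        $sha1 = [Security.Cryptography.SHA1]::Create().ComputeHash($der)
        ($sha1 | ForEach-Object { $_.ToString('X2') }) -join ''
    }

    # Endpoints keyed by binding name (HTTP-Redirect, HTTP-POST, ...).
    $sso = @{}
    foreach ($svc in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
        $sso[$svc.Binding.Split(':')[-1]] = $svc.Location
    }
    $slo = @{}
    foreach ($svc in $idp.SelectNodes('md:SingleLogoutService', $ns)) {
        $slo[$svc.Binding.Split(':')[-1]] = $svc.Location
    }

    [pscustomobject]@{
        EntityId           = $doc.EntityDescriptor.entityID
        SsoRedirectUrl     = $sso['HTTP-Redirect']
        SsoPostUrl         = $sso['HTTP-POST']
        SloRedirectUrl     = $slo['HTTP-Redirect']
        SigningThumbprints = @($signing)
        NameIdFormats      = @($idp.SelectNodes('md:NameIDFormat', $ns) | ForEach-Object InnerText)
    }
}

# Live ADFS (hostname assumed):
#   $xml = (Invoke-WebRequest -Uri 'https://samportal.example.com/federationmetadata/2007-06/federationmetadata.xml' -UseBasicParsing).Content
# Constructed sample; the X509Certificate value is placeholder base64, not a real certificate.
$sample = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://samportal.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIICAgEBAgEA</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samportal.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samportal.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samportal.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

Get-AdfsIdpSettings -MetadataXml $sample | Format-List
```

The EntityId is what goes in the Identity Provider record's issuer field, the SSO URL is the HTTP-Redirect location, and the thumbprint should match the certificate attached to the record; a mismatch in any of these, or a NameID format the instance does not expect, is the kind of thing a re-import silently fixes.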


Thanks! Managed to get ADFS working; it turns out 'Transforming an Incoming Claim' was misconfigured.



Can I just finally ask, for ADFS SSO, which installation exit should be enabled? Is it 'SAML2SingleSignon_update1'?



Thanks again


Hi Nabeel




I could not find a good answer regarding installation exits, their configuration, and system properties.


If you find out, please post here.   Thanks.



Darren


mohamadcharafed
ServiceNow Employee

Hi Nabeel



This depends which SSO you are using. Do you have Multi Provider SSO plugin installed ?



To check, please go to Activate Multi-Provider SSO plugin



I recommend using this plugin as it has all the latest updates.



You should see the installation exits below once you actually enable SSO under Multi-Provider SSO -> Administration -> Properties:



MultiSSO


MultiSSOLogin


MultiSSOLogout



Let me know if you see these.



Regards,


Mohamad