Is my Office 365 ADFS SSO working properly?

Question

We have Office 365 hosted by an MSP. Included in this service is an ADFS server for SSO.

The SSO have never really worked properly, so i'm going to contact them and about it. But before I do so, I just wanted to make sure that it isn't working as intended.

When i go to portal.office.com and type in my username+upn and click in the password field I get redirected to another login screen (see image below, its in Swedish, but you should get the jist).

After I authenticate on that screen I get into the portal.

If I logout and then in again I get don't get that login screen, which is perfect. But if i close IE, open it again and go to portal.office.com again the login prompt comes up.

Isn't the point of ADFS for it to automatically log me in using my AD credentials? In my world that login-screen should never come up. In skype for business all i have to do is type my username+upn and i get logged in for instance.

So my question is: Is what i explained above correct behaviour for a properly set up ADFS SSO, or is there something amiss in the configuration?

score 1 · Accepted Answer · edited Apr 13 '17 at 12:14

1

There is nothing in your explanation to suggest the ADFS is poorly configured.
And you're probably on the wrong forum, as you're an end user without access to the configuration itself... Regardless I'll try and give you an answer.

While you could use windows integrated authentication it might just be turned off on purpose.
Or a myriad of other reasons might be causing it..

Isn't the point of ADFS for it to automatically log me in using my AD credentials?

No it isn't.
The point of ADFS is to allow you to use those credentials.
Logging in automatically with browsers that support it is just a feature that can be added.

edited Apr 13 '17 at 12:14

Community

1

answered Sep 19 '16 at 10:59

Reaces

5,597
4
38
46

Sorry, should have been more clear; I am a sysadmin here, but didn't set up the 365 implementation myself. Found the culprit though so this is fixed :) – Jack Pettersson Sep 19 '16 at 11:07
@JackPettersson Np. Just glad your issue is solved. ADFS can be fickle to set up correctly. – Reaces Sep 19 '16 at 11:07

score 1 · Answer 2 · answered Sep 19 '16 at 11:19

1

Also, after you put the site as trusted in your local intranet. you can go to internet properties, scroll clear down to the bottom make sure there is a check mark "Enable Integrated Windows Authentication"

answered Sep 19 '16 at 11:19

Tom Burgoon

56
4

Was already there by default, but thanks for the tip! I also enabled the intranet site security setting: `websites in less privileged web content zone can navigate into this zone` so that users won't get prompted to allow SSO. – Jack Pettersson Sep 19 '16 at 12:06
Outstanding, im happy you got it going! – Tom Burgoon Sep 19 '16 at 13:05

score 0 · Answer 3 · answered Sep 19 '16 at 11:05

0

After doing some more research i found this TechNet article that got me onto the right track. I did not know that the ADFS Endpoint needed to be in the trusted local-intranet site list. After adding this the ADFS works flawlessly. Will make a GPO for this!

answered Sep 19 '16 at 11:05

Jack Pettersson

236
3
11

I actually linked to that very technet article a few minutes ago ;) Sorry I wasn't faster to spare you the search. – Reaces Sep 19 '16 at 11:07
Oh! Will mark your answer then, sorry! – Jack Pettersson Sep 19 '16 at 11:08
Don't worry, we're not in a race here :D – Reaces Sep 19 '16 at 11:09

Is my Office 365 ADFS SSO working properly?

3 Answers3