Adding SSO to Edge browser on ADFS 3.0

Hi all,

By default, ADFS 3.0 doesn't accept SSO on Edge browsers (and other modern browsers). To enable it, you need to configure it through PowerShell.

To list which browsers your ADFS accepts, execute the following command:

Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents

The image below shows the default configuration on ADFS 3.0. It accepts a few Microsoft platforms and browsers.

https://technet.microsoft.com/windows-server-docs/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia

edge_01

To enable other Microsoft browsers, execute the command below:

Set-AdfsProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0; Windows NT", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0; Windows NT 6", "Windows NT 6.3; Trident/7.0", "Windows NT 6.3; Win64; x64; Trident/7.0", "Windows NT 6.3; WOW64; Trident/7.0", "Windows NT 6.2; Trident/7.0", "Windows NT 6.2; Win64; x64; Trident/7.0", "Windows NT 6.2; WOW64; Trident/7.0", "Windows NT 6.1; Trident/7.0", "Windows NT 6.1; Win64; x64; Trident/7.0", "Windows NT 6.1; WOW64; Trident/7.0", "MSIPC", "Windows Rights Management Client")

Now execute the Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents command to check that the new configuration was applied successfully:

edge_02

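Use the instructions below to add Edge browsers:

# Read the current list; @() keeps it an array even if it holds a single entry
$Props = @(Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents)
$Props = $Props + "Edge/14"
$Props = $Props + "Edge/12"
# Review the new list before applying it
$Props
Set-ADFSProperties -WIASupportedUserAgents $Props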

https://blogs.msdn.microsoft.com/asiatech/2016/09/06/single-sign-on-feature-not-working-with-microsoft-edge-on-window-10/
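
The steps above combined into a re-runnable script, as an added example that is not part of the original post: it backs up the current list, appends only the Edge entries that are missing, and checks a sample Edge User-Agent against the list before and after. The helper names, the backup file name and the sample User-Agent are constructed for illustration, and the case-sensitive substring comparison is an assumption about how ADFS matches these entries.

```powershell
# Added example: helper names, backup file name and sample User-Agent are constructed.
function Test-WiaUserAgent {
    # Returns the first list entry contained in the User-Agent, or $null.
    # Assumption: matching is modelled as a case-sensitive substring test.
    param([string]$UserAgent, [string[]]$SupportedAgents)
    foreach ($token in $SupportedAgents) {
        if ($token -and $UserAgent.Contains($token)) { return $token }
    }
    return $null
}

function Merge-WiaUserAgent {
    # Returns $Current plus the entries of $ToAdd that are not already present.
    param([string[]]$Current, [string[]]$ToAdd)
    $merged = New-Object 'System.Collections.Generic.List[string]'
    foreach ($t in @($Current) + @($ToAdd)) {
        if ($t -and -not $merged.Contains($t)) { $merged.Add($t) }
    }
    return ,$merged.ToArray()
}

# Constructed sample User-Agent in the format Edge 14 sends on Windows 10.
$edgeUa = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
          '(KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393'

if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    # On the ADFS server: read the live list and keep a copy for rollback.
    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    $current | Set-Content -Path '.\WIASupportedUserAgents.backup.txt'
    $new = Merge-WiaUserAgent -Current $current -ToAdd 'Edge/12', 'Edge/14'
    # Write only when something was actually added, so re-runs change nothing.
    if ($new.Count -ne $current.Count) {
        Set-AdfsProperties -WIASupportedUserAgents $new
    }
} else {
    # Off the server: dry run against a constructed subset of the list.
    $current = @('MSIE 10.0; Windows NT 6', 'Windows NT 6.3; Trident/7.0', 'MSIPC')
    $new = Merge-WiaUserAgent -Current $current -ToAdd 'Edge/12', 'Edge/14'
}

# Show whether the sample Edge User-Agent is matched before and after the change.
'Matched before: ' + [bool](Test-WiaUserAgent $edgeUa $current)
'Matched after by entry: ' + (Test-WiaUserAgent $edgeUa $new)
```

To roll back, pass the lines of the backup file to Set-AdfsProperties -WIASupportedUserAgents.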

Regards!

Differences between basic and modern authentication with SSO on Outlook and O365

Hi,

On the project I'm working on (a staged migration to O365), the customer asked me about secure authentication for ActiveSync devices (iPhone/iPad) and computers (Outlook 2010 SP2). I have implemented ADFS 3.0.

If you use Office 2010, the first time you configure Outlook it prompts for credentials and saves them in the Windows Credential Manager. Afterwards, Outlook authenticates to Office 365 using Basic Authentication, and it is Office 365 that then goes to ADFS.

O365BasicAuth

With Outlook 2013/2016, Outlook uses Windows Authentication. It's a real SSO because it doesn't save your user credentials anywhere, and it is Outlook that goes to ADFS, not O365. It is using Modern Authentication.

MAuth

Summarizing: Use Outlook 2013 or 2016 to have a real Single Sign On.

Note 1: Outlook 2013 uses Basic Auth by default; you need to activate Modern Auth.

Note 2: The iOS built-in email client uses Basic Auth. Install and use the Outlook 2016 app.

References:

Modern Authentication:

https://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/

https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/

https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517?ui=en-US&rs=en-US&ad=US

https://blogs.office.com/2015/06/10/new-access-and-security-controls-for-outlook-for-ios-and-android/

Basic Authentication:

https://blogs.technet.microsoft.com/askpfeplat/2014/08/24/adfs-deep-dive-primer/

https://www.microsoft.com/en-us/download/details.aspx?id=28971