Follow

Configuring Active Directory to automate the login with Jostle

 

When using Active Directory you can have user authentication pass through from the network to your SSO application (Jostle® intranet), this will allow the user to only login once to their computer (network) and then access Jostle.

Please note:

  • This is only known to work for Windows machines.

  • This is only for IE, Chrome and Firefox browsers.

  • It's probably easiest to set this up with GPO to automatically push the policy to all PCs, rather than instructing each user to do it individually.

 

Here's how to set this up:

1. Make sure “Windows Authentication” is set in the AD FS Management

Go to your AD FS Management and check the “Windows Authentication” option in the Authentication Policies.

2. Set your ADFS URL as a "trusted site"

  • Open the Control Panel

  • Open Internet Options

  • Click the Security tab

  • Click the Trusted Sites green checkbox

  • Click the Sites button

  • Enter your ADFS SSO URL (eg. yourdomain.com) and the Jostle URL (https://login-prod.jostle.us)

Important: The Jostle URL must be without the “login.html” (eg, platform.jostle.us/jostle-prod/) 

3. Set Windows to automatically send the username and password through to ADFS

  • Again go Control Panel > Internet Options > Security tab > Trusted Sites green checkbox.

  • Click the Custom Level button.

  • Scroll to the bottom and select "Automatic logon with current username and password". 

4. Set your homepage using this template:

https://login-prod.jostle.us/saml/login/alias/newjostle.us?idp=http://<yourADFS domain>/adfs/services/trust

If you are not sure about the URL please contact Jostle support.

   You should be able to test in IE now.  

 

For Mozilla and Chrome, there are 2 more steps:

1. Disable the Extended Protection for Authentication. (Because Chrome and Firefox don’t support it):

      a) Login to your primary ADFS server

      b) Execute the following command to disable Extended Protection

          TokenCheck

Set-ADFSProperties –ExtendedProtectionTokenCheck None

Set-ADFSProperties -ExtendedProtectionTokenCheck None

     

2. Allow NTLM authentication for the user-agent.

      a) Execute the following command to get the current list of supported user-agents for NTLM authentication

Get-ADFSProperties | Select  -ExpandProperty WIASupportedUserAgents

Get-ADFSProperties - Select ExpandProperty WIASupportedUserAgents

b. Take all the values you received in the previous step and then add , “Mozilla/5.0″ onto the end as an allowed user-agent.

Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0",

"MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows

Rights Management Client", "Mozilla/5.0 (Windows")

Get-ADFSProperties - Select ExpandProperty WIASupportedUserAgents


     Now, you will see your automatically sign in working for Chrome.


If you test it on Firefox you will see a pop up similar to the image bellow:


To solve that, you need to configure Firefox to use Windows Integrated Authentication following these steps:

a. Open Firefox.

b. In the address bar type about:config

c. You will receive a security warning. To continue, click on "I’ll be careful, I promise".

You will see a list of preferences listed. Find the settings below and update the value to the following:   

network.negotiate-auth.delegation-uris         = yourdomain.com
network.automatic-ntlm-auth.trusted-uris     = yourdomain.com
network.automatic-ntlm-auth.allow-proxies   = True
network.negotiate-auth.allow-proxies           = True

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

2 Comments

  • 0
    Avatar
    LeeAnn Kucej

    Are these instructions for ADFS 3.0 only? I don't have the first option for ADFS 2.0. I made the changes in IIS, but I still get the secondary popup screen to plug in our windows credentials after using my email to log into Jostle.

  • 0
    Avatar
    Yasmin El Debssi

    Hi LeeAnn, I have created a support ticket for our team to review your question. Please expect a separate message from our team. Thank you! Yasmin

Please sign in to leave a comment.