When using Active Directory you can have user authentication pass through from the network to your SSO application (Jostle® intranet), this will allow the user to only login once to their computer (network) and then access Jostle.
Please note:
-
This is only known to work for Windows machines.
-
This is only for IE, Chrome and Firefox browsers.
-
It's probably easiest to set this up with GPO to automatically push the policy to all PCs, rather than instructing each user to do it individually.
Here's how to set this up:
1. Make sure “Windows Authentication” is set in the AD FS Management
Go to your AD FS Management and check the “Windows Authentication” option in the Authentication Policies.
2. Set your ADFS URL as a "trusted site"
-
Open the Control Panel
-
Open Internet Options
-
Click the Security tab
-
Click the Trusted Sites green checkbox
-
Click the Sites button
-
Enter your ADFS SSO URL (eg. yourdomain.com) and the Jostle URL (https://login-prod.jostle.us)
Important: The Jostle URL must be without the “login.html” (eg, platform.jostle.us/jostle-prod/)
3. Set Windows to automatically send the username and password through to ADFS
-
Again go Control Panel > Internet Options > Security tab > Trusted Sites green checkbox.
-
Click the Custom Level button.
-
Scroll to the bottom and select "Automatic logon with current username and password".
4. Set your homepage using this template:
https://login-prod.jostle.us/saml/login/alias/newjostle.us?idp=http://<yourADFS domain>/adfs/services/trust
If you are not sure about the URL please contact Jostle support.
You should be able to test in IE now.
For Mozilla and Chrome, there are 2 more steps:
1. Disable the Extended Protection for Authentication. (Because Chrome and Firefox don’t support it):
a) Login to your primary ADFS server
b) Execute the following command to disable Extended Protection
TokenCheck
Set-ADFSProperties –ExtendedProtectionTokenCheck None
2. Allow NTLM authentication for the user-agent.
a) Execute the following command to get the current list of supported user-agents for NTLM authentication
Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
b. Take all the values you received in the previous step and then add , “Mozilla/5.0″ onto the end as an allowed user-agent.
Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0",
"MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows
Rights Management Client", "Mozilla/5.0 (Windows")
Now, you will see your automatically sign in working for Chrome.
If you test it on Firefox you will see a pop up similar to the image bellow:
To solve that, you need to configure Firefox to use Windows Integrated Authentication following these steps:
a. Open Firefox.
b. In the address bar type about:config
c. You will receive a security warning. To continue, click on "I’ll be careful, I promise".
You will see a list of preferences listed. Find the settings below and update the value to the following:
network.negotiate-auth.delegation-uris = yourdomain.com
network.automatic-ntlm-auth.trusted-uris = yourdomain.com
network.automatic-ntlm-auth.allow-proxies = True
network.negotiate-auth.allow-proxies = True
2 Comments