Configuring Active Directory to automate the login with Jostle

When using Active Directory, user authentication can be passed through from the network to your Jostle platform (SSO application). This allows users to log in once to their computer (network) and then access Jostle without signing in again.

Please note:

  • This is only known to work for Windows machines.

  • This is only for EDGE, Chrome and Firefox browsers.

  • It's probably easiest to set this up with GPO to automatically push the policy to all PCs, rather than instructing each user to do it individually.

Windows setup

To configure this, as an admin on the Microsoft side:

1. Make sure Windows Authentication is enabled in ADFS Management. To do this, open ADFS Management and check the Windows Authentication option under Authentication Policies.

2. Set the ADFS URL as a trusted site

Go to Control Panel > Open Internet Options > Click the Security tab > Click the Trusted Sites green checkbox > Click the Sites button > Enter your ADFS SSO URL (e.g. yourdomain.com) and the Jostle URL (https://login-prod.jostle.us).

Important: Jostle URL must be without the “login.html” (https://login-prod.jostle.us).

3. Set Windows to automatically send the username and password through to ADFS

Go to Control Panel > Internet Options > Security tab > Trusted Sites green checkbox > Click the Custom Level button > Scroll to the bottom and select "Automatic logon with current username and password". 

4. Set your homepage using this template:

https://login-prod.jostle.us/saml/login/alias/newjostle.us?idp=http://<yourADFSdomain>/adfs/services/trust

    (If you are not sure about the URL please contact Jostle support at support@jostle.me.)

At this point, you should be able to test on EDGE (version 77 or later).  

For Mozilla and Chrome

For Mozilla and Chrome there are two more steps:

1. Disable the Extended Protection for Authentication. This is needed because Chrome and Firefox don’t support it:

      a) Log in to your primary ADFS server.

      b) Execute the following command to disable Extended Protection:

       Set-ADFSProperties -ExtendedProtectionTokenCheck None

2. Allow NTLM authentication for the user-agent.

a) Execute the following command to get the current list of supported user-agents for NTLM authentication:

Get-ADFSProperties | Select  -ExpandProperty WIASupportedUserAgents

b) Take all the values you received in the previous step and add "Mozilla/5.0 (Windows" to the end of the list as an allowed user-agent:

Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0 (Windows")

c) Run the Get command again to confirm the new entry is in the list:

Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents

Now you will see your automatic sign-in working for Chrome.
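As an added example (not Jostle's or Microsoft's own code), the following PowerShell applies both ADFS changes above in one idempotent script: it reads the current WIASupportedUserAgents list and appends the new entry only if it is missing, so any custom entries already on the server are kept rather than overwritten by a retyped list, and it prints the resulting state for verification. The $NewUserAgent and $EpaLevel parameter names are assumptions; the default values are the ones this article uses.

```powershell
# Added example: apply the two ADFS changes from this article idempotently.
# Run in an elevated PowerShell session on the primary ADFS server.
param(
    # Entry the article appends. "(Windows" matches the user-agent strings
    # of Chrome/Firefox on Windows without matching non-Windows clients.
    [string]$NewUserAgent = 'Mozilla/5.0 (Windows',

    # The article uses None. Allow keeps the channel-binding check for
    # clients that support Extended Protection and Require enforces it;
    # None disables the token check entirely.
    [ValidateSet('None', 'Allow', 'Require')]
    [string]$EpaLevel = 'None'
)

Import-Module ADFS -ErrorAction Stop

$before = Get-AdfsProperties

# Step 1: Extended Protection for Authentication token check.
if ($before.ExtendedProtectionTokenCheck -ne $EpaLevel) {
    Set-AdfsProperties -ExtendedProtectionTokenCheck $EpaLevel
}

# Step 2: append the user-agent only if it is not already present,
# preserving every existing entry (a hard-coded list would drop any
# custom entries previously added on this server).
$agents = @($before.WIASupportedUserAgents)
if ($agents -notcontains $NewUserAgent) {
    Set-AdfsProperties -WIASupportedUserAgents ($agents + $NewUserAgent)
}

# Verify: re-read the properties and show the effective configuration.
$after = Get-AdfsProperties
[pscustomobject]@{
    ExtendedProtectionTokenCheck = $after.ExtendedProtectionTokenCheck
    WIASupportedUserAgents       = ($after.WIASupportedUserAgents -join ', ')
} | Format-List
```

Re-running the script makes no further changes, which makes it safe to include in a configuration check that runs after ADFS farm updates.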

If you test it on Firefox you will see a pop-up similar to the image below:

To solve that, you need to configure Firefox to use Windows Integrated Authentication following these steps:

a) Open Firefox.

b) In the address bar type about:config

c) You will receive a security warning. To continue, click on "I’ll be careful, I promise".

You will see a list of preferences. Find the settings below and update each value as follows:

network.negotiate-auth.delegation-uris    = yourdomain.com
network.automatic-ntlm-auth.trusted-uris  = yourdomain.com
network.automatic-ntlm-auth.allow-proxies = True
network.negotiate-auth.allow-proxies      = True

1 Comment

    Yasmin El Debssi

    Hi LeeAnn, I have created a support ticket for our team to review your question. Please expect a separate message from our team. Thank you! Yasmin