When using Active Directory, user authentication can be passed through from the network to your Jostle platform (SSO application). This allows users to log in once to their computer (the Windows domain) and then open Jostle without signing in again.
Please note:
This is only known to work on Windows machines that are joined to the domain.
This is only for Edge, Chrome and Firefox browsers.
It is usually easiest to set this up with a GPO that pushes the settings to all PCs, rather than asking each user to configure them individually.
Windows setup
To configure this, as an admin on the Microsoft side:
1. Make sure Windows Authentication is enabled in ADFS. Open AD FS Management, go to Authentication Policies (Authentication Methods on AD FS 2016 and later), edit the primary authentication settings and tick the Windows Authentication option for the Intranet zone.
2. Add the ADFS URL and the Jostle URL as trusted sites
Go to Control Panel > Internet Options > Security tab > click the Trusted Sites green checkmark > click the Sites button > enter your ADFS SSO URL (e.g. yourdomain.com) and the Jostle URL (https://login-prod.jostle.us).
Important: the Jostle URL must be entered without "login.html" (https://login-prod.jostle.us).
3. Set Windows to automatically send the user's credentials to ADFS
Go to Control Panel > Internet Options > Security tab > Trusted Sites green checkmark > click the Custom Level button > scroll to the bottom and, under User Authentication > Logon, select "Automatic logon with current user name and password".
Note that this option applies to every site in the Trusted Sites zone, not just ADFS, so keep that zone limited to hosts that should receive the user's Windows credentials.
4. Set your homepage using this template:
https://login-prod.jostle.us/saml/login/alias/newjostle.us?idp=http://<yourADFSdomain>/adfs/services/trust
(If you are not sure about the URL please contact Jostle support at support@jostle.me.)
At this point, you should be able to test in Edge (the Chromium-based Edge, version 77 or later).
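The following PowerShell script is an added example and is not part of Jostle's article: it applies steps 2 and 3 above for the current user by writing the same registry values that Internet Options writes, so the configuration can be scripted or pushed as a GPO preference instead of being clicked through on each PC. The ADFS host name adfs.yourdomain.com is a placeholder; the Jostle host is the one given in the article.

```powershell
# Added example, not Jostle's code. Configures Trusted Sites and the
# "Automatic logon with current user name and password" option for the
# current user via the registry (what Internet Options itself writes).
# Assumption: 'adfs.yourdomain.com' stands in for your real ADFS host.

$AdfsHost   = 'adfs.yourdomain.com'      # placeholder: replace with your ADFS host
$JostleHost = 'login-prod.jostle.us'     # from the article, without /login.html

$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$TrustedSitesZone = 2   # zone numbers: 1 = Local intranet, 2 = Trusted sites

function Get-ZoneMapKey {
    param([Parameter(Mandatory)][string]$HostName)
    # The ZoneMap stores host.example.com as Domains\example.com\host. This split
    # assumes a two-label registrable domain (it would be wrong for example.co.uk).
    $labels = $HostName.Split('.')
    $key = Join-Path $ZoneMap ($labels[-2..-1] -join '.')
    if ($labels.Length -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Length - 3)] -join '.')
    }
    return $key
}

function Add-TrustedSite {
    param([Parameter(Mandatory)][string]$HostName)
    $key = Get-ZoneMapKey -HostName $HostName
    New-Item -Path $key -Force | Out-Null
    # The value name is the scheme and the data is the zone number. Only https
    # is mapped, so plain http to the same host stays untrusted.
    New-ItemProperty -Path $key -Name 'https' -Value $TrustedSitesZone -PropertyType DWord -Force | Out-Null
}

function Set-TrustedSitesAutoLogon {
    # Custom Level > User Authentication > Logon is value 1A00 of the zone key:
    #   0x00000 = Automatic logon with current user name and password (step 3)
    #   0x10000 = Automatic logon only in Intranet zone (default for Trusted sites)
    #   0x20000 = Prompt for user name and password
    #   0x30000 = Anonymous logon
    $key = Join-Path $Zones "$TrustedSitesZone"
    Set-ItemProperty -Path $key -Name '1A00' -Value 0 -Type DWord
}

function Test-TrustedSiteConfig {
    # Reads the settings back and returns $true only if every host is in the
    # Trusted sites zone and the zone's logon option is "automatic".
    param([Parameter(Mandatory)][string[]]$HostNames)
    $ok = $true
    foreach ($h in $HostNames) {
        $key  = Get-ZoneMapKey -HostName $h
        $zone = (Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue).https
        if ($zone -ne $TrustedSitesZone) {
            Write-Warning "$h is not in Trusted sites (zone value: $zone)"
            $ok = $false
        }
    }
    $logon = (Get-ItemProperty -Path (Join-Path $Zones "$TrustedSitesZone") -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($logon -ne 0) {
        Write-Warning ("Trusted sites logon option is 0x{0:X}, not automatic logon" -f [int]$logon)
        $ok = $false
    }
    return $ok
}

Add-TrustedSite -HostName $AdfsHost
Add-TrustedSite -HostName $JostleHost
Set-TrustedSitesAutoLogon
Test-TrustedSiteConfig -HostNames @($AdfsHost, $JostleHost)
```

Chrome on Windows reads the same Internet Options zone settings, which is why these steps also cover Chrome. If you deploy this through Group Policy instead, the "Site to Zone Assignment List" policy (Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page) writes the equivalent entries under the Policies\...\Internet Settings\ZoneMapKey key, and the zone's Logon option is under the same policy path's Trusted Sites Zone settings.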
For Firefox and Chrome
For Firefox and Chrome there are two more steps, both run in PowerShell on the ADFS server:
1. Disable Extended Protection for Authentication. This is needed because Chrome and Firefox do not support it. Be aware that the setting is server-wide: the channel binding check it turns off is what protects Windows authentication against credential relay (man-in-the-middle) attacks, and it is disabled for every client, not just these browsers. Treat it as a deliberate trade-off and revert it if you stop needing Chrome or Firefox SSO.
a) Log in to your primary ADFS server.
b) Run the following command in an elevated PowerShell session to disable Extended Protection:
Set-ADFSProperties -ExtendedProtectionTokenCheck None
2. Allow Windows Integrated Authentication (Kerberos/NTLM) for the browsers' user-agent.
a) Run the following command to get the current list of user-agents for which ADFS offers Windows Integrated Authentication:
Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
b) Take all the values you received in the previous step and add "Mozilla/5.0 (Windows" to the end of the list. The command replaces the whole list, so any existing entry you leave out loses Windows Integrated Authentication. The "(Windows" part limits the match to browsers running on Windows, so non-Windows clients still get the forms-based sign-in page instead of a credential prompt. Your list may differ from this example; use your own values:
Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0 (Windows")
Now you will see your automatic sign-in working for Chrome.
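As an added example (not Jostle's or Microsoft's code), the script below performs the two ADFS steps above from an elevated PowerShell session on the primary ADFS server. Unlike the fixed list in the command above, it appends the user-agent entry to whatever list is already configured, records the previous values so the change can be rolled back, and verifies the result. It assumes the ADFS PowerShell module is available on the server.

```powershell
# Added example, not from the article. Run on the primary ADFS server in an
# elevated session. Applies step 1 (Extended Protection off) and step 2
# (user-agent added) while preserving the existing user-agent list.

Import-Module ADFS

$before      = Get-AdfsProperties
$previousEpa = $before.ExtendedProtectionTokenCheck
$previousUa  = @($before.WIASupportedUserAgents)
"ExtendedProtectionTokenCheck before: $previousEpa"
"WIASupportedUserAgents before: $($previousUa -join ', ')"

# Step 1: turn off the Extended Protection (channel binding token) check.
# Chrome and Firefox do not support it. This removes the relay/MITM
# protection for every client of this farm, not only those browsers, so the
# old value is kept above for rollback.
Set-AdfsProperties -ExtendedProtectionTokenCheck None

# Step 2: append the Windows-only browser user-agent prefix if it is missing.
# "(Windows" restricts Windows Integrated Authentication to Windows clients.
# A bare "Mozilla/5.0" would match nearly every browser, including devices
# that cannot answer a Negotiate challenge and would then get a credential
# prompt instead of the forms-based sign-in page.
$uaPrefix = 'Mozilla/5.0 (Windows'
if ($previousUa -notcontains $uaPrefix) {
    Set-AdfsProperties -WIASupportedUserAgents ($previousUa + $uaPrefix)
}

# Verify both changes took effect and no existing entry was dropped.
$after = Get-AdfsProperties
$epaOk = $after.ExtendedProtectionTokenCheck -eq 'None'
$uaOk  = (@($after.WIASupportedUserAgents) -contains $uaPrefix) -and
         (@($after.WIASupportedUserAgents).Count -ge $previousUa.Count)
if (-not ($epaOk -and $uaOk)) {
    throw "ADFS properties did not apply as expected (EPA ok: $epaOk, UA ok: $uaOk)"
}

# Print the exact commands that restore the previous state.
$restoreUa = ($previousUa | ForEach-Object { "'$_'" }) -join ', '
"Rollback: Set-AdfsProperties -ExtendedProtectionTokenCheck $previousEpa"
"Rollback: Set-AdfsProperties -WIASupportedUserAgents @($restoreUa)"
```

If the user-agent change does not take effect immediately, restart the AD FS service (Restart-Service adfssrv) on each federation server. In a farm using the Windows Internal Database, the commands must be run on the primary server; secondaries pick the change up on their next sync.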
If you test it on Firefox you will see a credential pop-up similar to the image below:
To solve that, you need to configure Firefox to use Windows Integrated Authentication following these steps:
a) Open Firefox.
b) In the address bar type about:config
c) You will receive a security warning. To continue, click "Accept the Risk and Continue" (in older versions, "I'll be careful, I promise").
You will see a list of preferences. Find the settings below and update each value as follows (use the same host or domain you entered for ADFS in the Trusted Sites step):
network.negotiate-auth.delegation-uris = yourdomain.com
network.automatic-ntlm-auth.trusted-uris = yourdomain.com
network.automatic-ntlm-auth.allow-proxies = True
network.negotiate-auth.allow-proxies = True
Note that network.negotiate-auth.trusted-uris is the preference that allows Kerberos (Negotiate) sign-in to a site; network.negotiate-auth.delegation-uris goes further and also lets Firefox forward (delegate) the user's Kerberos credentials to that site, which a plain sign-in does not require. Only list the ADFS host, not arbitrary domains, since every listed site can request the user's Windows credentials.
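The script below is an added example, not part of the article, showing the same Firefox preferences delivered as a Firefox enterprise policy in the registry (the HKLM\SOFTWARE\Policies\Mozilla\Firefox layout used by Mozilla's policy templates), so they can be pushed by GPO instead of edited in about:config by each user. yourdomain.com is the placeholder from the article and stands for your ADFS host or domain. The block enables NTLM and Negotiate sign-in for the listed hosts and puts credential delegation (the delegation-uris preference above) behind a switch, because sign-in alone does not need it. Run it in an elevated session.

```powershell
# Added example, not from the article. Writes the Firefox "Authentication"
# enterprise policy to the registry. Mapping to the about:config preferences:
#   NTLM                -> network.automatic-ntlm-auth.trusted-uris
#   SPNEGO              -> network.negotiate-auth.trusted-uris   (Kerberos sign-in)
#   Delegated           -> network.negotiate-auth.delegation-uris (credential delegation)
#   AllowProxies\NTLM   -> network.automatic-ntlm-auth.allow-proxies
#   AllowProxies\SPNEGO -> network.negotiate-auth.allow-proxies
# Assumption: 'yourdomain.com' is the placeholder for your ADFS host/domain.

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Authentication'

function Set-FirefoxSiteList {
    param(
        [Parameter(Mandatory)][string]$ListName,
        [Parameter(Mandatory)][string[]]$Sites
    )
    $key = Join-Path $PolicyBase $ListName
    # Rebuild the list each run so stale entries from an earlier run do not linger.
    if (Test-Path $key) { Remove-Item -Path $key -Recurse }
    New-Item -Path $key -Force | Out-Null
    # List policies are stored as numbered string values: 1, 2, 3, ...
    for ($i = 0; $i -lt $Sites.Count; $i++) {
        New-ItemProperty -Path $key -Name "$($i + 1)" -Value $Sites[$i] -PropertyType String | Out-Null
    }
}

function Set-FirefoxWindowsAuthPolicy {
    param(
        [Parameter(Mandatory)][string[]]$TrustedSites,
        [switch]$AllowDelegation
    )
    # Sites that may receive automatic NTLM and Kerberos (Negotiate) credentials.
    Set-FirefoxSiteList -ListName 'NTLM'   -Sites $TrustedSites
    Set-FirefoxSiteList -ListName 'SPNEGO' -Sites $TrustedSites
    # Credential delegation is a broader grant than sign-in needs, so it is opt-in.
    if ($AllowDelegation) {
        Set-FirefoxSiteList -ListName 'Delegated' -Sites $TrustedSites
    }

    # Allow these credentials to flow even when traffic goes through a proxy
    # (the two allow-proxies preferences in the article).
    $proxies = Join-Path $PolicyBase 'AllowProxies'
    New-Item -Path $proxies -Force | Out-Null
    New-ItemProperty -Path $proxies -Name 'NTLM'   -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $proxies -Name 'SPNEGO' -Value 1 -PropertyType DWord -Force | Out-Null

    # Lock the preferences so users cannot widen the trusted list in about:config.
    New-ItemProperty -Path $PolicyBase -Name 'Locked' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-FirefoxWindowsAuthPolicy {
    # Reads the policy back; useful as a post-deployment check.
    $result = @{}
    foreach ($list in 'NTLM', 'SPNEGO', 'Delegated') {
        $key = Join-Path $PolicyBase $list
        $result[$list] = if (Test-Path $key) {
            (Get-Item $key).GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { (Get-ItemProperty $key).$_ }
        } else { @() }
    }
    return $result
}

Set-FirefoxWindowsAuthPolicy -TrustedSites @('yourdomain.com')
Get-FirefoxWindowsAuthPolicy
```

After the policy is in place, open about:policies in Firefox to confirm it is active, and about:config will show the corresponding network.* preferences as locked. Only the ADFS host needs to be listed; the Jostle host is a SAML service provider and never challenges the browser for Windows credentials.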