How to enable SSO for all browsers

By default, AD FS performs Windows Integrated Authentication, the silent intranet sign-in, only with Internet Explorer. However, you can easily enable it for Google Chrome, Firefox, and Edge as well.

Configuring single-sign-on

As we know, Office 365 single sign-on (SSO) between on-premises Active Directory and the cloud is typically implemented using Active Directory Federation Services (AD FS), a built-in role of the Windows Server operating system. AD FS is usually configured so that extranet logins (requests arriving through the Web Application Proxy) use forms-based authentication and intranet logins use Windows Integrated Authentication (WIA). This means that when a user signs in from a domain-joined computer on the intranet, the browser authenticates silently with Kerberos or NTLM, which is why it is called single sign-on. However, if the user signs in from the intranet with a browser that AD FS does not recognise as WIA-capable, AD FS shows the forms-based login prompt instead:

[Screenshot: AD FS forms-based login prompt shown to an unsupported browser]

By default, AD FS performs WIA only with Internet Explorer (and, in AD FS 4.0, i.e. Windows Server 2016, also Edge), because the choice between WIA and forms is made by matching the browser's User-Agent header against the WIASupportedUserAgents property of the farm. Firefox, Chrome, and Edge can easily be added to that list. Below is the script to configure WIA in AD FS 3.0 (i.e. Windows Server 2012 R2) and AD FS 4.0.

Server side configuration

Note: Run the script on every AD FS server of the farm; at the very least the AD FS service must be restarted on each node before the new setting is used.

# Save the list of currently supported browser user-agents to a variable
$browsers=Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

# Add Mozilla/5.0 user-agent to the list. Entries are matched as substrings of the
# User-Agent header, so this one matches practically every modern browser, including
# clients (phones, Macs, non-domain-joined PCs) that cannot complete Kerberos/NTLM and
# will therefore get a credential prompt instead of the forms page.
$browsers+="Mozilla/5.0"

# Apply the new list
Set-AdfsProperties -WIASupportedUserAgents $browsers

# Restart the AD FS service so the change takes effect
Restart-Service adfssrv

Note: If Firefox SSO still fails after this, the cause may be Extended Protection for Authentication (TLS channel binding), which Firefox's Negotiate/NTLM implementation has not reliably supported. The default setting, Allow, accepts clients that do not send a channel binding token, so verify that is what the farm is set to before changing anything. Setting it to None, as below, disables the check for every client and removes the defence it gives against credentials being relayed through a TLS man-in-the-middle, so treat it as a last resort and record the exception.

# Turn off Extended Protection (weakens the farm; see the note above)
Set-AdfsProperties -ExtendedProtectionTokenCheck None

# Restart the AD FS service
Restart-Service adfssrv
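The following is an added example and not part of the original post. It does two things the script above does not: it adds a narrower user-agent fragment than "Mozilla/5.0" only when it is missing, and it then probes the farm to show which clients actually receive a WIA challenge. Assumptions: sts.contoso.com is a placeholder for your federation service name, the probe is sent from inside the network straight to an AD FS server (not through the Web Application Proxy, whose requests are treated as extranet), and the shell is Windows PowerShell 5.1, where the ADFS module is loaded.

```powershell
# Added example, not from the original post. Assumes sts.contoso.com is your
# federation service name and that this runs on an AD FS server in Windows PowerShell 5.1.
$adfsHost = "sts.contoso.com"

# "Mozilla/5.0 (Windows NT" matches Chrome, Firefox and Edge on Windows but not
# phones or Macs, which cannot complete Kerberos/NTLM against the domain anyway.
$wanted = @("Mozilla/5.0 (Windows NT")

$current = @((Get-AdfsProperties).WIASupportedUserAgents)
$missing = @($wanted | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)
    Restart-Service adfssrv          # repeat on every node of the farm
}
(Get-AdfsProperties).WIASupportedUserAgents   # effective list after the change

# Send the WS-Federation sign-in request Office 365 would send, without credentials.
# A user agent that matches the list gets 401 + "WWW-Authenticate: Negotiate";
# every other client gets the forms-based sign-in page with status 200.
function Test-AdfsWia {
    param([Parameter(Mandatory)][string]$UserAgent)
    $url = "https://$adfsHost/adfs/ls/?wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline"
    try {
        $r = Invoke-WebRequest -Uri $url -UserAgent $UserAgent -UseBasicParsing -ErrorAction Stop
        $status = [int]$r.StatusCode
        $auth   = "$($r.Headers['WWW-Authenticate'])"
    } catch {
        # Windows PowerShell throws on 401; the response is still attached to the exception
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
        $status = [int]$resp.StatusCode
        $auth   = "$($resp.Headers['WWW-Authenticate'])"
    }
    [pscustomobject]@{
        UserAgent = $UserAgent
        Status    = $status
        Challenge = $auth
        WIA       = ($status -eq 401 -and $auth -match 'Negotiate|NTLM')
    }
}

# Windows Chrome and Windows Firefox contain the fragment added above; the iPhone
# user agent does not, so it is the one that should keep getting the forms page.
Test-AdfsWia "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
Test-AdfsWia "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
Test-AdfsWia "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Safari/604.1"
```

The probe deliberately sends no credentials, so it never completes the sign-in; it only reveals which branch AD FS takes for a given User-Agent, which is exactly the decision the WIASupportedUserAgents list controls. Running it before and after the change, and against a client type you do not want to challenge, is the quickest way to confirm the list is neither too narrow nor too broad.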

Client side configuration

If you are using Chrome or Edge, you don't need to do any client-side configuration, as they use the same settings as IE: Windows lets them answer the Negotiate challenge for any host in the Local Intranet zone, so the thing to check when they still prompt is that the AD FS address is in that zone (typically pushed by Group Policy). In Firefox, you need some client-side configuration if you get the following authentication prompt:

[Screenshot: Firefox authentication prompt for the AD FS server]

For Firefox, browse to about:config and add the address of your AD FS server (e.g. sts.contoso.com) to network.negotiate-auth.trusted-uris. Firefox only answers Negotiate challenges from hosts in that list; without it, the 401 from the AD FS server turns into the prompt above.

[Screenshot: about:config with network.negotiate-auth.trusted-uris set to the AD FS address]
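The following is an added example, not part of the original post, that applies the client-side trust settings for all three browser families on one Windows machine instead of clicking through about:config. Assumptions: sts.contoso.com is a placeholder for your AD FS address, the Firefox per-install policy file lives at <install dir>\distribution\policies.json (the documented location, but verify it against your Firefox deployment), and the script runs in an elevated prompt because the Firefox step writes under Program Files.

```powershell
# Added example, not from the original post. sts.contoso.com is a placeholder.
$adfsHost = "sts.contoso.com"

# 1) IE, Chrome and Edge all read the Internet Explorer zone map, so the real
#    precondition behind "no client config needed" is that the AD FS host is in
#    the Local Intranet zone (zone 1). Set it explicitly for https, current user.
$labels  = $adfsHost.Split(".")
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" +
           (($labels | Select-Object -Skip 1) -join ".") + "\" + $labels[0]
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name "https" -Value 1 -PropertyType DWord -Force | Out-Null

# 2) Firefox: the same setting as network.negotiate-auth.trusted-uris in
#    about:config, delivered as an enterprise policy so every profile gets it
#    and users cannot undo it. Firefox reads <install dir>\distribution\policies.json.
$ffInstall = Join-Path $env:ProgramFiles "Mozilla Firefox"
$ffPolicy  = Join-Path $ffInstall "distribution\policies.json"
if (Test-Path $ffInstall) {
    New-Item -Path (Split-Path $ffPolicy) -ItemType Directory -Force | Out-Null
    $policy = @{
        policies = @{
            Authentication = @{
                SPNEGO = @($adfsHost)   # hosts Firefox may answer a Negotiate challenge for
                Locked = $true          # grey the setting out in about:config
            }
        }
    }
    # WriteAllText without an encoding argument writes UTF-8 without a BOM,
    # which is what Firefox expects for policies.json.
    [IO.File]::WriteAllText($ffPolicy, ($policy | ConvertTo-Json -Depth 5))
}

# 3) Read back what was written so the result can be checked.
Get-ItemProperty -Path $zoneKey | Select-Object https
if (Test-Path $ffPolicy) { Get-Content $ffPolicy }
```

The zone-map entry is per user (HKCU) here because that is where a quick test belongs; for a fleet you would deliver the same Local Intranet mapping and the Firefox policy through Group Policy or your management tool rather than running this on each machine. Keeping the list limited to the AD FS host matters: every host you add is one more server to which the browser will hand a Kerberos ticket or an NTLM response without asking.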

And that’s it, you are ready to go. Enjoy!

About Dr Nestori Syynimaa
Dr Syynimaa works as Senior Principal Information Security Researcher at Secureworks CTU (Counter Threat Unit).
Before moving to his current position, Dr Syynimaa worked as a CIO, consultant, trainer, and university lecturer for over 20 years. He is a regular speaker in scientific and professional conferences related to Microsoft 365 and Azure AD security.

Dr Syynimaa is Microsoft Certified Expert (Microsoft 365), Microsoft Certified Azure Solutions Architect Expert, Microsoft Certified Trainer, and Microsoft MVP (Enterprise Mobility, Identity and Access & Intune).