Bypass SSO to login automatically with ADFS authentication

Enabling Windows Authentication in Active Directory Federation Services (AD FS) lets the Symphony app sign users in with the Windows credentials of their existing desktop session (single sign-on, SSO) inside your intranet, so they are not prompted for a username and password on the AD FS sign-in page.


Allow users to log in automatically to the Symphony app with AD FS Windows Integrated Authentication by following these steps:


1. In Server Manager, click Tools and then select AD FS Management


2. In the AD FS snap-in, click Authentication Policies (Figure 1):



Figure 1 Authentication Policies


3. In the Primary Authentication section, click Edit next to Global Settings (Figure 2): 



Figure 2 Edit Global Primary Authentication


Note: You can also right-click Authentication Policies and select Edit Global Primary Authentication, or select Edit Global Primary Authentication under the Actions pane.


4. In the Edit Global Authentication Policy window, select the Primary tab


5. Configure the following settings (Figure 3):


  • Authentication methods to be used for primary authentication: Select the authentication methods to offer under Extranet and Intranet. For automatic login from inside the network, Windows Authentication must be enabled under Intranet:
    • Forms Authentication: The user enters a username and password on the AD FS sign-in page; AD FS then issues an authentication ticket (cookie) for the session
    • Windows Authentication: Windows Integrated Authentication (Negotiate, i.e. Kerberos or NTLM) using the credentials of the user's current Windows logon; the password itself is never sent across the network, only a Kerberos ticket or an NTLM challenge-response
    • Certificate Authentication: Authentication with an X.509 user certificate, which lets clients and devices provisioned with user certificates access AD FS resources from the Intranet or the Extranet
    • Enable Device Authentication: Via the checkbox

Figure 3 Edit Global Authentication Policy


6. Add Chrome to the list of browsers for which AD FS performs Windows Integrated Authentication (the WIASupportedUserAgents property). AD FS only attempts WIA when the client's User-Agent header contains one of these strings; any other client falls back to Forms Authentication. The Symphony desktop client sends a Chrome-style user agent, so "Chrome" covers it as well as the Chrome browser.


7. In an elevated PowerShell session on the AD FS server, append "Chrome" to the existing list (append, do not replace, so the default entries keep working):


Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome")


8. Confirm that "Chrome" now appears in the list of WIA-supported user agents in the AD FS properties (Figure 4):


Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents



Figure 4 Windows Azure Active Directory Module For Windows PowerShell
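The following script is an added example for steps 5 to 8, not code from the Symphony page: it registers the user agent string idempotently (running it twice does not add a duplicate), reads the property back to verify, and warns if Windows Authentication is not actually enabled for the Intranet policy (the checkbox from Figure 3). The `$UserAgent` parameter and the warning messages are my own; the cmdlets are those of the AD FS PowerShell module.

```powershell
# Added example (not from the Symphony page): idempotently add a user agent
# string to WIASupportedUserAgents on an AD FS server, then verify the result.
# Run in an elevated PowerShell session on the AD FS server; the ADFS module
# is installed with the AD FS role. $UserAgent is the substring AD FS matches
# against the browser's User-Agent header (assumed default: "Chrome").
param(
    [string]$UserAgent = "Chrome"
)

Import-Module ADFS -ErrorAction Stop

# Wrap in @() so a single-entry list is still treated as an array.
$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)

if ($current -contains $UserAgent) {
    Write-Host "'$UserAgent' is already in WIASupportedUserAgents; nothing to do."
} else {
    # Append rather than replace, so the default entries (MSIE, Trident,
    # Windows Rights Management Client, ...) keep getting WIA.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $UserAgent)
    Write-Host "Added '$UserAgent' to WIASupportedUserAgents."
}

# Verify: read the property back and fail loudly if the entry is missing.
$after = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
if ($after -notcontains $UserAgent) {
    throw "WIASupportedUserAgents does not contain '$UserAgent' after the update"
}
$after

# Check that Windows Authentication is enabled for the Intranet policy
# (step 5); otherwise matching the user agent changes nothing.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains "WindowsAuthentication") {
    Write-Warning "Windows Authentication is not enabled for Intranet; see step 5."
}
```

Matching is a substring match on the User-Agent header, so "Chrome" also matches other Chromium-based browsers (Microsoft Edge, Electron apps); do not add a very generic string such as "Mozilla/5.0", which would make AD FS attempt WIA for every client, including those on the Extranet that cannot complete it.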


9. Add the AD FS host to the allow lists in the Symphony client so that it sends the user's Windows credentials to that host instead of showing the SSO sign-in form. To do this, set authServerWhitelist and authNegotiateDelegateWhitelist under the customFlags section of the Symphony.config file to the necessary SSO URL (Figure 5). Restrict both lists to your AD FS host: authServerWhitelist controls which servers receive Negotiate/NTLM credentials at all, and authNegotiateDelegateWhitelist additionally allows those servers to obtain delegated Kerberos credentials for the user, so a wildcard there would let any matching host act on your users' behalf.



Figure 5 Configuration


As an example, if the app is installed in C:\Program Files\Symphony, edit the Symphony.config file in the config sub-directory.


In that file, set authServerWhitelist and authNegotiateDelegateWhitelist to the necessary SSO URL (highlighted in red in Figure 5), where companyabc is the name of your pod. The client reads these flags at startup, so restart Symphony after saving the file.
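The following script is an added example for step 9, not code from Symphony: it edits Symphony.config in place and sets both allow lists to a single AD FS host. It assumes the file is JSON with a top-level customFlags object holding authServerWhitelist and authNegotiateDelegateWhitelist (the structure the page describes); the path default and the host name adfs.companyabc.com are placeholders for your installation and pod.

```powershell
# Added example (not from the Symphony page): set the Chromium authentication
# allow lists in Symphony.config so the client sends Negotiate (Kerberos/NTLM)
# credentials to the AD FS host. Assumptions: the file is JSON, the flags live
# under a top-level "customFlags" object as the page describes, and
# "adfs.companyabc.com" is a placeholder for your AD FS host.
# Run elevated: files under Program Files are not writable otherwise.
param(
    [string]$ConfigPath = "C:\Program Files\Symphony\config\Symphony.config",
    [string]$AdfsHost   = "adfs.companyabc.com"
)

# Refuse wildcards: the delegate list hands the user's Kerberos credentials
# to every host that matches it.
if ($AdfsHost -match '\*') {
    throw "Use the exact AD FS host name, not a wildcard, for the allow lists"
}

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "Symphony.config not found at $ConfigPath"
}
$config = Get-Content -LiteralPath $ConfigPath -Raw | ConvertFrom-Json

# Create customFlags if the installed config does not have it yet.
if (-not $config.PSObject.Properties['customFlags']) {
    $config | Add-Member -NotePropertyName customFlags -NotePropertyValue ([pscustomobject]@{})
}

# authServerWhitelist: servers that receive Negotiate/NTLM credentials.
# authNegotiateDelegateWhitelist: servers additionally allowed to obtain
# delegated (forwardable) Kerberos credentials for the user. Both are scoped
# to the one AD FS host; -Force overwrites any existing value.
$config.customFlags | Add-Member -NotePropertyName authServerWhitelist -NotePropertyValue $AdfsHost -Force
$config.customFlags | Add-Member -NotePropertyName authNegotiateDelegateWhitelist -NotePropertyValue $AdfsHost -Force

# Keep a backup, then write UTF-8 without BOM so the JSON parser accepts it.
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
$json = $config | ConvertTo-Json -Depth 10
[System.IO.File]::WriteAllText($ConfigPath, $json, (New-Object System.Text.UTF8Encoding($false)))

# Show the resulting section. Expected shape in the file:
# "customFlags": {
#     "authServerWhitelist": "adfs.companyabc.com",
#     "authNegotiateDelegateWhitelist": "adfs.companyabc.com"
# }
$config.customFlags
```

After the change, verify from a domain-joined workstation that opening Symphony no longer shows the AD FS form; if it still does, check that the user agent was added on the AD FS side (step 8) and that the host in the allow lists exactly matches the host name in the SSO URL, since Chromium matches these lists against the server name it connects to.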