We're using Azure Active Directory with Federated Authentication. This is working without a problem - but we need the ability to have users sign in with credentials other than their logged in Windows credentials.
What happens right now is
- User navigates to our web app and the Azure ADAL for JavaScript attempts to log in
- The user is redirected to https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxx&redirect_uri=xxxx&client-request-id=xxxx&x-client-SKU=Js&x-client-Ver=1.0.2&nonce=xxxx
- The user is presented with a username and password box.
- Upon entering the username (even if it is someone else's username) (as soon as focus is lost from the username textbox), the page shows
It looks like this email is used with more than one account from Microsoft. Which one do you want to use? Work or school account Work or school account Assigned by your work or school
- Upon clicking "Work or school account", the user is presented with
Redirecting We're taking you to your organization's sign-in page.
- The page redirects to the url
- The user is automatically logged in using their active Windows credentials (even if they entered a different username on the previous page).
If I navigate to the URL https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1 using a Windows session with a non-domain (local) account, I get a standard Integrated Authentication prompt
So - it seems like our ADFS server is using Integrated Windows Authentication on an IIS Website.
My question is - how can I allow the user to log in as a different domain user for the web app. Is there a special ADFS login URL I can use? And if so, how do I tell the Azure app to use that URL. Or is there a way to disable Integrated Authentication in some other way, on demand?
Thank you.
UPDATE:
I see that if I point the ADFS URL to the basic auth endpoint
https://ds1.mydomain.com/adfs/ls/auth/basic/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
I am prompted for basic authentication (exactly what I want)...so how do I tell my Azure AD or Azure AD App what login URL to use? And how can I control it conditionally?