0 votes

The project I'm working on now is Single Sign-On (SSO) via ADFS 3.0 using a SAML token (SimpleSAMLphp).

I have the following setup:

  • Windows Server 2012 R2 with AD and ADFS 3.0 as Identity Provider
  • Ubuntu web server. A test web app (PHP) with SimpleSAMLphp installed as Service Provider
  • Windows 10 client

Current status:

  • The user logs in to Windows using his/her credentials.

  • The user opens the browser and logs in to a web application. The web application redirects to the ADFS login page.

  • Log in using the same credentials used for the Windows authentication.

  • Back on the test web app page, the user should be authenticated.

Everything works fine, but how can I realize a real SSO? How do I configure things so that intranet users who log on to their Windows desktop and then open the browser (IE, Firefox and Chrome) can go to the website without typing their credentials again on an ADFS page? In other words, Windows Integrated Authentication (WIA).

Has anyone else done this with this setup before? It would be nice to share experiences and solutions. Many thanks :)


2 Answers

0 votes

You need to set up the browser to handle this.

Only IE does this by default.

A good set of rules here. Note: page down, there is more than one article.
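As an added example (not part of the answer above), this is the server-side change that lets ADFS 3.0 offer WIA to Firefox and Chrome as well as IE; run it in an elevated PowerShell on the ADFS server. The user-agent fragment and the decision to relax the Extended Protection check are assumptions you should weigh for your own farm.

```powershell
# Added example, not code from the question or answers.
# Enable Windows Integrated Authentication for non-IE browsers on ADFS 3.0
# (Windows Server 2012 R2). WIA is only offered to requests that reach ADFS
# directly from the intranet; requests arriving through the Web Application
# Proxy keep using forms authentication.

Import-Module ADFS

# 1. The allow-list of user-agent fragments ADFS will challenge with Negotiate.
#    Out of the box it only contains IE/Trident fragments, which is why only IE
#    gets silent logon.
$current = (Get-AdfsProperties).WIASupportedUserAgents
Write-Host "Current WIA user agents:" -ForegroundColor Cyan
$current

# 2. Fragments to add (assumption). "Mozilla/5.0" is the commonly used broad
#    match that covers current Firefox and Chrome; a narrower fragment such as
#    "Firefox/" limits the change to one browser family.
$toAdd = @("Mozilla/5.0")

$new = @($current)
foreach ($ua in $toAdd) {
    if ($new -notcontains $ua) { $new += $ua }
}
Set-AdfsProperties -WIASupportedUserAgents $new

# 3. Optional. Older Firefox builds do not send the channel-binding token that
#    Extended Protection expects, so their Negotiate attempt is rejected and
#    they fall back to the forms page. Setting the check to None fixes that but
#    removes ADFS's protection against credential relay to its endpoints, so
#    leave it at the default ("Allow") unless Firefox really needs it.
# Set-AdfsProperties -ExtendedProtectionTokenCheck None

# The ADFS service must be restarted for the property change to take effect.
Restart-Service adfssrv

# 4. Verify what the farm now advertises.
(Get-AdfsProperties).WIASupportedUserAgents
(Get-AdfsProperties).ExtendedProtectionTokenCheck
```

On the client side the ADFS FQDN still has to be trusted for Negotiate: IE (and Chrome on Windows, which reuses the IE zone settings) needs it in the Local intranet zone, and Firefox needs it in network.negotiate-auth.trusted-uris in about:config.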

0 votes

You need to know about the concept; this article is good for you: OAUTH2 Authentication with ADFS 3.0

And if you need to know how to read a JWT token with PHP, use this code:

function readToken($jwt_access_token){
	$separator = '.';
	if (2 !== substr_count($jwt_access_token, $separator)) {
		throw new Exception("Incorrect access token format");
	}
	list($header, $payload, $signature) = explode($separator, $jwt_access_token);
	// JWT segments are base64url-encoded without padding (RFC 7515):
	// map the URL-safe alphabet back to standard base64 and restore the
	// padding, otherwise base64_decode() returns garbage for '-' and '_'
	$base64url_decode = function ($data) {
		$data = str_replace(array('-', '_'), array('+', '/'), $data);
		$data = str_pad($data, strlen($data) + (4 - strlen($data) % 4) % 4, '=');
		return base64_decode($data);
	};
	$decoded_signature = $base64url_decode($signature);
	// The header and payload are signed together
	$payload_to_verify = $header . $separator . $payload;
	// Note: this function only reads the payload. $decoded_signature is not
	// checked against $payload_to_verify here, so the claims must not be
	// trusted until the signature has been verified with the issuer's key.
	// output the JWT Access Token payload (a JSON string)
	return $base64url_decode($payload);
}