How to enable SSO for all browsers

blog

How to enable SSO for all browsers

By default, AD FS only supports SSO with Internet Explorer. However, you can easily enable support for Google Chrome, Firefox, and Edge.

Configuring single-sign-on

As we know, Office 365 single-sign-on (SSO) between the on-premises and cloud is (typically) implemented using Active Directory Federation Services (AD FS). AD FS is a built-in service of Windows Server operating system. Typically AD FS is configured so that the extranet login is handled by forms-based authentication and intranet by Windows Integrated Authentication (WIA). This means that when a user is logging in from a domain joined computer in intranet, the browser logs in automatically (that’s why it is called single-sign-on). However, if user is logginh in from intranet using a browser which is not supported in AD FS, user will get the login prompt:

alt text

By default, AD FS is configured to perform WIA only with Internet Explorer. Luckily this can be easily changed to support also Firefox, Chrome, and Edge (Edge is supported by default in AD FS 4.0, i.e. Windows Server 2016). Below is the script to configure WIA in AD FS 3.0 (i.e. Windows Server 2012 R2) and AD FS 4.0.

Server side configuration

Note: The script needs to be run on all AD FS servers of AD FS farm.

# Save the list of currently supported browser user-agents to a variable
$browsers=Get-AdfsProperties | Select -ExpandProperty WIASupportedUseragents

# Add Mozilla/5.0 user-agent to the list
$browsers+="Mozilla/5.0"

# Apply the new list
Set-AdfsProperties -WIASupportedUseragents $browsers

# Restart the AD FS service
Restart-Service adfssrv

Note: If you have problems with the Firefox SSO, you might need to turn off AD FS Extended Protection using the following script.

# Turn off Extended Protection
Set-ADFSProperties ExtendedProtectionTokenCheck None

# Restart the AD FS service
Restart-Service adfssrv

Client side configuration

If you are using Chrome or Edge, you don’t need to do any client side configuration as it is using same settings than IE. In Firefox, you need to do some client side configuration if you got the following authentication prompt:

alt text

For Firefox, you need to browse to about:config and add the address of your AD FS server (e.g. sts.contoso.com) to network.negotiate-auth.trusted-uris.

alt text

And that’s it, you are ready to go. Enjoy!

Dr Nestori Syynimaa (@DrAzureAD) avatar
About Dr Nestori Syynimaa (@DrAzureAD)
Dr Syynimaa works as Principal Identity Security Researcher at Microsoft Security Research.
Before his security researcher career, Dr Syynimaa worked as a CIO, consultant, trainer, and university lecturer for over 20 years. He is a regular speaker in scientific and professional conferences related to Microsoft 365 and Entra ID (Azure AD) security.

Before joining Microsoft, Dr Syynimaa was Microsoft MVP in security category and Microsoft Most Valuable Security Researcher (MVR).