Supporting FORMS authentication for ADFS in Android applications

Scenario with ADFS Authentication

Recently I came across this scenario where an application was using ADFS for authentication. The administrator had configured Windows Integrated Authentication as well as Forms Authentication as authentication policies. But when the user accessed the Android application, passive authentication through the Android webview browser fails because it redirects to the Windows Integrated Authentication URL instead of Forms Authentication. As the webview browser does not support WIA.

Android Phone

A solution to configure ADFS

Most organizations when using Active  Directory Federation Services (ADFS), use windows integrated authentication for their intranet. This helps users in their networks to enter credentials only once. Most browser-based applications provide a seamless experience to users without asking them to enter credentials again.

However, in this scenario, a user was trying to access an android application that equally needs passive authentication with an android webview browser. But android webview browser does not support WIA that results in authentication failure.

In such a scenario, ADFS should fall back to FORMS authentication and redirect the user to the login form. ADFS for windows server provides a simple configuration trick for authentication to fall back to FORMS.

  1. WIASupportedUserAgentString property of Set-ADFSProperties command
  2. WindowsIntegratedFallbackEnabled property of Set-AdfsGlobalAuthenticationPolicy command

Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true

WIASupportedUserAgentString gives the user agents that support WIA. If the component of the user agent string does not match any of the components of the user agent strings that are configured in WIASupportedUserAgentString property, ADFS will fall back to providing forms-based authentication, provided WindowsIntegratedFallbackEnabled flag is set to true.

Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents

MSIE 6.0

MSIE 7.0; Windows NT

MSIE 8.0

MSIE 9.0

MSIE 10.0; Windows NT 6

MSIE 11.0; Windows NT 10

Windows NT 6.3; Trident/7.0

Windows NT 6.3; Win64; x64; Trident/7.0

Windows NT 6.3; WOW64; Trident/7.0

Windows NT 6.2; Trident/7.0

Windows NT 6.2; Win64; x64; Trident/7.0

Windows NT 6.2; WOW64; Trident/7.0

Windows NT 6.1; Trident/7.0

Windows NT 6.1; Win64; x64; Trident/7.0

Windows NT 6.1; WOW64; Trident/7.0

Windows NT 10.0; Trident/7.0

Windows NT 10.0; Win64; x64; Trident/7.0

Windows NT 10.0; WOW64; Trident/7.0

MSIPC

In this particular case, we removed Safari and Chrome from the list of user-agent strings, that’s when the authentication for application worked through passive authentication.

Conclusion

In conclusion, I showed in this post how to use FORMS authentication with ADFS for an android application. If you enjoyed this post, subscribe to my blog.

References

  1. Configuring Forms based authentication
  2. Forms based authentication