Scenario with ADFS Authentication
Recently I came across a scenario where an application used ADFS for authentication. The administrator had configured both Windows Integrated Authentication (WIA) and Forms Authentication as authentication policies. But when a user opened the Android application, passive authentication through the Android WebView browser failed: ADFS sent the WebView to the Windows Integrated Authentication endpoint instead of Forms Authentication, and the WebView browser does not support WIA.
A solution to configure ADFS
Most organizations that use Active Directory Federation Services (ADFS) enable Windows Integrated Authentication for their intranet. Users on the corporate network then enter their credentials only once, and most browser-based applications give them a seamless experience without prompting again.
In this scenario, however, the user was accessing an Android application that also relies on passive authentication, through an Android WebView browser. The WebView browser does not support WIA, so authentication fails.
In such a scenario ADFS should fall back to forms authentication and redirect the user to the login form. ADFS on Windows Server provides a simple configuration for this fallback, controlled by two settings:
the WIASupportedUserAgents property, set with the Set-AdfsProperties cmdlet, and the WindowsIntegratedFallbackEnabled property, set with the Set-AdfsGlobalAuthenticationPolicy cmdlet:
Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true
WIASupportedUserAgents lists the user-agent substrings that identify browsers which support WIA. If none of the configured entries occurs in the browser's User-Agent header, ADFS falls back to forms-based authentication, provided the WindowsIntegratedFallbackEnabled flag is set to true. The current list can be read with Get-AdfsProperties:
Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents
MSIE 6.0
MSIE 7.0; Windows NT
MSIE 8.0
MSIE 9.0
MSIE 10.0; Windows NT 6
MSIE 11.0; Windows NT 10
Windows NT 6.3; Trident/7.0
Windows NT 6.3; Win64; x64; Trident/7.0
Windows NT 6.3; WOW64; Trident/7.0
Windows NT 6.2; Trident/7.0
Windows NT 6.2; Win64; x64; Trident/7.0
Windows NT 6.2; WOW64; Trident/7.0
Windows NT 6.1; Trident/7.0
Windows NT 6.1; Win64; x64; Trident/7.0
Windows NT 6.1; WOW64; Trident/7.0
Windows NT 10.0; Trident/7.0
Windows NT 10.0; Win64; x64; Trident/7.0
Windows NT 10.0; WOW64; Trident/7.0
MSIPC
In this particular case, we removed Safari and Chrome from the list of user-agent strings; that is when passive authentication for the application worked.
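The whole procedure, as an added example that is not part of the original post: a PowerShell function that reproduces the user-agent check ADFS performs, run against a constructed Android WebView header and a constructed IE 11 header with and without the Chrome and Safari entries, followed by the two cmdlets that apply the change. It assumes that ADFS treats each configured entry as a plain, case-sensitive substring of the User-Agent header (the post does not spell out the matching rule), and it must be run in an elevated PowerShell session on the primary ADFS server so that Get-AdfsProperties and the Set-* cmdlets are available.

```powershell
# Added example, not code from the original post. Assumption: ADFS accepts a
# browser for WIA when any entry of WIASupportedUserAgents occurs as a
# case-sensitive substring of the User-Agent header.

function Test-WiaUserAgent {
    # Returns $true when any configured entry appears inside the UA header,
    # i.e. when ADFS would challenge with WIA instead of showing the forms page.
    param(
        [Parameter(Mandatory)] [string]   $UserAgent,
        [Parameter(Mandatory)] [string[]] $WiaSupportedUserAgents
    )
    foreach ($entry in $WiaSupportedUserAgents) {
        if ($UserAgent.IndexOf($entry, [System.StringComparison]::Ordinal) -ge 0) {
            return $true
        }
    }
    return $false
}

# Constructed sample headers: a domain-joined IE 11 desktop and an Android WebView.
$ie11Ua    = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
$webViewUa = 'Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36'

# The list as it looked when the WebView failed: the configured entries plus
# "Chrome" and "Safari", which an administrator typically adds to give desktop
# Chrome single sign-on. Both words also occur in every Android WebView header.
$before = @((Get-AdfsProperties).WIASupportedUserAgents) + @('Chrome', 'Safari')
$after  = @($before | Where-Object { $_ -notin @('Chrome', 'Safari') })

# Dry run: which browser would be sent to WIA under each list?
"WebView with Chrome/Safari entries : " + (Test-WiaUserAgent -UserAgent $webViewUa -WiaSupportedUserAgents $before)
"WebView after removing them        : " + (Test-WiaUserAgent -UserAgent $webViewUa -WiaSupportedUserAgents $after)
"IE 11 after removing them          : " + (Test-WiaUserAgent -UserAgent $ie11Ua    -WiaSupportedUserAgents $after)

# Apply the change. The fallback flag is what turns a non-matching browser
# into a forms login; the trimmed list is what makes the WebView non-matching.
Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $true
Set-AdfsProperties -WIASupportedUserAgents $after
```

The WebView header matches only through the Chrome and Safari entries, so it is treated as WIA-capable with $before and receives the forms page with $after, while the IE 11 header still matches its Trident entry and keeps single sign-on. The trade-off is that desktop Chrome on the intranet also loses single sign-on once those entries are gone; if that matters, replace them with a substring that occurs in the desktop Chrome header but not in the Android one.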
Conclusion
In this post I showed how to make ADFS use forms authentication for an Android application. If you enjoyed this post, subscribe to my blog.