Close this search box.

ADFS SSO web browsers

When you implement ADFS 3.0 with Office365 to have single sign-on for your users, it becomes quite frustrating to have to re-enter your password credentials with Chrome, Firefox, Safari,… . For this to work with your new ADFS 3.0 infrastructure, you will need to change two variables in your configuration WIASupportedUserAgents and ExtendedProtectionTokenCheck. Indeed, some browsers, such as Firefox, Chrome, and Safari, do not support extended authentication protection – a protection that allows them to be used across the Windows platform to protect users from man-in-the-middle attacks. To prevent this type of attack from happening, the default setting of ADFS is $true. In order to allow other browsers to authenticate without asking you for your login and password, you need to remove this security. If you want to allow your users to authenticate without having a Windows prompt, follow the steps below

1. Disable extended protection on each of your ADFS servers

PS C:\Users\John> Set-ADFSProperties -ExtendedProtectionTokenCheck None

2. Then add the necessary agents. In yellow you will find the new agents for Firefox/Chrome and Safari.

PS C:\Users\John> Set-ADFSProperties -WIASupportedUserAgents @(“MSIE 6.0″, “MSIE 7.0″, “MSIE 8.0″, “MSIE 9.0″, “MSIE 10.0″, “Trident/7.0″, “MSIPC”, “Windows Rights Management Client”, “Mozilla/5.0″, “Safari/6.0″, “Safari/7.0″)

3. Finally, restart the ADFS service on all your servers:

PS C:\Users\John> Net Stop ADFSSRV
PS C:\Users\John> Net Start ADFSSRV

To test if this works, open a browser other than internet explorer and log into your Office 365 portal. You should not get any messages asking you to authenticate if you are logged in as an active user in Office365.

Want to migrate or connect your phone system to Teams?

Write to me and let's keep in touch!


Formulaire de contact

Discutons ensemble de vos projets


Contact form

Let's discuss your projects together