When you implement ADFS 3.0 with Office365 to have single sign-on for your users, it becomes quite frustrating to have to re-enter your password credentials with Chrome, Firefox, Safari,… . For this to work with your new ADFS 3.0 infrastructure, you will need to change two variables in your configuration WIASupportedUserAgents and ExtendedProtectionTokenCheck. Indeed, some browsers, such as Firefox, Chrome, and Safari, do not support extended authentication protection – a protection that allows them to be used across the Windows platform to protect users from man-in-the-middle attacks. To prevent this type of attack from happening, the default setting of ADFS is $true. In order to allow other browsers to authenticate without asking you for your login and password, you need to remove this security. If you want to allow your users to authenticate without having a Windows prompt, follow the steps below
1. Disable extended protection on each of your ADFS servers
2. Then add the necessary agents. In yellow you will find the new agents for Firefox/Chrome and Safari.
3. Finally, restart the ADFS service on all your servers:
To test if this works, open a browser other than internet explorer and log into your Office 365 portal. You should not get any messages asking you to authenticate if you are logged in as an active user in Office365.