
Scenario: A user is at a generic workstation and needs to access a third-party application that is federated using ADFS 2.0. When the user accesses the website, it tries to auto-login using the generic user that is logged into the workstation. Generic users do not have access to this application.

So, we would like ADFS to try to prompt the user for their credentials. Is that possible? Can we have ADFS try to auto-login and, if that doesn't work, then prompt?

Thanks! GK

1 Answer


Can we have ADFS try to autologin, if it doesn't then prompt?

No, you don't have this type of fallback mechanism with ADFS. Moreover, "autologin" is actually working correctly here. The problem is that your users are not authenticated using the account you want. I see two options:

  1. You tell your users to do "Shift + Right-click + Run as a different user" on the IE shortcut -> they open IE using their own credentials -> ADFS will authenticate them using their account, not the generic account.

  2. When your third-party app redirects the user to ADFS, it must add an additional parameter in the query string: wauth=urn:oasis:names:tc:SAML:1.0:am:password. This will force ADFS to use forms-based authentication, no matter what is configured in the web.config.

    The problem with this second solution is that it will impact all users. I don't know if the third-party app has a way to know whether the request is coming from a generic workstation; if yes, you may filter when you add the parameter.

Matthieu
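The second option in the answer, adding the wauth parameter to the WS-Federation sign-in redirect only for requests that come from a generic workstation, can be illustrated with the following added example. This is not code from the question, the answer, or any product; it is written here to show the filtering idea. It assumes the relying party can see the client's source address and that the shared workstations sit in known address ranges. The ADFS endpoint URL, the relying-party realm, and the subnets are placeholders constructed for the example.

```python
import ipaddress
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed passive-federation endpoint of the ADFS 2.0 farm (placeholder value).
ADFS_LS_ENDPOINT = "https://adfs.example.com/adfs/ls/"

# The wauth value quoted in the answer: tells ADFS to use forms-based
# (username/password) authentication instead of integrated Windows auth.
WAUTH_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"

# Constructed example: address ranges where the shared "generic" workstations live.
# Any request from these ranges must not be silently signed in as the generic account.
GENERIC_WORKSTATION_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def is_generic_workstation(client_ip, nets=GENERIC_WORKSTATION_NETS):
    """True if the client address falls inside one of the generic-workstation ranges.

    Unparseable input is treated as "not generic" so a malformed header never
    changes the authentication path by accident.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def build_wsfed_signin_url(realm, client_ip, wctx=None, reply=None,
                           endpoint=ADFS_LS_ENDPOINT, nets=GENERIC_WORKSTATION_NETS):
    """Build the WS-Federation passive sign-in redirect for a relying party.

    wa / wtrealm are the standard WS-Fed request parameters; wreply and wctx are
    optional. wauth is appended only when the request originates from a generic
    workstation, so ordinary users keep integrated (silent) sign-in.
    """
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if reply:
        params["wreply"] = reply
    if wctx:
        params["wctx"] = wctx
    if is_generic_workstation(client_ip, nets):
        params["wauth"] = WAUTH_PASSWORD
    return endpoint + "?" + urlencode(params)


def query_params(url):
    """Return the query string of a URL as a flat dict (single-valued keys)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # A request from a shared workstation gets the forced password prompt...
    print(build_wsfed_signin_url("https://app.example.com/", "10.20.5.7", wctx="rm=0"))
    # ...while a request from a personal machine keeps the default behaviour.
    print(build_wsfed_signin_url("https://app.example.com/", "172.16.1.1"))
```

The client address should be taken from the TCP connection, or from a forwarding header only when the request arrived through a proxy the application explicitly trusts; otherwise a client could steer itself away from the password prompt by supplying its own header. The subnet check is a heuristic for "this is a shared machine"; if the generic accounts themselves can be recognised some other way, that signal can replace or supplement it.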