
So we're working to implement SSO. We are using an Active Directory Federation Server to 'tell' our website that a user is logged in via his Windows machine.

So the flow is like this:

1. http://ourwebsite.com --> redirects to:
2. http://adfsURL.local --> will know that I am logged in to my Windows machine and passes me the token for:
3. http://ourwebsite.com --> I'm logged in now

What I fail to understand is how step 2 knows that I am logged in. It is just a URL that I go to, so a webserver catches this and then what? Does it check the IP address of the request and then check if there's a user logged in from that IP? Or do I misunderstand something else completely?

Willem Mulder

2 Answers


It uses Integrated Windows Authentication (Kerberos) - see here and here.

"Unlike Basic authentication, Integrated Windows authentication does not initially prompt for a user name and password. The current Windows user information on the client is used for Integrated Windows authentication. If the authentication exchange initially fails to authorize the user, Internet Explorer prompts the user for a Windows account user name and password, which it processes using Integrated Windows authentication. Internet Explorer prompts the user for the correct user name and password up to three times.

If, however, the user has logged on to the local computer as a domain user, then no authentication is required when the user accesses a network computer in that domain."

For this to work, the browser has to be configured correctly.

Refer: Windows Integrated AuthN.

rbrayb

So what I've found is that for URLs that are in the 'local zone' of your PC, browsers will actually support sending over login information to the server of that URL, if the server requests such information.

It's called NTLM, and browsers will use it to log in to a server using your Windows 'credentials' (not your username/password but some token).

Willem Mulder
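The two answers above name the two mechanisms a browser can use behind the HTTP `Negotiate` scheme that Integrated Windows Authentication relies on: Kerberos and NTLM. The Python below is an added example, not code from either answer or from ADFS, that models the round trip (anonymous request, `401` with `WWW-Authenticate: Negotiate`, retry with `Authorization: Negotiate <token>`) and then inspects the token the way a server or a log analyst would, to tell whether the browser actually sent Kerberos or fell back to NTLM. The host `adfs.corp.local`, the intranet-zone list and the token bytes are constructed for illustration; the OIDs and the `NTLMSSP\0` signature are the real ones from the GSS-API/SPNEGO and NTLM specifications.

```python
import base64

# DER content bytes of the mechanism OIDs (without the 0x06 tag and length).
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "Kerberos", OID_NTLMSSP: "NTLM"}

# Constructed: hosts the browser treats as "Local intranet" and will send credentials to.
INTRANET_HOSTS = {"adfs.corp.local"}


def der(tag, content):
    """Encode one DER TLV (short or long form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def build_spnego_init(mechs, mech_token):
    """Build a GSS-API InitialContextToken carrying a SPNEGO NegTokenInit.
    mechs is the preference-ordered mechTypes list; mech_token is opaque here."""
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mechs))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, neg_init))


def classify_token(token):
    """Say which mechanism the decoded Authorization: Negotiate token uses."""
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLM: no SPNEGO wrapper at all. Byte 8 is the message type (1/2/3).
        return {"mechanism": "NTLM", "wrapper": "raw", "ntlm_message_type": token[8]}
    if token[:1] != b"\x60":
        return {"mechanism": "unknown", "wrapper": "none"}
    _, body, _ = read_tlv(token)
    tag, this_mech, pos = read_tlv(body)
    if tag != 0x06:
        return {"mechanism": "unknown", "wrapper": "none"}
    if this_mech in (OID_KRB5, OID_MS_KRB5):
        return {"mechanism": "Kerberos", "wrapper": "raw GSS-API"}
    if this_mech != OID_SPNEGO:
        return {"mechanism": "unknown", "wrapper": "GSS-API"}
    _, neg, _ = read_tlv(body, pos)          # [0] NegTokenInit
    _, seq, _ = read_tlv(neg)                # SEQUENCE
    _, mech_wrapper, _ = read_tlv(seq)       # [0] mechTypes
    _, mech_list, _ = read_tlv(mech_wrapper)  # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(mech_list):
        _, oid, p = read_tlv(mech_list, p)
        mechs.append(OID_NAMES.get(oid, oid.hex()))
    # The first mechType is the one the browser actually produced a token for.
    return {"mechanism": mechs[0], "wrapper": "SPNEGO", "mech_types": mechs}


def negotiate_exchange(host, browser_token):
    """Model the 401 -> Authorization: Negotiate round trip against one host.
    Returns (transcript, classification); classification is None if the
    browser refused to send credentials to that host."""
    transcript = [("C->S", "GET / HTTP/1.1", {"Host": host}),
                  ("S->C", "401 Unauthorized", {"WWW-Authenticate": "Negotiate"})]
    if host not in INTRANET_HOSTS:
        return transcript, None  # not in the intranet zone: no credentials leave the browser
    header = "Negotiate " + base64.b64encode(browser_token).decode()
    transcript.append(("C->S", "GET / HTTP/1.1", {"Host": host, "Authorization": header}))
    scheme, _, b64 = header.partition(" ")
    if scheme != "Negotiate":
        return transcript, None
    return transcript, classify_token(base64.b64decode(b64))


if __name__ == "__main__":
    # Constructed tokens: a Kerberos-first SPNEGO NegTokenInit and a raw NTLM Type 1.
    krb = build_spnego_init([OID_KRB5, OID_NTLMSSP], b"constructed-placeholder")
    ntlm1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(20)
    for host, tok in [("adfs.corp.local", krb), ("adfs.corp.local", ntlm1), ("www.example.com", krb)]:
        transcript, result = negotiate_exchange(host, tok)
        print(host, "->", result, f"({len(transcript)} messages)")
```

Reading the first mechType (or a bare `NTLMSSP` signature) in the ADFS or IIS request logs is the quickest way to confirm that clients are really getting Kerberos and not silently falling back to NTLM, which is what the browser does when it cannot obtain a ticket for the service.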