3

I am new to the ADFS/SSO world and am currently working on a feature to implement Single Sign On (SSO) using AD FS for our Java-based web application and Windows native agent.

Below are our requirements:

  1. Users should be logged in automatically (without asking for username/password) to our Windows agent if they have logged into their system using their domain credentials.
  2. The solution should work even if they are outside the corporate network.

I have been reading on the Internet but things are still confusing. I have the following questions:

  1. Will Kerberos-based authentication suit my requirement?
  2. Can it be integrated with AD FS, so that the solution will work even if the user is not in the corporate network?
  3. Or are there any other solutions? Our product is Java-based and uses the Spring framework.

Thanks in advance, Praveen

Praveen

3 Answers

3

Users should be logged in automatically

This will work if the browser is correctly configured for IWA

The solution should work even if they are outside the corporate network

No - Kerberos won't work so you have to use FBA

Can it be integrated with AD FS, so that the solution will work even if the user is not in the corporate network?

Yes - you need to install ADFS WAP as well. Use split DNS. Internal users direct to ADFS == IWA. External users direct to WAP = FBA.

Our product is Java-based and uses the Spring framework

Use Spring SAML

For desktop, you have a problem. SAML relies on browser redirects so you need an embedded browser or something. You could use OpenID Connect / OAuth (REST API) but you have tagged the question with ADFS 2.0 which has no such support.

In the Windows world (WPF, console via C# etc.), desktop connects to ADFS via WCF.

rbrayb
  • Thanks for your answer. But can I use it for windows desktop application as well? – Praveen Aug 17 '16 at 02:11
  • Okay. Can I use ADFS 3 + OAuth and achieve both web and client SSO? Are there any popular Java/Spring plug-ins for the same? – Praveen Aug 17 '16 at 05:18
  • No - ADFS 3.0 only supports OAuth for webapi and has no OpenID Connect support. You need ADFS 4.0 (Server 2016) - out in September. – rbrayb Aug 17 '16 at 18:48
2

Actually, in ADFS 2016, with Windows 10 domain joined devices, they can also be Azure AD registered. With device write back of this, there is a SSO artifact from ADFS that is integrated into Windows 10 desktop login. In this world, you will also get desktop SSO from the extranet.

SamuelD MSFT
  • Can the SSO happen without AAD? I have a similar situation: the client is a .NET application (runs on a Win7/8/10 domain-joined machine on the intranet) and the server is Java (Tomcat) on the extranet. Can I use WIF on the client and Spring SAML to make this work? – amritanshu Sep 08 '17 at 07:05
1

For your Java app, you should use spring-webmvc-pac4j for Spring MVC or j2e-pac4j with only J2E filters (or at worst: spring-security-pac4j with Spring Security) + pac4j-saml for ADFS + pac4j-oauth if you want to use the OAuth protocol + pac4j-oidc if you want to use the OpenID Connect protocol.

Using pac4j will be much easier and more consistent for supporting multiple protocols.

jleleu
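For the pac4j route this answer recommends, here is an added example (not code from the answer or from the pac4j project) wiring pac4j-saml into a Spring MVC app as a relying party of AD FS. It assumes spring-webmvc-pac4j and pac4j-saml are on the classpath; the keystore, metadata paths, SP entity ID and callback URL are placeholders.

```java
import org.pac4j.core.config.Config;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.config.SAML2Configuration;
import org.pac4j.springframework.web.CallbackController;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class AdfsSamlConfig implements WebMvcConfigurer {

    // Builds the pac4j Config with one SAML2 client pointed at AD FS.
    @Bean
    public Config pac4jConfig() {
        // Placeholder values: SP keystore (signing/decryption key), its passwords,
        // and the FederationMetadata.xml exported from the AD FS farm.
        SAML2Configuration saml = new SAML2Configuration(
                "resource:sp-keystore.jks", "keystore-pass", "key-pass",
                "resource:adfs-federationmetadata.xml");
        saml.setServiceProviderEntityId("https://app.example.com/saml"); // placeholder
        saml.setServiceProviderMetadataPath("sp-metadata.xml"); // import into AD FS as the relying party
        saml.setMaximumAuthenticationLifetime(3600); // reject stale authentication contexts
        saml.setWantsAssertionsSigned(true);        // unsigned assertions are rejected
        SAML2Client client = new SAML2Client(saml);
        // With split DNS the AD FS host name resolves to AD FS (IWA) internally
        // and to WAP (forms auth) externally; the SP configuration is the same either way.
        return new Config("https://app.example.com/callback", client); // placeholder
    }

    // Handles the SAML response POSTed back from AD FS at /callback.
    @Bean
    public CallbackController callbackController() {
        return new CallbackController();
    }

    // Protects /secure/** so an unauthenticated browser is redirected to AD FS.
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SecurityInterceptor(pac4jConfig(), "SAML2Client"))
                .addPathPatterns("/secure/**");
    }
}
```

The generated sp-metadata.xml is what you register in AD FS as the relying party trust; the desktop agent still needs a browser redirect flow (or an embedded browser) to complete this exchange, as the accepted answer notes.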