Hello all,

I have deployed Shibboleth SP v3.0.3 on the Windows platform, protecting my
Web Application hosted on IIS. The IdP is an Active Directory (AD) with ADFS
with SAML 2.0 enabled. Relying party registration has been done properly
within the IdP.

Users of my application use Windows desktops and they log in to their local
desktop using credentials belonging to the same AD domain that is
configured as the IdP for my Web Application. When the user navigates to my
application URL, the browser properly redirects to the IdP and is presented
with a username and password screen. Upon entering the correct credentials,
the user is redirected back to my application and logs in successfully.

However, my customer/user is expecting this to work such that the user
should not be prompted for credentials at the IdP once again; instead,
automatic authentication should happen based on the account the user is
logged on to the local machine with. The users' expectation is that the Windows
credentials used for the local desktop should be forwarded to the SP and IdP and an
automatic login should happen to the application.

It is a reasonable ask from the customer. But I am unable to understand how
to configure Shibboleth SP to enable this authentication flow. Any help or
pointers, based on your experience, would be of great help.

Thank you for reading through this email.
