Automatic logon using Windows AD credential without having to re-enter username and password at IdP
Prashanth Patali
patali at gmail.com
Sat Jun 27 12:36:39 UTC 2020
Hi Peter,
just updating to close this thread.
1) In the customer's domain - the issue got resolved without any change in
SP configuration. It seems like, in some cases when the user is in VPN, the
local desktop does not consider the IDP site as in the 'Local Intranet'
list. As a result, the browser does not negotiate "windows authentication"
token with the IDP resulting in the user seeing the username and password
screen. We observed this behaviour not just for my application but also the
other application which the customer had claimed to logon seamlessly. After
disconnecting and reconnecting the VPN, my application also logged on
seamlessly.
2) The other issue I described above ":2.0:status:Responder" - this was
happening only in my own internal test IDP and not with the customer's IDP.
The SSL certificate on my IDP is expired and I am not in a position to
renew at the moment. I enabled 'DEBUG' log and could observe the following
line.
2020-06-27 15:54:17 DEBUG OpenSAML.MessageDecoder.SAML2 [1] [default]: no request/response correlation cookie found
Since the cookie is missing in POST back, SP did not create a session but
instead sent the "login" redirection message - this is found in the log.
2020-06-27 15:54:17 DEBUG Shibboleth.Listener [1] [default]: dispatching message (default/Login::run::SAML2SI)
My conclusion (assumption) is:
Since the IDP is using an expired certificate, the IE browser is not setting
the Shibboleth cookie when POSTing the SAML Response back to the SP. Hence the SP
initiates a new session.
Adding SP to the Trusted Site list somehow seems to convey to the browser
to set this cookie and hence resulting in a seamless session and login.
Chrome and other browsers seem to totally reject auto logon due to the
expired certificate at IDP.
It was a long troubleshooting exercise. But your responses helped a lot to
dig this deeper.
Thank you very much. I appreciate it.
Prashanth
On Wed, Jun 24, 2020 at 11:07 PM Prashanth Patali <patali at gmail.com> wrote:
> Thank you, Peter. You have given me a lot of pointers and I will explore
> these options when I have a session with my customer tomorrow. Will get
> back with my findings. Thanks, again.
>
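The failure pattern described in the message above (a POSTed SAML response arriving at the SP without the correlation cookie, after which the SP discards it and dispatches a fresh Login) is easy to spot in a DEBUG log once you look for the two lines together. The following is an added example, not code from the thread or from the Shibboleth project: it parses SP log records of the layout seen in the two quoted lines (timestamp, level, logger, `[seq] [app]:`, message) and pairs each "no correlation cookie" record with the Login dispatch that follows it within a few seconds. The record layout is inferred from those two lines, and the sample log below is constructed for this example.

```python
"""Flag SAML responses the Shibboleth SP could not correlate to a request.

Added example (not from the thread or the Shibboleth project). The log
record layout is inferred from the two DEBUG lines quoted in the message;
the sample records below are constructed.
"""
import re
from datetime import datetime, timedelta

# One SP log record: "<ts> <LEVEL> <logger> [<seq>] [<app>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) "
    r"\[(?P<seq>\d+)\] \[(?P<app>[^\]]+)\]: (?P<msg>.*)$"
)

# Messages exactly as quoted in the thread.
NO_COOKIE_MSG = "no request/response correlation cookie found"
LOGIN_DISPATCH_MSG = "dispatching message (default/Login::run::SAML2SI)"


def parse_line(line):
    """Return a dict for one SP log record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["seq"] = int(rec["seq"])
    return rec


def find_uncorrelated_responses(lines, window_seconds=5):
    """Pair each 'no correlation cookie' record with the Login dispatch that
    follows it within window_seconds.

    Each pair is one POSTed SAML response that the SP threw away and answered
    with a new login redirect, which is what the user sees as being bounced
    back to the IdP instead of getting a session.
    """
    findings = []
    pending = None
    for rec in filter(None, map(parse_line, lines)):
        if rec["msg"] == NO_COOKIE_MSG:
            pending = rec
        elif pending is not None and rec["msg"] == LOGIN_DISPATCH_MSG:
            gap = rec["ts"] - pending["ts"]
            if gap <= timedelta(seconds=window_seconds):
                findings.append({
                    "at": pending["ts"],
                    "app": pending["app"],
                    "gap_seconds": gap.total_seconds(),
                })
            pending = None
    return findings


# Constructed sample log. Real SP logs keep each record on a single line; the
# lines quoted in the thread were only wrapped by the mail client.
SAMPLE_LOG = [
    # an ordinary SP-initiated login with no preceding cookie problem: not flagged
    "2020-06-27 15:50:02 DEBUG Shibboleth.Listener [1] [default]: "
    + LOGIN_DISPATCH_MSG,
    # the sequence from the thread: response without cookie, then a new login
    "2020-06-27 15:54:17 DEBUG OpenSAML.MessageDecoder.SAML2 [1] [default]: "
    + NO_COOKIE_MSG,
    "2020-06-27 15:54:17 DEBUG Shibboleth.Listener [1] [default]: "
    + LOGIN_DISPATCH_MSG,
    "not a log record at all",  # ignored by the parser
]


if __name__ == "__main__":
    for f in find_uncorrelated_responses(SAMPLE_LOG):
        print(f"{f['at']} app={f['app']}: SAML response arrived without the "
              f"correlation cookie; SP restarted login {f['gap_seconds']:.0f}s later")
```

Feed the script the SP's DEBUG log instead of `SAMPLE_LOG` to count how often this happens and for which application; a steady stream of findings from one client population (for example only browsers that did not trust the IdP's certificate, or only users on VPN) narrows the cause to cookie handling on the browser side rather than to the SP configuration.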