6. Single Sign-On

6.1. Overview

The “ADFS-Pro Authentication” plugin can be set to Single Sign-On mode. In this mode users do not enter any credentials on the ADFS login page; the web browser supplies them automatically. The browser can do this only for intranet users, i.e. users who are already signed in to the domain through the Windows logon screen, because it passes their existing Windows logon to ADFS via Integrated Windows Authentication. The SSO flow is common in a modern, internet-connected workplace.

6.2. Requirements

The following conditions must be met for SSO:

  • The standard login flow, where the user enters their credentials on the ADFS login page, works correctly.
  • If there is a web proxy, the client side must be configured to bypass it for the ADFS login URL.
  • The ADFS URL (e.g. http://MyDnnWebsite.com) must be added to the Local intranet zone in Internet Explorer: Internet Options > Security > Local intranet > Sites. Browsers send Windows credentials automatically only to sites in this zone, so add the exact ADFS host rather than a broad wildcard.
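The zone assignment from the last requirement, done for the current user on a single test client, as an added example that is not part of the ADFS-Pro documentation. The ADFS host name and scheme are assumptions; in a domain the same mapping is normally pushed to everyone with the "Site to Zone Assignment List" Group Policy rather than with per-user registry edits.

```powershell
# Added example (not ADFS-Pro code): put one ADFS host into the Local intranet zone for the
# current user so IE/Edge will send Windows credentials to it. Host name and scheme are assumptions.
param(
    [string]$AdfsHost = 'adfs.contoso.com',   # assumed ADFS federation service FQDN
    [string]$Scheme   = 'https'               # ADFS should only be reached over HTTPS
)

$LocalIntranetZone = 1    # zone ids: 0=My Computer, 1=Local intranet, 2=Trusted, 3=Internet, 4=Restricted
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# The zone map is keyed as Domains\<parent domain>\<remaining host labels>. This split assumes a
# two-label parent domain (contoso.com); adjust it for registrable domains such as example.co.uk.
$labels = $AdfsHost.ToLowerInvariant().Split('.')
if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$AdfsHost'" }
$parent = $labels[-2..-1] -join '.'
$sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }

$key = if ($sub) { Join-Path (Join-Path $zoneMap $parent) $sub } else { Join-Path $zoneMap $parent }
New-Item -Path $key -Force | Out-Null

# Map exactly one host and one scheme. Never map a whole parent domain or '*' into the intranet
# zone: every site it matched would then silently receive the user's Kerberos ticket or NTLM response.
New-ItemProperty -Path $key -Name $Scheme -Value $LocalIntranetZone -PropertyType DWord -Force | Out-Null

# Read the value back to confirm the mapping took effect.
$actual = (Get-ItemProperty -Path $key).$Scheme
if ($actual -ne $LocalIntranetZone) { throw "Zone mapping for $($Scheme)://$AdfsHost was not applied" }
"$($Scheme)://$AdfsHost is now in the Local intranet zone (key: $key)"
```

After running it, Internet Options > Security > Local intranet > Sites > Advanced should list the host; if the browser still prompts for credentials, check that the ADFS URL is also excluded from the proxy, as required above.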

6.3. SSO Configuration

  1. Enable SSO in the ‘ADFS-Pro Authentication’ plugin settings. Go to Admin -> Extensions -> ADFS-Pro Authentication and tick the “enable SSO” option, see the figure below.

    _images/sso_01.png

6.4. IWA & SPN

To enable Integrated Windows Authentication (IWA) on ADFS, a Service Principal Name (SPN) must be registered on the ADFS service account, so that a browser can request a Kerberos ticket for the ADFS service. Usually this step can be skipped, because IWA is already enabled on ADFS and the SPN was created when ADFS was installed. To set up the SPN manually, follow these steps:

  • Open a command prompt with “Administrator” privileges.

  • Run the following commands:

    setspn -s HTTP/<dns_name> <account_name>
    setspn -s HTTP/<adfs_server_name> <account_name>
    
  • Run the following command to verify that the SPNs are registered on the service account (listing the computer account, <adfs_server_name>$, would only show the SPNs of the machine itself, not the ones just added to the service account):

    setspn -L <account_name>
    

where:

  • <dns_name> - the fully qualified DNS name of the ADFS service, i.e. the name browsers resolve to reach ADFS,
  • <adfs_server_name> - the host name of the ADFS machine,
  • <account_name> - the domain service account under which the ADFS service runs.

Note

The HTTP portion of the SPN is correct even though HTTPS is used to access the service.

For example, if the domain name is cloudapp.net, the ADFS machine host name is W-Server12R2, and the account name is barry, the following commands create the required SPNs:

setspn -s HTTP/W-Server12R2.cloudapp.net barry
setspn -s HTTP/W-Server12R2 barry

If you use multiple ADFS servers in a federation server farm, the SPN must be registered only once, on the shared farm service account; see the Microsoft document Manually Configure a Service Account for a Federation Server Farm.
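The procedure above, as an added example that is not part of the ADFS-Pro documentation: it checks whether each SPN already exists anywhere in the forest before adding it, registers it with setspn -S (which refuses duplicates) and then verifies the result on the service account. The federation service name, host name and account name are assumptions; run it elevated on a domain-joined machine that has setspn.exe (AD DS tools) installed.

```powershell
# Added example (not ADFS-Pro code): register the two HTTP SPNs for the ADFS service account
# with a duplicate check first, then verify. All three values below are assumptions.
param(
    [string]$AdfsFqdn    = 'adfs.contoso.com',   # assumed federation service name (<dns_name>)
    [string]$AdfsHost    = 'W-Server12R2',        # assumed ADFS machine host name (<adfs_server_name>)
    [string]$ServiceAcct = 'svc-adfs'             # assumed sAMAccountName of the ADFS service account
)

# Kerberos uses the HTTP service class even though ADFS is reached over HTTPS.
$spns = @("HTTP/$AdfsFqdn", "HTTP/$AdfsHost")

# SPNs already on the service account: "setspn -L" prints them one per line, tab-indented.
$current = & setspn.exe -L $ServiceAcct | ForEach-Object { ([string]$_).Trim() }

foreach ($spn in $spns) {
    if ($current -contains $spn) {
        "$spn is already registered on $ServiceAcct, skipping"
        continue
    }
    # "setspn -Q" searches the whole forest. A duplicate SPN on another account makes the KDC
    # issue a ticket encrypted with the wrong key; the browser then fails or silently falls back
    # to NTLM. Refuse to continue rather than create that state.
    $query = & setspn.exe -Q $spn
    if ($query -match 'Existing SPN found') {
        $owner = $query | Where-Object { ([string]$_) -like 'CN=*' } | Select-Object -First 1
        throw "$spn is already registered on '$owner'. Remove it there (setspn -D) before continuing."
    }
    # -S (unlike -A) re-checks for duplicates at add time, so a race with another admin still fails safely.
    & setspn.exe -S $spn $ServiceAcct | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn $ServiceAcct failed (exit code $LASTEXITCODE)" }
}

# Verify on the service account, not on the computer account, and require both SPNs.
$registered = & setspn.exe -L $ServiceAcct | ForEach-Object { ([string]$_).Trim() }
foreach ($spn in $spns) {
    if ($registered -notcontains $spn) { throw "Verification failed: $spn is missing from $ServiceAcct" }
}
"Both SPNs are registered on $ServiceAcct"

# Final forest-wide duplicate scan; anything reported besides the summary line must be cleaned up.
& setspn.exe -X
```

The script relies on the English output strings of setspn.exe ("Existing SPN found", "CN=..."), which is an assumption about the tool's localisation. For a federation server farm, run it once against the shared farm account; running it per server would not add anything, because the SPN check skips names that are already registered on that account.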


6.5. Skip SSO

If you want to skip automatic SSO, for example to sign in as the DNN “host” or “admin” account, which exists in DNN rather than in the domain, add a special query string parameter to the login page URL: ?sso=false.

The URL can look as follows: www.MyDnn.com/login.aspx?sso=false

This query string parameter stops the “auto redirect” to ADFS and shows the DNN login form instead. Anyone can add the parameter, so the DNN login form stays reachable to every visitor; it still requires valid DNN credentials, so the password and lockout policy of the DNN accounts that are not behind ADFS matters.
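A client-side check of the behaviour described in this section, as an added example that is not part of the ADFS-Pro documentation: it requests the login page twice without following redirects and expects an HTTP redirect to the ADFS host by default and the DNN login form itself (HTTP 200) with ?sso=false. The site URL and ADFS host are assumptions, and so is the premise that the plugin redirects with an HTTP redirect response rather than with a script in the page.

```powershell
# Added example (not ADFS-Pro code): confirm that login.aspx auto-redirects to ADFS and that
# ?sso=false keeps the user on the DNN login form. Both values below are assumptions.
param(
    [string]$LoginUrl = 'https://www.MyDnn.com/login.aspx',  # assumed DNN login page
    [string]$AdfsHost = 'adfs.contoso.com'                   # assumed ADFS host the redirect should target
)

Add-Type -AssemblyName System.Net.Http   # required on Windows PowerShell 5.1, harmless on PowerShell 7

function Get-LoginResponse([string]$Url) {
    # Do not follow redirects: the point is to see the 3xx and its Location header, not the ADFS page.
    $handler = New-Object System.Net.Http.HttpClientHandler
    $handler.AllowAutoRedirect   = $false
    $handler.UseDefaultCredentials = $false   # this script never sends Windows credentials anywhere
    $client = New-Object System.Net.Http.HttpClient($handler)
    try {
        $resp = $client.GetAsync($Url).GetAwaiter().GetResult()
        $location = $null
        if ($resp.Headers.Location) {
            # Resolve a relative Location against the request URL so the host can be compared.
            $location = (New-Object System.Uri([System.Uri]$Url, $resp.Headers.Location)).AbsoluteUri
        }
        [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $location }
    } finally {
        $client.Dispose()
    }
}

$auto = Get-LoginResponse $LoginUrl
$skip = Get-LoginResponse "$LoginUrl?sso=false"

# Default: a redirect (any 3xx) whose Location is on the ADFS host.
$redirectedToAdfs = ($auto.Status -ge 300 -and $auto.Status -lt 400 -and $auto.Location -and
                     ([System.Uri]$auto.Location).Host -ieq $AdfsHost)
if (-not $redirectedToAdfs) {
    throw "Auto SSO is not active: $LoginUrl returned $($auto.Status) -> $($auto.Location)"
}

# With ?sso=false: the DNN login form itself, no redirect to ADFS.
if ($skip.Status -ne 200) {
    throw "?sso=false did not stop the redirect: got $($skip.Status) -> $($skip.Location)"
}
"Auto SSO redirects to $($auto.Location); ?sso=false serves the DNN login form"
```

Run it from a machine that can reach the DNN site; if the first check fails with a 200, either SSO is not enabled in the plugin settings or the plugin redirects from within the page, in which case inspect the response body instead of the status code.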