AD FS 3.0 "require users to provide credentials" (i.e. same sign-on rather than single sign-on) not working

active-directory adfs

We have AD FS 3.0, working well. A new Relying Party Trust has been set up – again, it works well. However, there's a business (security) requirement for Same Sign-on rather than Single Sign-On, that is, we want the user to be required to enter their credentials each time for this Relying Party.

To do this, I've configured a Custom Primary Authentication Policy for this Relying Party, with the "Users are required to provide credentials each time at sign in" box ticked.

This doesn't seem to work – users are redirected from the third-party site to our Federation Server, but are then authenticated to the third-party site without being asked to enter their credentials.

Is there something obvious I've missed? What else should I check?

Best Answer

If you are on the corporate network and using a browser deemed by AD FS to be Windows integrated authentication (WIA) capable, you will end up doing a new logon using WIA. But there won't be any end user disruption. They will use Kerberos, if configured correctly, to re-authenticate to AD FS.

If you instead were to use a browser that is not deemed WIA capable by AD FS such as Firefox/Chrome, you should see the user is prompted to enter credentials again on a forms based authentication page.

The browser's ability to do WIA is controlled using a string array called WIASupportedUserAgents. See https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-intranet-forms-based-authentication-for-devices-that-do-not-support-wia for details on how this list can be controlled.

So the apparent lack of end user interruption to enter credentials doesn't mean the "Users are required to provide credentials each time at sign in" setting isn't working.
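The two checks the answer implies, written as an added PowerShell example (not code from the answer or from Microsoft's docs) to run on the AD FS 3.0 server. The relying party name "Contoso Partner Portal" and the Firefox User-Agent string are placeholders; the substring matching in `Test-AdfsWiaUserAgent` is an approximation of how AD FS applies the list, assumed here rather than taken from the page.

```powershell
# Added example: run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$rpName = "Contoso Partner Portal"   # placeholder relying party display name

# 1. Confirm the "Users are required to provide credentials each time at
#    sign in" box actually took effect. In PowerShell it is the
#    AlwaysRequireAuthentication property of the relying party trust.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
"{0}: AlwaysRequireAuthentication = {1}" -f $rp.Name, $rp.AlwaysRequireAuthentication

if (-not $rp.AlwaysRequireAuthentication) {
    # Set it from PowerShell if the GUI change did not persist.
    Set-AdfsRelyingPartyTrust -TargetName $rpName -AlwaysRequireAuthentication $true
}

# 2. Show which User-Agent substrings AD FS treats as WIA capable. A browser
#    matching one of these re-authenticates silently with Kerberos, so a fresh
#    logon happens without any visible prompt.
(Get-AdfsProperties).WIASupportedUserAgents

# 3. Predict whether a given browser will get the silent WIA path or the
#    forms page. Assumed behaviour: case-insensitive substring match against
#    each list entry (no wildcard interpretation, hence IndexOf, not -like).
function Test-AdfsWiaUserAgent {
    param([Parameter(Mandatory)][string]$UserAgent)
    $patterns = (Get-AdfsProperties).WIASupportedUserAgents
    foreach ($p in $patterns) {
        if ($UserAgent.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

# Placeholder Firefox User-Agent: normally absent from the list, so this
# returns $false and the user would see the forms-based credential prompt.
Test-AdfsWiaUserAgent -UserAgent "Mozilla/5.0 (Windows NT 6.3; rv:38.0) Gecko/20100101 Firefox/38.0"

# Note: Set-AdfsProperties -WIASupportedUserAgents changes the list for the
# whole farm, i.e. for every relying party, not just this one. Trimming it
# forces forms authentication (and a visible prompt) for the removed browsers
# everywhere, so weigh that against the requirement for a single trust.
```

Run the function with the User-Agent of the browser your users reported; a `$true` result explains the missing prompt without indicating that the policy is broken.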