When your client machines are domain-joined and you want your SSO to be seamless, you need to use Integrated Windows Authentication (IWA). IWA will only work when your client machines can contact your internal Single Sign On Host Server either through VPN or when on the corporate network in the office.
IWA for Windows Clients
Note: Firefox requires your IWA service to use HTTPS.
- Open Firefox and navigate to about:config
Edit the following settings:
Firefox with NoScript: If your users use the popular NoScript add-in, follow these instructions to configure NoScript for IWA.
- Click the NoScript icon
- Click Options > Whitelist
- In the "Address of website" box:
  - Type <yourdomain.local> (domain of IWA server) then click Allow
  - Type "getsilo.com" (without the quotes) then click Allow
- Click Advanced > ABE > SYSTEM
- Copy this configuration into your Ruleset then click OK
See http://www.specopssoft.com/configuring-chrome-and-firefox-for-windows-integrated-authentication/ for all the details.
The simplest way to test this is with a batch script:
cd\Program Files (x86)\Google\Chrome\Application
Microsoft Internet Explorer
- Internet Options
- Local intranet
- Custom Level > scroll to the bottom of the list > ensure User Authentication Logon is set to "Automatic Logon only in Intranet Zone" > OK
From our limited testing with ADFS as the SSO IdP, it appears that Edge does IWA automatically.
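
Added example (not from the original article): for the Firefox about:config step above, this Python check reads a profile's prefs.js or user.js and reports IWA settings that are missing, on http, or not scoped to your IWA server. It assumes the standard Firefox preferences network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris; the host names and the sample file are constructed.

```python
import re
from urllib.parse import urlsplit

# Standard Firefox prefs listing the sites that get automatic Kerberos/NTLM logon.
IWA_PREFS = ("network.negotiate-auth.trusted-uris",
             "network.automatic-ntlm-auth.trusted-uris")
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;')

# Constructed sample of a profile's prefs.js (hypothetical host names).
SAMPLE = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.negotiate-auth.trusted-uris", "https://sso.yourdomain.local, .yourdomain.local");
user_pref("network.automatic-ntlm-auth.trusted-uris", "http://sso.yourdomain.local, https://");
'''


def read_iwa_prefs(text):
    """Return {pref name: [entries]} for the IWA prefs present in prefs.js text."""
    found = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) in IWA_PREFS:
            found[m.group(1)] = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return found


def audit(text, iwa_host):
    """List settings that would break IWA or send credentials beyond iwa_host."""
    prefs, problems, want = read_iwa_prefs(text), [], iwa_host.lower()
    for name in IWA_PREFS:
        entries, covered = prefs.get(name, []), False
        if not entries:
            problems.append(f"{name}: not set, no site gets automatic logon")
            continue
        for entry in entries:
            parts = urlsplit(entry if "://" in entry else "//" + entry)
            host = (parts.hostname or "").lstrip(".")
            if parts.scheme == "http":
                problems.append(f"{name}: {entry} is http, the IWA service must be https")
            if not host or "*" in host:
                problems.append(f"{name}: {entry} is not scoped to a host or domain")
            elif want == host or want.endswith("." + host):  # simplified suffix match
                covered = True
        if not covered:
            problems.append(f"{name}: no entry covers {iwa_host}")
    return problems


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "sso.yourdomain.local")))
```

Every host in these two preferences receives the user's domain credentials without a prompt, so keep the lists limited to the IWA server or its domain.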