Forum Discussion

Gurdev Singh's avatar
Gurdev Singh
Iron Contributor
Jun 22, 2018

ADFS SSO sign-in as different user

We have federation configured with Azure AD using ADFS with SSO enabled. This is working as expected. However, one slight issue for the admin team who are required to sign-in using different privileged credentials, different from their regular user account.

 

Problem is ADFS SSO is automatically signing-in the user as the account logged-into Windows. E.g. 'User runs a PowerShell command --> Authentication prompt comes-up --> user enters their privileged ID (different from their regular account) --> User enter their password --> user sign-in as their regular account rather than the privileged account they used at the sign-in screen".

 

Is there a workaround for this issue other than using a non-domain joined laptop?

  • You should be able to start PowerShell as a different user (shift+right-click or use the runas cmd). For other programs, you can disable WIA/autologin by removing the AD FS URL from the local zone.

    • gperkins's avatar
      gperkins
      Copper Contributor

      Vasil,

      You state "you can disable WIA/autologin by removing the AD FS URL from the local zone" I assume you mean using settings in the IE11 browser, and the local Intranet zone?  These are set by group policy and blocked. So going back to Gurdev's question, that implies a non-domain workgroup computer which has no group policy. Is there no other method?

       

      For example, our situation, we have many ADFS federated partner websites besides Office365. We want the locally loggedin non-privileged user to continue to have single signon to all those sites, including Office365. But also have the ability, as in Gurdev's question, to occasionally specify alternative credentials. One of the ADFS partner's allows, this, namely ServiceNow. They offer an alternate URL called side_door. That URL allows the user to specify a different user and password. Does Office 365 have a "side door" alternative URL?