
Eric Adler
Iron Contributor
Nov 21, 2016

Expected login experience with ADFS

With ADFS set up I expected that the user experience would be:

 

1. Open browser

2. Click link to Office 365 app (SharePoint, Planner, etc.)

3. App opens (user is authenticated)

 

Recently I was told that users will have to click on the login and then they will be redirected to the ADFS/SSO and logged in automatically. So there are 4 steps not 3.

 

Is that accurate?

14 Replies

  • What's displaying the links in step 2?

     

    In general, when you visit Office 365 it needs to ask you who you are in order to send you to your ADFS service; if your ADFS does an integrated login then it'll not prompt you but log you in. There are ways to avoid this step where you first need to tell Office 365 who you are:

     

    1. Go to mail at https://outlook.office.com/owa/?realm=yourtenantdomain

    2. Access a SharePoint site with acceleration enabled as per https://support.office.com/en-gb/article/Enable-auto-acceleration-for-your-SharePoint-Online-tenancy-74985ebf-39e1-4c59-a74a-dcdfd678ef83?ui=en-US&rs=en-GB&ad=GB

    3. Build IdP smartlinks as per https://blogs.msdn.microsoft.com/jvasil/2014/05/08/o365-limiting-authentication-prompts/

     

    We have SharePoint as our homepage, users very rarely get prompted.

    • Chris Laycock
      Iron Contributor

      Hi, we have been successfully using an IdP SmartLink to https://portal.office.com/ via our ADFS server for over 18 months UNTIL 4 days ago... when all of a sudden it stopped seamlessly logging users in to their portal page - instead prompting for their O365 identity.

       

      I have a ticket logged; however, Microsoft's response is that they cannot control the smartlinks created by users - and to recreate them.

       

      Can anybody offer any suggestions as to what may have changed in our environment? Is there an expiry or cache time on smartlinks?

      • bart_vermeersch
        Iron Contributor

        We also started experiencing SSO issues a few weeks ago. For the moment we don't have a clue of the cause. Users are prompted for credentials again, while in the past they were logged in automatically using SSO.

    • Eric Adler
      Iron Contributor
      This is great!!

      What we're seeing is the need to click on your user name and/or enter email address before it redirects to the ADFS. This seems to align with your description.

      Thank you!
      • VasilMichev
        MVP

        Just to add that you can get the persistent cookie by adding &LoginOptions=1 at the end of the smart link, if you decide to go that route.
