How can I achieve seamless SSO?

%3CLINGO-SUB%20id%3D%22lingo-sub-189753%22%20slang%3D%22en-US%22%3EHow%20can%20I%20achieve%20seamless%20SSO%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-189753%22%20slang%3D%22en-US%22%3E%3CP%3ESometime%20last%20year%20I%20achieved%20seamless%20SSO%20in%20our%20corporate%20environment%20with%20the%20following%20tools%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EWindows%2010%20Clients%3CUL%3E%3CLI%3EIE11%20(by%20adding%20some%20URLs%20to%20the%20intranet%2Ftrusted%20zones)%3C%2FLI%3E%3CLI%3EChrome%20(with%20some%20trickery%20on%20ADFS%20to%20get%20this%20working)%3C%2FLI%3E%3CLI%3Eand%20generally%20adding%20the%20whr%20parameter%20to%20bookmarks%20deployed%20via%20GPO%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3EAzure%20AD%20Connect%3C%2FLI%3E%3CLI%3EADFS%20onPrem%20with%202012%20R2%20(domain%20is%20generally%20on%202012%20R2%20level)%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebut%20with%20the%20latest%20changes%20over%20last%20couple%20of%20months%2C%20this%20setup%20stopped%20working.%20I%20need%20some%20guidance%20as%20I%20no%20longer%20know%20what%20the%20absolute%20best%20way%20to%20deploy%20seamless%20SSO%20is.%20These%20are%20the%20tools%20at%20my%20disposal%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EWindows%2010%20v1709%20onPrem%20domain%20joined%2FAAD%20hybrid%20joined%20devices%3C%2FLI%3E%3CLI%3E(I'd%20like%20it%20work%20with%20all%203%20browsers%20preferably)%26nbsp%3B%3CUL%3E%3CLI%3EChrome%3C%2FLI%3E%3CLI%3EEdge%3C%2FLI%3E%3CLI%3EIE11%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3EProper%20setup%20UPN%20for%20all%20users%3C%2FLI%3E%3CLI%3EMFA%20active%20on%20all%20users%3CUL%3E%3CLI%3Eexcept%20for%20onPrem%20IP-Range%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3EWindows%20Server%202012%20R2%20onPrem%3CUL%3E%3CLI%3Eif%202016%20is%20a%20requirement%20for%20this%2C%20I'll%20happily%20upgrade%20somehow%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3CLI%3EAzure%20AD%20Connect%3C%2FLI%3E%3CLI%3ESCCM%20(latest)%2C%20incl.%20Hybrid%20AAD%20Joined%20Devices%20-%20but%20Windows%2010%20is%20mostly%20managed%20by%20SCCM%20and%20not%20Intune.%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20no%20requirement%20for%20authentication%20to%20happen%20onPrem%2C%20I%20just%20did%20it%20because%20it%20allowed%20for%20true%20SSO%20back%20then.%3C%2FP%3E%3CP%3EI%20basically%20NEVER%20want%20an%20authentication%20prompt%2C%20neither%20username%20or%20password%2C%20within%20my%20corporate%20environment.%20As%20in%2C%20a%20freshly%20deployed%20machine%20with%20a%20brand%20new%20user%20account%20automatically%20signs%20into%20%3CA%20href%3D%22http%3A%2F%2Fwww.office.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ewww.office.com%3C%2FA%3E%20on%20the%20very%20first%20try%2C%20no%20fuss%20%3B)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20tell%20me%20this%20is%20still%20somehow%20possibly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-189753%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-191842%22%20slang%3D%22en-US%22%3ERe%3A%20How%20can%20I%20achieve%20seamless%20SSO%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-191842%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Ivan%2C%3C%2FP%3E%3CP%3EThere%20are%20two%20ways%20to%20have%20seamless%20SSO%20with%20Azure%20AD%3A-%26nbsp%3B%3C%2FP%3E%3CP%3E1)-%20Pass-though%20Seamless%20SSO.%3C%2FP%3E%3CP%3E2)-Password%20Sync%20Seamless%20SSO.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERecently%20watched%20a%20video%20that%20has%20explained%20everything%20briefly%20and%20this%20might%20help%20you%20as%20well.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DkRPExiS4EwI%26amp%3Bt%3D14s%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DkRPExiS4EwI%26amp%3Bt%3D14s%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Valued Contributor

Sometime last year I achieved seamless SSO in our corporate environment with the following tools:

 

  • Windows 10 Clients
    • IE11 (by adding some URLs to the intranet/trusted zones)
    • Chrome (with some trickery on ADFS to get this working)
    • and generally adding the whr parameter to bookmarks deployed via GPO
  • Azure AD Connect
  • ADFS onPrem with 2012 R2 (domain is generally on 2012 R2 level)

 

but with the latest changes over last couple of months, this setup stopped working. I need some guidance as I no longer know what the absolute best way to deploy seamless SSO is. These are the tools at my disposal:

 

  • Windows 10 v1709 onPrem domain joined/AAD hybrid joined devices
  • (I'd like it work with all 3 browsers preferably) 
    • Chrome
    • Edge
    • IE11
  • Proper setup UPN for all users
  • MFA active on all users
    • except for onPrem IP-Range
  • Windows Server 2012 R2 onPrem
    • if 2016 is a requirement for this, I'll happily upgrade somehow
  • Azure AD Connect
  • SCCM (latest), incl. Hybrid AAD Joined Devices - but Windows 10 is mostly managed by SCCM and not Intune.

 

I have no requirement for authentication to happen onPrem, I just did it because it allowed for true SSO back then.

I basically NEVER want an authentication prompt, neither username or password, within my corporate environment. As in, a freshly deployed machine with a brand new user account automatically signs into www.office.com on the very first try, no fuss ;)

 

Please tell me this is still somehow possibly.

1 Reply

Hello Ivan,

There are two ways to have seamless SSO with Azure AD:- 

1)- Pass-though Seamless SSO.

2)-Password Sync Seamless SSO.

 

Recently watched a video that has explained everything briefly and this might help you as well.

https://www.youtube.com/watch?v=kRPExiS4EwI&t=14s

 

 

This video is for the understanding of Pass through authentication with seamless SSO.Please click on the below mentioned link to check more details as per Mi...