How to achieve cross app sso with ADFS not entra ID

Bayu Aji Setyawan 0

Based on this article https://learn.microsoft.com/en-us/entra/identity-platform/msal-android-single-sign-on

How to achieve Cross APP SSO with ADFS Account?

I have my environment running full on premise with ADFS 2019, Exchange server 2019 CU 14.

I've already tried the cross app SSO with entra id. But how to achieve it with on premise account with my environment account?

My Goal is to have cross app sso but with adfs account (auto logged in with outlook). I already achieve it with entra id but can't with adfs account.

Is it possible?

1 answer

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-04T08:51:53.28+00:00
Hi @Bayu Aji Setyawan ,

Welcome to the Microsoft Q&A platform!

Yes, it is possible to achieve cross-app Single Sign-On (SSO) with an ADFS account in your on-premises environment. Here is a high-level overview of the configuration steps:

ADFS Configuration:

Set up relying party trusts for your applications.

Configure claims rules to pass the necessary user information.

MSAL Configuration:

Use the authority parameter in MSAL to point to your ADFS instance.

Enable brokered authentication by setting the broker_redirect_uri.

Ensure the Microsoft Authenticator or Intune Company Portal app is installed on the user's device.

For detailed guidance, you can refer to the Microsoft documentation on enabling cross-app SSO using MSAL.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang
Please sign in to rate this answer.
Bayu Aji Setyawan 0 Reputation points

2024-12-04T09:57:34.9633333+00:00

Hi @Jake Zhang-MSFT

Thank you for your response.

For the ADFS Configuration, I already followed this article (https://learn.microsoft.com/en-us/exchange/clients/outlook-on-the-web/ad-fs-claims-based-auth?view=exchserver-2019) on my dev env, but skip step 5 because it says optional. Is this enough?

For the MSAL.

"Use the authority parameter in MSAL to point to your ADFS instance" I already followed this article (https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-android) and works for entra id.

Where to put authority parameter exactly based on that android code sample?

Is the authority parameter that point to my adfs instance looks like adfs.mydomain.com? How to check my authority parameter in my adfs environment?

"Enable brokered authentication by setting the broker_redirect_uri". I followed this article (https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-android).

Do you mean the broker_redirect_uri is redirect_uri from from above article? If not can you pointed out where is broker_redirect_uri from above article? { "client_id": "00001111-aaaa-bbbb-3333-cccc4444", "authorization_user_agent": "WEBVIEW", "redirect_uri": "msauth://com.azuresamples.msalandroidapp/00001111%cccc4444%3D", "broker_redirect_uri_registered": true, "account_mode": "SINGLE", "authorities": [
{ "type": "AAD", "audience": { "type": "AzureADandPersonalMicrosoftAccount", "tenant_id": "common" } }
] }

I just want to create an android app that have 1 button to login to my adfs and then the outlook app on the same android device is logged in. After logged in dan the button clicked, the app just will say "logged in". Is the redirect uri just msauth://<PACKAGE_NAME>/<SIGNATURE_HASH>? For example

PACKAGE_NAME = com.example.myapp

SIGNATURE_HASH => can generated from keytool -exportcert -alias <ALIAS> -keystore <PATH_TO_KEYSTORE> | openssl sha1 -binary | openssl base64

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-06T09:41:41.33+00:00

Let's go through each of your questions one by one:

If step 5 in the ADFS claims-based authentication setup is marked as optional and your current setup works without that step, then skipping that step should be fine. However, if you run into any issues, you may want to revisit that step for completeness.

Authorization Parameters The authorization parameters in MSAL should point to your ADFS instance. The format is usually something like https://adfs.mydomain.com/adfs. You can find your ADFS authorization URL under the Endpoints section of the ADFS management console.

In the MSAL configuration JSON, you can place the authorization parameters in the authorization array. Here is an example:

{ "client_id":"00001111-aaaa-bbbb-3333-cccc4444" "authorization_user_agent":"WEBVIEW" "redirect_uri":"msauth://com.example.myapp/00001111%cccc4444%3D" "broker_redirect_uri_registered":true, "account_mode":"SINGLE" "authorities":[ { "type":"ADFS" "authority_url":"https://adfs.mydomain.com/adfs" } ] }

broker_redirect_uri is indeed the redirect_uri you registered for your app. It should follow the format of msauth://<PACKAGE_NAME>/<SIGNATURE_HASH>. Brokers (such as Microsoft Authenticator) use this URI to redirect back to your app after authentication.

You can generate SIGNATURE_HASH as follows:

keytool -exportcert -alias <ALIAS> -keystore <PATH_TO_KEYSTORE> | openssl sha1 -binary | openssl base64

Replace <ALIAS> and <PATH_TO_KEYSTORE> with your actual alias and keystore path.

Bayu Aji Setyawan 0 Reputation points

2024-12-07T11:28:37.6666667+00:00

Hi @Jake Zhang-MSFT ,

I got this error from android. I use the single account activity from this sample https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-android/https://github.com/Azure-Samples/ms-identity-android-java

Already tried to remove to remove/disable from callGraphAPI function too but still the same error persist.

This is the error
"com.microsoft.identity.client.exception.MsalClientException: com.microsoft.identity.common.java.authorities.ActiveDirectoryFederationServicesAuthority cannot be cast to com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAuthority"

How to fix this? Is there anything do i need to change from the code? Because I already tried with entraID and it's success but not when using ADFS

Btw are you sure ADFS is supported for this scenario? Because from https://learn.microsoft.com/en-us/entra/identity-platform/msal-configuration#map-microsoft-entra-authority--audience-to-microsoft-identity-platform-endpoints there's no ADFS option in authorities

And from https://learn.microsoft.com/en-us/answers/questions/693583/msal-android-adfs-config-json someone say "Unfortunately there's no direct-to-ADFS support for MSAL Android"

Notes: I change the real values of my environment with "sensitiveinformation"

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-10T08:55:33.71+00:00

Hi @Bayu Aji Setyawan ,

Thanks for your response.

Based on your description, it seems that there is indeed a limitation in using MSAL for Android directly with ADFS. The error you encountered, com.microsoft.identity.client.exception.MsalClientException: com.microsoft.identity.common.java.authorities.ActiveDirectoryFederationServicesAuthority cannot be cast to com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAuthority, indicates that MSAL for Android does not support ADFS as an authority.

Key Points:

According to Microsoft Q&A, MSAL for Android does not directly support ADFS.

The MSAL configuration document also does not list ADFS as a supported authority.

Workaround:

To implement SSO with ADFS, you can use Azure AD as an intermediary. You can set it up as follows:

Configure Azure AD to federate with ADFS:

Set up Azure AD to federate with your on-premises ADFS. This way, Azure AD will handle the initial authentication and then redirect to ADFS for the actual sign-in.

Follow the steps in this guide to configure federation with ADFS.

In your MSAL configuration, use Azure AD as the authority. This will allow your Android app to authenticate with Azure AD, which will then redirect to ADFS for authentication.

Here is an example of a MSAL configuration:

{ "client_id": "00001111-aaaa-bbbb-3333-cccc4444", "authorization_user_agent": "WEBVIEW", "redirect_uri": "msauth://com.example.myapp/6/aB1cD2eF3gH4iJ5kL6-mN7oP8qR=", "broker_redirect_uri_registered": true, "account_mode": "SINGLE", "authorities": [ { "type": "AAD", "authority_url": "https://login.microsoftonline.com/common" } ] }

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang

Bayu Aji Setyawan 0 Reputation points

2024-12-11T09:32:04.3366667+00:00

Hi @Jake Zhang-MSFT ,

Thanks for you reply. Thank you so it's confirmed that ADFS is not supported by MSAL ADFS android.

From this sentence "Configure Azure AD to federate with ADFS". How to do that in my adfs environment?

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-12T02:15:10.95+00:00

Hi @Bayu Aji Setyawan ,

Thanks for your response!

To configure Azure AD to federate with your on-premises ADFS, you can follow these steps:

Prepare Your ADFS Environment

Ensure your ADFS environment is properly set up and running. You should have:

ADFS servers configured.

Web Application Proxy (WAP) servers if users need to access ADFS from outside your network.

Install and Configure Azure AD Connect

Azure AD Connect is a tool that helps you integrate your on-premises directories with Azure AD. Here’s how to set it up:

Download and Install Azure AD Connect:

Download Azure AD Connect from the Microsoft website.

Run the installer and follow the prompts.

Configure Federation with ADFS:

During the setup, choose the Federation with ADFS option.

Provide the necessary credentials and information about your ADFS environment.

Configure Federation Settings

Launch Azure AD Connect and select Configure.

Choose the option to configure federation with ADFS.

Enter the details of your ADFS servers and the service account credentials.

Azure AD Connect will verify the configuration and complete the setup.

Verify Federation

Test User Sign-In:

Test the federation setup by signing in to an Azure AD-integrated application using an on-premises account.

Ensure that the sign-in process redirects to your ADFS for authentication.

Verify that the correct claims and tokens are being issued by ADFS and accepted by Azure AD.

For more detailed instructions, you can refer to the following resources:

Deploying Active Directory Federation Services (AD FS) in Azure.

Microsoft Entra Connect and Federation.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang

Bayu Aji Setyawan 0 Reputation points

2024-12-12T03:12:36.9766667+00:00

Hi @Jake Zhang-MSFT ,

Thank you for your response. I have several question about this.

So it use Entra Connect to integrate on prem and entra id (cloud). After that it will use entra id (cloud) authority in msal? Is the authority configuration is like this?
{ "type": "AAD", "audience": { "type": "AzureADandPersonalMicrosoftAccount", "tenant_id": "common" } }

When I use msal android (java/kotlin), entra connect, and adfs on premise 2019. Will it achieve cross app sso or just usual login not cross app sso? (For example no need to login again on outlook android because it auto login)

I use msal.net with maui (because you said msal android not support adfs) and already succeed login (get the access token) with below get the access token). But when I ran, the cross app sso don't work (outlook and microsoft authenticator not logged in to my adfs on premise account). I found that in this article https://learn.microsoft.com/en-us/entra/identity-platform/msal-android-single-sign-on it need a broker (microsoft authenticator, which i already install alongside with outlook for android). And I found in this article https://learn.microsoft.com/en-us/entra/identity-platform/msal-net-use-brokers-with-xamarin-apps#step-1-enable-broker-support-1 that I need to use WithBroker() function but i don't find where to put my authority (for example https://adfs.mydomain.com/adfs) So in msal.net is it supported for cross app sso or not?

Here are my previous code using

var publicClientApplicationBuilder = PublicClientApplicationBuilder .Create("MyClientIDFromADFS") .c("https://adfs.mydomain.com/adfs") .WithRedirectUri($"msauth://com.test.app/mybase_64_encoded_signature") .Build(); var authResult = await publicClientApplicationBuilder.AcquireTokenInteractive({"email"}) .WithParentActivityOrWindow(EntraConfig.ParentWindow) .ExecuteAsync().ConfigureAwait(false); Debug.WriteLine($"SUCCESS => {authResult.AccessToken}");

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-13T08:41:41.3933333+00:00

Hi @Bayu Aji Setyawan ,

Let me answer your questions one by one:

Yes, you will use Entra Connect to integrate your local ADFS with Azure AD (Entra ID). After integration, you will use Azure AD authorization in MSAL configuration. Your permission configuration is correct.

When you use MSAL for Android (Java/Kotlin) with Entra Connect and ADFS locally, you can achieve cross-app SSO. This means that once a user logs in through your app, they do not need to log in again in other apps (such as Outlook) as long as they use a proxy (Microsoft Authenticator).

For MSAL.NET, cross-app SSO is supported when using a proxy. The configuration method is as follows:

a. Use the WithBroker() method in the MSAL.NET configuration.

b. Since MSAL.NET does not support direct ADFS authorization, Azure AD should be used as the authorization.

I think the statement you used before is correct.

Please feel free to contact me for any updates. And if this helps, don't forget to mark it as an answer.

Best,

Jake Zhang

Bayu Aji Setyawan 0 Reputation points

2024-12-13T09:00:29.88+00:00

Hi @Jake Zhang-MSFT ,

Thank you for your reply.

I just wanna clarify 1 things about my third question. "Since MSAL.NET does not support direct ADFS authorization, Azure AD should be used as the authorization".

So whether I using MSAL kotlin/java for android or MSAL.NET/MAUI for android. The cross app SSO will only be achieved if we use entra id/entra connect/azure ad/azure ad connect/cloud/office 365 as authority? It'll not work solely with adfs on premise alone or using adfs as authority?

Btw fyi, I already tried with using MSAL.NET with a function called .WithAdfsAuthority()

https://learn.microsoft.com/en-us/dotnet/api/microsoft.identity.client.abstractapplicationbuilder-1.withadfsauthority?view=msal-dotnet-latest

And already successfully logged in and get the access token, but still the cross app sso not achieved and there isn't my adfs account on microsoft authenticator. It isn't like when I use WithBroker(), the entra id account is there (microsoft authenticator).

Btw I tried to using .WithBroker().WithAdfsAuthority("https://adfs.mydomain.com/adfs)

But there's error like this ...Broker response returned error: com.microsoft.identity.common.java.authorities.ActiveDirectoryFederationServicesAuthority cannot be cast to com.microsoft.identity.common.java.authorities.AzureActiveDirectoryAuthority...

(I posted it too in stackoverflow if you wanna see the details https://stackoverflow.com/questions/79274026/cant-use-broker-mode-with-adfs-authority)

I think it's the same error like when I use msal java/kotlin but using this json configuration

"authorities":[

{

"type":"ADFS"

"authority_url":"https://adfs.mydomain.com/adfs"

}

]

So yeah, doesn't it means that cross app sso with only adfs as an authority is not possible?

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-17T09:29:55.4333333+00:00

You are correct. Cross-app SSO using only ADFS as an authority is not supported by MSAL for Android or MSAL.NET.

To achieve cross-app SSO, you should use Azure AD Connect to set up federation between your on-premises ADFS and Azure AD.And configure your MSAL applications to use Azure AD as the authority.

Here’s how you can configure MSAL.NET to use Azure AD with broker support:

var publicClientApplicationBuilder = PublicClientApplicationBuilder .Create("YourClientID") .WithAuthority("https://login.microsoftonline.com/common") .WithRedirectUri($"msauth://com.test.app/mybase_64_encoded_signature") .WithBroker() .Build(); var authResult = await publicClientApplicationBuilder.AcquireTokenInteractive(new[] { "User.Read" }) .WithParentActivityOrWindow(EntraConfig.ParentWindow) .ExecuteAsync().ConfigureAwait(false); Debug.WriteLine($"SUCCESS => {authResult.AccessToken}");

Jake Zhang-MSFT 7,850 Reputation points Microsoft Vendor

2024-12-20T07:30:16.07+00:00

Hi @Bayu Aji Setyawan ,

Please kindly consider this comment as a warm follow up, I want to know if your problem has been solved. If you still have any other questions, please feel free to comment here and I'm glad to provide further support.If the above info is helpful to this question, you can click "Accept Answer". Have a nice day!

Best,

Jake Zhang
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to achieve cross app sso with ADFS not entra ID

1 answer

Prepare Your ADFS Environment

Install and Configure Azure AD Connect

Configure Federation Settings

Verify Federation

Your answer