SSO issue DAAS

[Rob Young1709151927]

I have an issue where we want users internally to be able to Seamless Single Signon and users externally to be prompted for their signin.  when I enable Federated Identity Provider Sessions, External users will be attempted to signin automatically with whatever ID they have external and then it fails, but this works fine for internal users.  If I disable Federated Identity Provider Sessions, it works correctly for external, but then all our internal users have to manually signin everytime?

 

I am currently using SAML for the authentication.  (Against AzureAD)

 

Thoughts?

[Jeff Riechers]

I would set it up with Conditional Based Access where you set your internal Natted IPs to not require MFA and allow for longer caching of credentials.

 

That way external users would be prompted for the additional login requirements.

[Rob Young1709151927]

My CAP's are configured to only require MFA on non-trusted IP's.  We have the same SAML setup for a few other SAAS apps and it works fine.

 

Here are the scenarios that I have tried: 

 

Azure authentication (Federated Identity Provider Sessions enabled or disabled)-

Internal: prompts for auth but recognizes who i am

External: Prompts for username/pass

 

SAML Auth (Federated Identity Provider Sessions disabled)

Internal: works great, signs me seamlessly

External: signs user in automatically by whatever their PC's configured for.  Third party, google, live. and fails.  User need incognito

 

SAML Auth (FederatedIdentity Provider Sessions enabled)

Internal: prompt for username/password

External:prompt for username/password

 

What we want:

Internal: Seamless Signle Signon

External: prompt username and password.

 

 

 

[Rob Young1709151927]

I got it working under Azure Active Directory (FIPS disabled) but the logon process is sooooo slow.  (not launching apps but to login to the DAAS.

 

Internal: Seamless SSO (working)

External: Prompt (working)

 

Will open a ticket for the performance.