Friday, March 06, 2015

ADFS : Legacy IE, legacy OS and ADFS 3.0

This is the ADFS that runs on Server 2012 R2.

Been busy with a project that has some legacy components.

Firstly - XP.

No longer supported and full of security holes. In particular, it does not support SNI (Server Name Indication).

To get ADFS 3.0 to work with such clients, refer to:

How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2
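A quick way to verify whether an AD FS / Web Application Proxy endpoint still serves a usable certificate to a client that cannot send SNI is to perform two TLS handshakes, one with the server_hostname extension and one without, and compare the certificate the server picks each time. This is an added diagnostic, not code from the post or from the Microsoft article linked above; the host name `adfs.example` is a placeholder, and the script only looks at the certificate the server presents (it does not validate the chain), so run it from a machine that can reach the endpoint.

```python
import hashlib
import socket
import ssl


def _leaf_fingerprint(host, port, use_sni, timeout=5.0):
    """Perform one TLS handshake and return the SHA-256 fingerprint of the
    certificate the server presented, or None if the server refused or
    dropped the handshake. With use_sni=False no server_hostname extension
    is sent, which is how an XP-era client such as IE 8 on XP connects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we want to see the cert, not validate it
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
                der = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError):
        # Servers without a fallback binding typically reset the connection
        # or send a TLS alert when no SNI is present.
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def classify(with_sni, without_sni):
    """Interpret the two fingerprints from an operator's point of view."""
    if with_sni is None:
        return "unreachable"        # even an SNI-capable client fails: not an SNI issue
    if without_sni is None:
        return "no-fallback"        # non-SNI clients (XP) get no certificate at all
    if with_sni == without_sni:
        return "same-cert"          # fallback binding serves the same cert: XP is fine
    return "different-cert"         # a fallback exists but it is a different cert;
                                    # check its subject/SAN covers the AD FS name


def check_non_sni_fallback(host, port=443):
    """Return one of unreachable / no-fallback / same-cert / different-cert."""
    return classify(_leaf_fingerprint(host, port, True),
                    _leaf_fingerprint(host, port, False))


if __name__ == "__main__":
    # Placeholder host name; substitute the federation service name being tested.
    print(check_non_sni_fallback("adfs.example"))
```

"no-fallback" is the state the linked Microsoft article addresses: the HTTP.SYS binding exists only for the federation service name, so a handshake that carries no name matches nothing. Note that a current Python negotiates TLS 1.2 or later, so this checks only the SNI behaviour; the server's protocol and cipher configuration for old clients is a separate question.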

ADFS 3.0 login failing from IE8

IE8 is the last incarnation of IE on XP.

If you use a later OS e.g. Windows 7 and you play in the identity space with federation and lots of redirects, you may find IE 8 reporting "Internet Explorer cannot display the webpage".

This is because IE 8 has a redirect limit of 10, which is fine for a normal web site but not for the SSO browser profile, which is built on redirects, i.e.

User --> Application --> IDP1 --> IDP2 --> IDP3 etc., and then the rollback all the way back down.

If the application is SharePoint, that alone has 3 to 4 redirects.

There is a "fix" but it involves regedit, which is per machine and not something suitable for the average user.

Far better to upgrade IE or use another browser.
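Before pointing legacy browsers at a federated application it helps to count the hops in the sign-in flow and compare the number against the IE 8 cap described above. The tracer below is an added example, not part of the post: it follows a redirect chain one hop at a time without letting the HTTP library auto-follow, stops once more than `IE8_REDIRECT_LIMIT` redirects have been taken, and can be driven either by a live fetch or by a constructed chain (the `FEDERATION_CHAIN` host names are made up to illustrate SharePoint -> AD FS -> partner IdP). Real WS-Federation and SAML flows also carry some legs as auto-submitting HTML form POSTs rather than 302s, so a GET-only trace is a lower bound on what the browser actually experiences.

```python
import http.client
from urllib.parse import urljoin, urlsplit

IE8_REDIRECT_LIMIT = 10          # hard cap in IE 8, as stated in the post
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fetch_no_follow(url, timeout=10.0):
    """Issue one GET and return (status, Location header) without following
    the redirect ourselves, so that every hop is visible to the caller."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": "redirect-trace/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(start_url, fetch=fetch_no_follow, limit=IE8_REDIRECT_LIMIT):
    """Walk the redirect chain from start_url.

    Returns (hops, final_status, exceeded): hops is every URL visited
    including the start, so len(hops) - 1 is the number of redirects taken;
    exceeded is True when the chain needed more redirects than `limit`,
    which is the point at which IE 8 gives up with its generic error page."""
    hops = [start_url]
    while True:
        status, location = fetch(hops[-1])
        if status not in REDIRECT_STATUSES or not location:
            return hops, status, False
        # Location may be relative (SharePoint's /_trust/ hop is a typical case).
        hops.append(urljoin(hops[-1], location))
        if len(hops) - 1 > limit:
            return hops, status, True


# Constructed sample chain (placeholder hosts) standing in for a live flow:
# SharePoint site -> its trust endpoint -> AD FS -> partner IdP -> login page.
FEDERATION_CHAIN = {
    "https://sharepoint.example/sites/hr": (302, "/_trust/"),
    "https://sharepoint.example/_trust/": (302, "https://adfs.example/adfs/ls/?wa=wsignin1.0"),
    "https://adfs.example/adfs/ls/?wa=wsignin1.0": (302, "https://idp.partner.example/saml/sso"),
    "https://idp.partner.example/saml/sso": (302, "https://idp.partner.example/login"),
    "https://idp.partner.example/login": (200, None),
}


def trace_constructed_chain(start_url="https://sharepoint.example/sites/hr"):
    """Run the tracer against the constructed chain instead of the network."""
    return trace_redirects(start_url, fetch=lambda u: FEDERATION_CHAIN[u])


if __name__ == "__main__":
    hops, status, exceeded = trace_constructed_chain()
    print(f"{len(hops) - 1} redirects, final status {status}, "
          f"over IE 8 limit: {exceeded}")
    for i, url in enumerate(hops):
        print(f"  {i}: {url}")
```

Against a real deployment, call `trace_redirects("https://<your-app>/...")` with the default fetcher from a machine that can reach all the hosts in the chain; the inbound leg alone is what this measures, and the post's point is that the return leg adds the same number of hops again.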

Enjoy!
