How to achieve seamless SSO without having the user to login again (SAML 2.0 & ADFS using OpenSSO)
We need to implement seamless SSO with ADFS SAML 2.0 using OpenSSO & we plan to go with IdP initiated GET binding. The user in client network will log in to ADFS with Windows credentials once every morning. Thereon, whenever he accesses our application hosted in SaaS environment (different network/domain than that of the client), he should not be prompted for login credentials.
The SSO Profiles supported by SAML 2.0 (including IdP initiated) require the user to enter credentials (on ADFS login page) whenever the request goes to ADFS for authentication.
Is it possible to prevent ADFS prompt from authentication? If so, How can this be achieved?
Configure the ADFS login page to authenticate using windows authentication. Then the user should be automatically redirected back to the destination page without actually having to do anything.
You need a browser that is capable of doing kerberos authentication. I have only done this for Internet Explorer, but I believe Firefox can do this as well.
For Internet Explorer, the site you want to authenticate against must be in the list of Intranet Sites - or else the browser will not do a seamless authentication. This site (ADFS IdP server) can be added in the GPO of your organization.
Additionally: You might want the IdP initiated POST binding due to restriction of amount of data possible to send in a GET request.