The supported User Agent Strings for ADFS 3.0 by default do not support Single Sign-On from Third-Party browsers, i.e. Firefox and Chrome. To enable this functionality you can add additional supported User Agent Strings to the ADFS configuration.
NB – This functionality is also available in ADFS 2.0, although it was not officially supported by Microsoft.
Checking Current Config
To check the currently supported User Agent Strings you should run the following command:
Set-ADFSProperties | Select WIASupportedUserAgents
Adding Support for Chrome & Firefox
Current versions of Chrome and Firefox (at time of writing) can be enabled by adding Mozilla/5.0 to the Supported User Agent Strings. An example of the command used for adding the required User Agent String is as follow:
Set-ADFSProperties -WIASupportedUserAgents @(“MSAuthHost/1.0/In-Domain”, “MSIE 6.0”, “MSIE 7.0”, “MSIE 8.0”, “MSIE 9.0”, “MSIE 10.0”, “Trident/7.0”, “MSIPC”, “Windows Rights Management Client”, “Mozilla/5.0”)
You should add the current list of Supported User Agents to a custom variable and then append the Mozilla/5.0 agent string to ensure that no other functionality will be broken.
You should note that when a browser is added to the list of Supported user agents, if the client does not authenticate using Windows Integrated Authentication it will not fall back to Forms-Based authentication, but to Basic as per ADFS 2.0.
The most elegant solution for achieving this behaviour is to inject a custom user agent string into client browsers using Group Policy (therefore setting for all client machines inside the network that will integrate using WIA) and setting the WIASupportedAgents to just that custom string, so they will authenticate using WIA. Those without the User Agent String will fall back to Forms-Based as they are not using a WIA supported agent.
To learn more about ADFS on android read our other blog here
Or to learn more about Office 365 Single sign-on in Outlook read here