I ran into an issue with ADFS (Active Directory Federation Services) recently that had me scratching my head a bit. Let’s set the record straight from the outset here… I thoroughly dislike ADFS and I am not a pro when it comes to managing it. So I often have to do a lot of research and digging whenever I have to do any kind of administrative work with it.
ADFS and SAML have their own dialect of IT speak… and versatile as I am, I have found administering and deploying ADFS to have a rather steep learning curve. So my apologies in advance if this article isn’t as accurate or precise as it should be.
In the scenario that occasioned this article, ADFS is being used to integrate with a third-party hosted web application and while successful authentication works fairly well, there has been some real headache around unsuccessful authentication attempts.
The organization had employees with Active Directory user accounts, and IT wanted to allow those employees to log in to the externally hosted web application using their AD accounts. This is a very typical use-case for ADFS. The application provided a basic login page with a button that said something along the lines of “Login as Employee.” The button was actually a link to a SAML ADFS page hosted on the organization’s ADFS server, which would respond with a popup login prompt asking for the employee’s AD credentials.
The system worked just fine when an employee was able to successfully authenticate.
If an employee entered the wrong password, or their account was locked, or any number of other things happened to make their login attempt unsuccessful, the system would of course not allow them entrance and would simply kick them back to the login page… however, that is where things started to go a bit wrong.