What Browsers Are Supported by ADFS?

Published in ADFS Browser Support

ADFS (Active Directory Federation Services) supports a range of modern web browsers for various authentication flows, with specific considerations for Windows Integrated Authentication (WIA). While Internet Explorer traditionally offers out-of-the-box WIA support, other popular browsers such as Edge, Chrome, and Firefox can also be configured to leverage WIA with ADFS.

Supported Browsers and Windows Integrated Authentication (WIA)

Windows Integrated Authentication (WIA) allows users to seamlessly authenticate without entering credentials when accessing ADFS-protected resources from a domain-joined device within the corporate network. The level of default support for WIA varies across browsers and ADFS versions, as detailed below:

| Browser | WIA Support (ADFS 3.0 / Windows Server 2012 R2) | WIA Support (ADFS 4.0+ / Windows Server 2016+) | Notes |
|---|---|---|---|
| Internet Explorer | Default | Default | Provides default WIA support across all ADFS versions, allowing for a seamless sign-on experience within the intranet. |
| Microsoft Edge | Configurable | Default | While configurable for WIA in ADFS 3.0 environments, Edge is supported by default for WIA starting with ADFS 4.0 (Windows Server 2016 and later), enhancing the out-of-the-box experience for modern Windows clients. |
| Google Chrome | Configurable | Configurable | Requires specific ADFS configuration to enable WIA. This typically involves updating ADFS properties to include Chrome's user-agent string for WIA. |
| Mozilla Firefox | Configurable | Configurable | Similar to Chrome, Firefox needs ADFS configuration to support WIA, which involves adding its user-agent string to the ADFS WIA configuration. |

These configuration steps only affect WIA. Standard forms-based authentication and other authentication methods are generally supported by any modern web browser without specific server-side browser configuration.

Enabling WIA for Non-Default Browsers

For browsers like Chrome and Firefox, and for Edge on older ADFS versions (ADFS 3.0), enabling WIA involves updating the ADFS properties to recognize their user-agent strings. This configuration ensures that ADFS prompts these browsers to perform Windows Integrated Authentication when appropriate.

  • Configuration in ADFS 3.0 (Windows Server 2012 R2) and ADFS 4.0 (Windows Server 2016):
    System administrators can use PowerShell commands on the ADFS server to adjust the WiaSupportedUserAgents property. This property specifies the user-agent strings that ADFS should consider for WIA, thereby extending the seamless sign-on experience to additional browsers.
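
The update described above, as an added example that is not part of the original page or Microsoft's documentation: it reads the current WiaSupportedUserAgents list, saves a rollback copy, appends only the missing tokens, and warns about entries generic enough to match almost any client. The tokens in `$wanted`, the backup path, and the "too broad" heuristic are assumptions for illustration.

```powershell
# Added example: idempotently extend WiaSupportedUserAgents on the ADFS server.
# Run in an elevated PowerShell session on the ADFS server.
Import-Module ADFS

# Assumed tokens for illustration; pick the narrowest strings that match
# the browsers you actually deploy on domain-joined machines.
$wanted = @('Chrome', 'Firefox')

# Read the list currently in effect and keep a copy for rollback.
$current = @((Get-AdfsProperties).WiaSupportedUserAgents)
$backup  = Join-Path $env:TEMP ('WiaSupportedUserAgents-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
$current | Set-Content -Path $backup
Write-Output "Previous list saved to $backup"

# Add only the tokens that are missing, so re-running the script is a no-op.
$missing = @($wanted | Where-Object { $current -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Output 'WiaSupportedUserAgents already contains every requested token.'
} else {
    Set-AdfsProperties -WiaSupportedUserAgents ($current + $missing)
    Write-Output ('Added: {0}' -f ($missing -join ', '))
}

# Review pass. The User-Agent header is supplied by the client, so this list
# only decides which clients are offered WIA; it is not an access control.
# Flag tokens so generic that nearly every client would be offered WIA.
# (The length threshold and the token list below are assumptions.)
$tooBroad = @('Mozilla', 'Mozilla/5.0', 'Windows NT')
$final    = @((Get-AdfsProperties).WiaSupportedUserAgents)
$final |
    Where-Object { $_.Length -lt 6 -or $_ -in $tooBroad } |
    ForEach-Object { Write-Warning "Broad WIA user-agent token: '$_'" }

# Print the resulting list for the change record.
$final | Sort-Object | ForEach-Object { Write-Output "  $_" }
```

To roll back, pass the saved list to `Set-AdfsProperties -WiaSupportedUserAgents (Get-Content <backup file>)`.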

For detailed guidance on configuring ADFS browser support, particularly for WIA, refer to official Microsoft documentation: