Configuring end-user browsers - PingFederate - 11.0


You can configure browsers at your site to use the Kerberos Adapter to authenticate users.

The client-side configuration requires the base URL or an applicable virtual host name of your PingFederate environment. The base URL is defined on the System > Server > Protocol Settings > Federation Info tab. To see a list of defined virtual host names, if configured, go to System > Server > Virtual Host Names.

Important:

If the browser is not properly configured, the user might be prompted to authenticate manually with their network credentials; otherwise, authentication fails, and so does single sign-on (SSO) to the service providers.

Configuring Microsoft Edge

Configure Kerberos authentication using Microsoft Edge.

You must edit a group policy object (GPO) to send all intranet site requests to Internet Explorer (IE) 11 instead of Edge. This allows you to put PingFederate into the Intranet Sites Zone (not the Trusted Sites Zone) in IE and enable Kerberos.

Note:

By default, Microsoft Edge doesn't accept intranet sites and doesn't allow PingFederate's Kerberos adapter to request a Kerberos ticket for the relevant user.

  • Go to Group Policy Management Editor > User Configuration > Administrative Templates > Windows Components > Microsoft Edge > Send All intranet sites to IE11.

Screen capture of the Administrative Templates Policy definitions settings for Microsoft Edge. The send all intranet sites to Internet Explorer 11 setting is selected.
  1. To use the administrative template for Microsoft Edge, download it from the Microsoft website.
  2. Go to Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List > Show Contents.
  3. In the Show Contents modal, in the Value Name column, enter the <PingFederate URL>, and in the Value column, enter 1. Click OK.

    Screen capture of the Show Contents modal with a PingFederate URL entered for the Value Name column and 1 entered for the Value column.
  4. Go to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone > Logon options.
  5. In the Logon Options modal, in the Logon options list, select Automatic logon with current user name and password. Click OK.
  6. Go to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone > Logon options.
  7. In the Logon Options modal, in the Logon options list, select Automatic logon with current user name and password. Click OK.

    Screen capture of the Logon options modal. The Automatic logon with current user name and password setting is selected in the Logon options list.
  8. Save your changes.

Configuring Mozilla Firefox

Configure Kerberos authentication using a Firefox browser.

  1. Start Firefox.
  2. Open a new tab, and then enter about:config in the address bar.
  3. Double-click the network.negotiate-auth.trusted-uris preference name to modify its value to include the base URL of your PingFederate environment. For example, www.example.com.
  4. Click OK and close the about:config tab.
  5. Optional: Exit Firefox.
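
The following is an added example, not part of the PingFederate documentation: a Python audit of a Firefox profile's prefs.js that checks whether network.negotiate-auth.trusted-uris covers the PingFederate host with a host-specific entry and flags entries that trust more than intended. The sample prefs content, the function names, and the exact-or-subdomain model of how entries match a host are assumptions made for this example.

```python
import re

PREF = "network.negotiate-auth.trusted-uris"

# Constructed prefs.js content for illustration (not taken from a real profile).
SAMPLE_PREFS = '''
user_pref("browser.startup.page", 3);
user_pref("network.negotiate-auth.trusted-uris", "www.example.com, https://, http://sso.example.com");
'''

def trusted_uris(prefs_text):
    """Return the comma-separated entries of the pref, or [] if it is unset."""
    m = re.search(r'user_pref\("%s",\s*"([^"]*)"\);' % re.escape(PREF), prefs_text)
    return [e.strip() for e in m.group(1).split(",") if e.strip()] if m else []

def split_entry(entry):
    """Split an entry of the form [scheme://][host[:port]] into (scheme, host)."""
    scheme, sep, rest = entry.partition("://")
    if not sep:
        scheme, rest = "", entry
    host = rest.split("/")[0].split(":")[0].lower()
    return scheme.lower(), host

def audit(prefs_text, pf_host):
    """Return (covered, findings); covered is True only for a host-specific match."""
    covered, findings = False, []
    pf_host = pf_host.lower()
    for entry in trusted_uris(prefs_text):
        scheme, host = split_entry(entry)
        if not host:
            findings.append((entry, "no host: matches every site using this scheme"))
            continue
        if scheme == "http":
            findings.append((entry, "cleartext scheme allowed for Negotiate"))
        if "." not in host.strip("."):
            findings.append((entry, "single-label entry (check it is not a whole TLD)"))
        bare = host.lstrip(".")
        # Assumption: an entry matches the host itself and its subdomains.
        if pf_host == bare or pf_host.endswith("." + bare):
            covered = True
    return covered, findings

if __name__ == "__main__":
    ok, issues = audit(SAMPLE_PREFS, "www.example.com")
    print("PingFederate host covered:", ok)
    for entry, reason in issues:
        print("  review %r: %s" % (entry, reason))
```

To audit a real profile, pass the text of its prefs.js and the host from your PingFederate base URL or virtual host name to `audit`.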

Configuring Google Chrome

Google Chrome browsers support Kerberos authentication.

If you configure Microsoft Edge for Kerberos authentication, then you don't need to configure Google Chrome because Chrome uses the settings in Edge. For more information, see the Microsoft Edge tab on this topic.