In our organization we recently faced some issues with some of our
On our ADFS configuration we enabled WIA (Windows Integrated Authentication). As it turns out older Chromebooks worked fine with this type of configuration. But the more recent SameSite cookie changes in Chrome 80 seem to have broken this functionality.
Microsoft hotfixes
Microsoft has provided some hotfixes to make ADFS compatible with the SameSite cookie change Google has announced. Microsoft provides the following hotfixes (depending on your WIndows version):
Though these hotfixes are required to make Chrome 80 work with ADFS, they do not seem to fix the problem we are facing with our Chromebooks. All our systems were up-to-date at the time of testing.
Fixing ADFS authentication on Chromebooks with Chrome 80
After a lot of digging and troubleshooting, we decided to disable WIA authentication for ChromeOS devices. This will force the user to login to a form based authentication. In order to disable WIA for ChromeOS devices only, and not for WIndows Chrome logins we issued the following command (using an elevated WIndows PowerShell console):
Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "MS_WorkFoldersClient", "=~Windows\sNT.Edge", "Edge/12", "=~Windows\sNT.Chrome")
This command disables WIA authentication for Chromebooks, but keeps it alive for Windows machines.