I decided to write this article for anyone who, like us, is an early adopter of Facebook Workplace and has SSO issues with ADFS, as the documentation at the time of writing is limited and makes some assumptions. I will try to save you some time with a few tips below.
TLDR:- If, like me, your main issue with login loops is either that the users are not set to SSO or that you get the following error:
SSO Not Authenticated
The SAML Response was invalid. Please check that all fields are correct and try again.
then this is most likely down to the email address not matching or, even better, a trailing / at the end of the ADFS URLs! (I wasted an hour or so on this.)
The next piece of advice I will give you: if you are going to use Azure AD as the IdP for the users' details, get SSO working before setting this up. Otherwise you will need to delete the users or use the bulk edit tool to set everyone to SSO within the People menu. Press the Edit People button.
Within this menu select Download CSV; this will generate an email to the admin user you are logged in as.
Once downloaded, open the file and you will see that you can change users en masse from password to SSO.
The way to tell whether a user is SSO or not is by clicking the … at the end of the user's row; below is a pre-synced user before SSO.
And this is an SSO user; as you can see, the force SAML authentication option appears.
But of course, first you need to get SSO working, and this is probably why you are here. Firstly, the documentation you follow from Facebook may differ, as this all depends on the version of ADFS you are using. I was using Server 2016, not 2012 like their screenshots, so just follow this as best you can. You will also notice that, at the time of writing, when you follow the hyperlink for next steps in the PDF you get this page. Don't panic! I have listed out what I did below.
I fumbled along and came up with the below from what I gathered from the PDF guide.
Now hit Test SSO, and you will get the same error as I did:
I even got the following error in my ADFS logs whilst I was playing around with the claim transforms. If you get this, you may have a typo in them, as the E-Mail Address field is case sensitive and slightly different, and is again typed wrong in the PDF compared with the screenshot:
The SAML authentication request had a NameID Policy that could not be satisfied.
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: null.
I played around with this for a bit thinking I had done something wrong, as when you copy the URLs from your ADFS config, like below, they have a / at the end of them. Ignore this; it appears the URL generated by the SSO setup in Facebook already adds it. Remove the trailing / from your URLs above so they now look like this:
If you press Test SSO again now, and all things are in order, you should see the following:
You will also notice that the form will refuse to save until you get the above message. You may also need to add additional email domains to allow single sign-on, depending on the users' primary email addresses.
Toggling Users:- If you need to toggle a specific user between password and SSO, select the … at the end of the user's row, scroll to the bottom and change the "Login with" setting.
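As an added example (not from the original post, Facebook or Microsoft), here is a small Python check you can run over a captured SAML Response to spot the mismatches described above: the trailing / on the ADFS issuer URL, a NameID that is not in emailAddress format (the MSIS7070 case when it is missing entirely), and a NameID that matches no user's email. The hostname, user and XML are constructed, and the check does not validate the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: an unsigned SAML Response showing two mistakes from the
# post, a trailing / on the ADFS issuer and a NameID that is not in the
# emailAddress format. Hostname and user are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, expected_issuer, known_emails):
    """Return a list of problem strings; empty means nothing obvious is wrong (no signature check)."""
    problems = []
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        if issuer.rstrip("/") == expected_issuer.rstrip("/"):
            problems.append(f"issuer trailing-slash mismatch: {issuer!r} vs {expected_issuer!r}")
        else:
            problems.append(f"issuer mismatch: {issuer!r}")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        # Corresponds to the MSIS7070 log entry: ADFS issued no nameidentifier claim.
        problems.append("no NameID in assertion")
        return problems
    fmt = name_id.get("Format", "")
    if fmt != EMAIL_FORMAT:
        problems.append(f"NameID Format is {fmt!r}, expected {EMAIL_FORMAT!r}")
    value = (name_id.text or "").strip()
    # Email comparison is case-insensitive; an account with this address must exist.
    if value.lower() not in {e.lower() for e in known_emails}:
        problems.append(f"NameID {value!r} matches no known user email")
    return problems

if __name__ == "__main__":
    for p in check_saml_response(SAMPLE_RESPONSE,
                                 "http://adfs.example.com/adfs/services/trust",
                                 ["jdoe@example.com"]):
        print("PROBLEM:", p)
```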