Starling + CAM Recommended IE settings, What are they?!

So we are rolling out Starling MFA company wide very soon, were doing a pilot currently.

We already stood up CAM and integrated it with Starling, and we have our O365 tenant federated with CAM and Service-Now. 

So far with the pilot group, people are getting hit with MFA a dozen or more times a day, from Service-Now specifically. 

Every time it refreshes it prompts for MFA again. It skips the username and password because we have kerberos auth enabled from the CAM side.

Which brings me here to ask:

What are the recommended Internet Settings for this? Trusted Sites vs intranet, do we turn on cross domain scripting, what other settings can i set via GPO to give our users the best possible experience with Starling +CAM?

I couldn't find anything, anywhere else, so any help? 

I figured this would be something One Identity provides, or has available, so maybe i couldn't find it. But if it doesn't exist I would like to ask One Identity for a some assistance in this.

  • Hi Cody, 

    Since organizations tend to use CAM differently in various scenarios we don't really have a one size fits all recommended setting. 

    It sounds like the Service Now Session might be expiring prompting the new login. Without logs though it's hard to say for sure. If you open a case, however, we could review the logs and make sure. 

    Settings in IE shouldn't really have an impact on a site requiring re-authentication, which would be invisible normally with Kerberos. 

    There are a couple of options in the CAM configuration you could consider as well. Right now I assume that you have 2FA turned on for everyone. You could also set that to external users only. 

    The other option might be to set it up for specific applications instead of everything at the FEA level. Since Service Now is using Kerberos does it strictly need 2FA? 

    Leigh Grant