I have just enabled SAML for our cluster using ADFS 4. SSO works correctly with no password prompts when accessing admin pages via web browsers (chrome, Firefox and IE). With the jabber client I am prompted for an email (expected) and then immediately presented with a windows security login box (Not Expected). If I fill in my AD credentials, jabber will log in correctly. Looking at logs for this authentication it does seem that kerberos is indeed used. I have also disabled ExtendedProtectionTokenCheck in ADFS. IE security setting are set per: https://www.cisco.com/c/en/us/support/docs/unified-communications/jabber-windows/118773-configure-kerberos-00.html
I just can't seem to figure out why jabber is prompting for credentials instead of transparently authenticating - any ideas?