Windows 10 Azure AD Joined SSO not working with Office 365
Reported by wdrie...@gmail.com, Mar 21 2016
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
1. Join Windows 10 V1511 (build 10586.164) to Azure AD
2. Logon with o365 identity
3. Open EDGE or IE and open portal.office.com. You have SSO logon.
4. Try step 3 with Chrome.

What is the expected behavior?
Single-Sign-On with Office 365 without having to logon manually.

What went wrong?
Chrome does not understand EPA (Extended Protection for Authentication).

Did this work before? No

Chrome version: 49.0.2623.87 m Channel: stable
OS Version: Windows 10
Flash Version: Shockwave Flash 21.0 r0

The same issue is described in this issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=270219

However Issue 270219 is talking about ADFS. Windows 10 Azure SSO is a new feature and I believe different from ADFS (I am not sure).

https://social.msdn.microsoft.com/Forums/en-US/7f2c9cb6-188d-478f-bfe3-247ab49ad32e/azure-join-sso-with-mozilla-and-chrome-office-365?forum=WindowsAzureAD
"We have something new in win 10, it's called web account manager. Third party browser does not understand this. Microsoft browsers understand this and use the credentials from there and make SSO works fine."

https://community.office365.com/en-us/f/613/t/422558
"You seem to be referring to the Azure AD join functionality. That is a bit different from what is generally referred to as SSO with O365, and all the steps you have tried/listed above don't apply to this scenario. Afaik, there is no way to make 3rd party browsers work with that functionality, at least not currently. Anyway, you should ask this question in the Azure AD forums here: social.msdn.microsoft.com/.../home"

With kind regards,
Wietse Driever
Mar 29 2016
Judging by the fact that similar bugs were encountered with Firefox, I suspect the answer is "Yes" (Firefox has supported channel bindings for longer, thus if it WAS purely issue 270219, we would expect Firefox to work).
Mar 29 2016
Judging based on the limited technical details in https://github.com/Azure/azure-content/blob/master/articles/active-directory/active-directory-azureadjoin-passport.md tied to https://github.com/Azure/azure-content/blob/master/articles/active-directory/active-directory-azureadjoin-overview.md , it seems that Azure AD SSO is tied to a Passport implementation. See also https://azure.microsoft.com/en-us/documentation/articles/active-directory-appssoaccess-whatis/ and https://blogs.technet.microsoft.com/askpfeplat/2015/01/05/azure-active-directory-for-the-old-school-ad-admin/ which suggest that it's primarily a SAML/WS-Federation/OAuth scenario when integrating with a fully hosted Azure AD. But kicking back to enterprise for further triage and analysis.
Jul 8 2016
Requesting Georges & Matt to look deeper with the Chrome Win team. tl;dr - We have managed to make EPA (Extended Protection for Authentication) work on Chrome OS and it was non-trivial. Asanka & Ryan are subject matter experts here. But with Chrome on Win we are still struggling, as the bug describes. Would appreciate someone in the Win team or Chrome Win Ent team taking a deeper look. Ryan has some good pointers in #3.
Nov 10 2016
Aug 1
Comment 1 by emaxx@chromium.org, Mar 29 2016
Components: Internals>Network>Auth
Owner: sleevi@google.com