Azure AD Single sign on auto sign in with windows credentials

    Question

  • I have my on-premises Active Directory connected with Azure AD, and I set up the apps and users in Azure. There are two users (tom@mysite.com, ken@mysite.com). Now Ken logs in to the computer with an Active Directory account associated with ken@mysite.com; when Ken visits my app, it auto-logs in without having to input a password. The issue is that when I tried to log in with tom@mysite.com, Azure AD automatically signed me in as ken@mysite.com without asking for a password. So there is no way for Tom to sign in to my app on Ken's computer. Is it supposed to work like this?
    Tuesday, April 4, 2017 3:44 PM

All replies

  • Hey there! Sounds like your browser is caching some cookies and/or you have a shared browser context between the users (like the browser was installed for all users, rather than a specific user). Can you test this same thing once Tom signs out of his apps on the browser by clicking the "sign out" link on myapps.microsoft.com? I think then Ken will be able to log in to access his.

    You can also uninstall and reinstall the browser, but this time make sure it's done ONLY for Ken and Tom as separate users, and not for all users on the machine. This may also be another workaround here.

    If you use Azure AD domain join with Windows 10, you should be able to have this happen automatically.

    Thanks!

    Adam.


    Adam Steenwyk | Senior Program Manager | asteen@microsoft.com

    Tuesday, April 4, 2017 4:28 PM
  • Thanks for your response. I reinstalled Firefox; it did ask me to sign in with a user name (not email) and password (in a popup window). Now I am able to sign in to my app or portal.azure.com with a different user, Tom, on Ken's computer. But once I signed in, it seems like it stored the user's login credentials in a cookie, and I couldn't find a way to sign the user out. I have tried to sign out from myapps.microsoft.com and portal.azure.com. It still automatically signs in as Tom, even if I put in Ken's email (ken@mysite.com; there is no problem if I use another account with a different domain, like max@newsite.com) on the Azure AD sign-in page (not the popup window). Of course, Ken and Tom have the same domain and are in the same directory (tom@mysite.com, ken@mysite.com).

    So my question is: how can I really sign out the user (Tom) from Ken's computer without having to remove the cookie manually?


    • Edited by Kayn Z Tuesday, April 4, 2017 6:19 PM
    Tuesday, April 4, 2017 6:18 PM
  • Is this a Windows 10 installation where Windows is joined to Azure AD? If so, it is expected behavior that it will automatically sign you in on AAD-integrated web sites. (The idea is that a Win10 device joined to AAD is a personal device. Shared devices aren't really catered for in the same way.)

    If you are creating a web site integrating with AAD for login, it is your responsibility to also add a logout mechanism (there is an endpoint for that).

    On the MSFT sites there should be a logout button allowing you to sign out and sign in again with a different user. If this doesn't work, something is wrong. Now, if you have multiple tabs open, it might be that while you are signing out in one tab, a site refreshes in another tab and logs you in as the original user.

    The annoying scenario with the autologin is that it creates more friction if you have a consultant-type setup where you have a number of identities for signing in, but all the sites insist on using the "default identity" - kind of annoying...

    Tuesday, April 4, 2017 6:53 PM
  • I am using Windows 7.

    I have a logout in my website; I have also tried it.

    portal.azure.com works the same way as my website.

    Let's continue with the scenario in the last comment. I can sign out the user from portal.azure.com, then I will be redirected to the sign-in page; here, if I put in another user (ken@mysite.com; actually it can be anything@mysite.com), it will automatically log in as tom@mysite.com, who was signed out from portal.azure.com just now.

    I think the challenge is the following. When either Ken or Tom is trying to sign in to portal.azure.com, it detects that the user has the same domain as the Windows credential (an on-premises Active Directory user connected with Azure AD), then a popup window shows up, and any user within the same domain (such as tom@mysite.com) is able to sign in successfully. Since then the user essentially can't be signed out unless you remove the cookie manually, and if I try to sign in as anything@mysite.com (notice they have the same domain), Azure AD will automatically sign me in as tom@mysite.com without asking for a password.

    Any advice?


    • Edited by Kayn Z Tuesday, April 4, 2017 8:34 PM
    Tuesday, April 4, 2017 8:33 PM
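    The two app-side pieces the replies above ask for (a real sign-out that also ends the Azure AD session, and a sign-in that does not silently reuse whatever identity Azure AD has cached) as an added example; this is not code from the thread or from Microsoft. It assumes the documented login.microsoftonline.com v2.0 OpenID Connect endpoints and hypothetical values for the tenant, client_id and redirect URIs; the id_token claims are constructed, and signature validation is assumed to have happened before check_signed_in_identity runs.

    ```python
    from urllib.parse import urlencode

    AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


    def build_logout_url(tenant: str, session: dict, post_logout_redirect_uri: str) -> str:
        """Clear the app's own session, then redirect the browser to the Azure AD
        end-session endpoint. Clearing only the local cookie leaves the Azure AD
        SSO cookie in place, which is the 'still signed in as Tom' behaviour."""
        session.clear()
        query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
        return f"{AUTHORITY.format(tenant=tenant)}/logout?{query}"


    def build_login_url(tenant: str, client_id: str, redirect_uri: str, state: str,
                        nonce: str, login_hint: str = "", force_credentials: bool = False) -> str:
        """Authorization request that asks Azure AD not to silently reuse the
        cached session: prompt=select_account shows the account picker,
        prompt=login forces a fresh credential prompt for the hinted user."""
        params = {
            "client_id": client_id,
            "response_type": "code",
            "redirect_uri": redirect_uri,
            "scope": "openid profile",
            "response_mode": "query",
            "state": state,   # anti-CSRF value bound to the browser session
            "nonce": nonce,   # echoed in the id_token; checked on callback
            "prompt": "login" if force_credentials else "select_account",
        }
        if login_hint:
            params["login_hint"] = login_hint
        return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"


    def check_signed_in_identity(claims: dict, expected_username: str) -> bool:
        """After the id_token has been validated, confirm the identity Azure AD
        returned is the one the user asked for. 'Asked for ken, got tom' is a
        mismatch the app must reject instead of creating a session for tom."""
        actual = claims.get("preferred_username", "")
        return actual.casefold() == expected_username.casefold()
    ```

    The tenant-level SSO cookie is still outside the app's control; the logout redirect and the identity check only make sure the app itself never keeps, or accepts, a session for the wrong user.
    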
  • Closing the Firefox browser will remove the cookie and sign the user out, but IE and Chrome won't.
    • Edited by Kayn Z Tuesday, April 4, 2017 9:03 PM
    Tuesday, April 4, 2017 9:02 PM
  • Have you considered using InPrivate mode? Unfortunately, we cannot guarantee that the application itself does not cache the credentials used to log in. I think that is what is happening in this case. I believe if you use Incognito or InPrivate mode you should be able to get what you desire.

    Make sure you set an exception for the access panel extension to run in inprivate, though, otherwise SSO will not work as you want it to.

    Cheers,

    Adam.


    Adam Steenwyk | Senior Program Manager | asteen@microsoft.com

    Tuesday, April 4, 2017 9:35 PM
  • For a developer, I can overcome this, but for a customer, it is all default behavior for IE and Chrome, and it is not ideal for Firefox either. I am not sure if you see how serious this case is: we are a big company and have moved some apps to use SSO with Azure AD, but I feel it is hard to continue with this issue. In my opinion, for any app (now even for Azure itself), if you sign out, it should be possible to sign in with another user no matter whether they are in the same directory with the same domain or not. It is not only the behavior of our app but also of Azure, Office 365... I am sure somebody else is also experiencing the same issue.
    Wednesday, April 5, 2017 12:51 PM
  • I think it is the way Microsoft implements SSO; I don't have too many choices. But please bring up my concern if possible, because that means anybody who uses your machine can sign in to Azure AD with your Windows credential, and you basically have no easy way to prevent this by signing out from Azure AD.
    • Edited by Kayn Z Wednesday, April 5, 2017 2:49 PM
    Wednesday, April 5, 2017 2:40 PM
  • Hi!

    First off - I really appreciate your continued follow up on this - it's a great discussion! Thank you :).

    Fortunately, I'm a member of the engineering team, and we're listening. It turns out Single Sign Out for password-vaulted applications is a very difficult problem to solve, because it needs to be custom coded for every single application. We do have an item for this that we are looking into, but no timelines to share right now, unfortunately.

    We will certainly take your feedback into account in our next planning cycle, though, and see what we can do to solve this issue a bit better for the variety of password SSO applications out there.

    That said, we cannot promise anything at this point, and at this time, we'd really suggest that if you want the deep integration you're after, that you look at using native SAML federation for as many of these applications as possible.

    If you want to add SAML support for a specific application that you are currently using password single sign on for, please point the vendor of the application to this documentation and have them reach out to us. You, as the consumer of the application, can exert pressure on them to natively integrate.

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-app-gallery-listing

    Alternatively, you can use the "bring your own" application experience to custom integrate any SAML-supporting application with Azure AD, so that you get true single sign-out. This includes any applications that you have developed in-house to support SAML. Of course, if you are developing applications, you can also use our OpenID Connect protocols to do this natively.

    https://blogs.technet.microsoft.com/enterprisemobility/2015/06/17/bring-your-own-app-with-azure-ad-self-service-saml-configuration-now-in-preview/

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization

    Lastly, here are a few videos which cover some of these concepts briefly, in the new portal.

    Thanks,

    Adam.


    Adam Steenwyk | Senior Program Manager | asteen@microsoft.com

    Wednesday, April 5, 2017 3:00 PM
  • I am so glad to contribute my case, thanks for your suggestions and sharing the links. I will come back to this conversation if I encounter more challenges.
    Wednesday, April 5, 2017 3:41 PM