Forum Discussion
The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!
This new KMSI experience is completely rolled out now for a few weeks. We added some logic to hide the prompt if we detect that the login session is risky, if it's a shared machine or if SSO is set up. Can you please try logging in on an in-private/incognito browser and see if the prompt shows?
Hi Kelvin,
We have SSO set up and based on your statement, Microsoft has added logic not to show the prompt.
Is there a way we can show this prompt with SSO enabled? To your previous question, we have not set up ADFS to pass PSSO Claim for SharePoint.
Appreciate your help.
- Ivan54Apr 11, 2018Bronze Contributor
Sorry I'm a little late to the party, but I just didn't have time back when the thread started and I kind of forgot about it. But now that I've read through all the 3 pages I'm chiming in with my issues:
Our SSO with Chrome and IE worked fine somewhere last year. Probably due to these changes it stopped working flawlessly, but not completely.
My setup consisted of configured Trusted Zones, ADFS on 2012R2 (I remember doing something to get this working for Chrome on ADFS 2 years ago), MFA exemption for onPrem IP Range, AAD-Connect and some URL tricks, like using the WHR parameter (https://login.microsoftonline.com/?whr=mycustomdomain.com)
Then it stopped working flawlessly, and degraded to having to click the pre-populated UPN and getting automatically signed in again after every browser closure.
I believe to have improved the experience, by dropping the WHR parameter, after which the users only had to click the pre-populated UPN about once a day.
This is also my current status, as far as I remember. I've noticed that when I leave my computer running over night (no standby) and return in the morning, I'm signed out of office.com or other pages. There is a sign in button on that office.com sign out portal and when I click it, I'm automatically signed in again after a few redirects without further input. A negative side effect of all this is, that on the first browser open any additional Sharepoint sites are not opened automatically, since the first site hasn't fully authenticated yet.
SSO seems wo work with no issues on my home computer (Mac/Safari) where I get all the KMSI and MFA prompts and I stay signed for multiple weeks.
By reading through everything here I'll start digging in into the ADFS configuration (and this article https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings), but I'll appreciate any shortcuts you guys have to offer :) - Kelvin XiaApr 11, 2018MicrosoftFrom your description, it doesn't sound like PSSO is set up correctly, or it could be due to an interaction with some external site settings (as you pointed out).
I'm not familiar with how SharePoint handles internal vs external sites. I would recommend that you contact Office 365 or SharePoint support to help you with that. They would be the best resource to help you here. - Andy StephensApr 05, 2018Copper Contributor
Hi Kelvin,
Following on from my former posts it seems now that the biggest issue now is the number of times internal users are prompted for authentication whilst accessing a site within our tenant that is shared externally.
On sites that are not shared externally the experience is that you can access a site authenticate and then close and reopen the browser several times without being authenticated again. (no KMSI option it just works)
But for sites that are shared externally every time the browser is closed the user needs to choose the "account pick" screen when re-accessing the site.
So two questions:
1. Are the settings handled differently for externally shared sites rather than sites with only internal user access?
2. Is there another option other than enabling PSSO (if this even works) as we have security concerns about issuing a PSSO token..
Thanks
Andy
- Kelvin XiaApr 04, 2018MicrosoftTo be accurate: Sending the PSSO claim will suppress the KMSI prompt (since it's not needed as PSSO essentially says "Yes" to that question), and drops a persistent Azure AD token in your browser. SPO will use that persistent token.
- Bryan WellsApr 03, 2018Copper ContributorTo make sure I understand, sending the PSSO claim should suppress the "Keep Me Logged In" question from SharePoint Online and drop the persistent SPO cookies in my browser automatically, correct? MS Support seems stymied for the moment on this one.
- Kelvin XiaApr 02, 2018MicrosoftAzure AD does respect the PSSO claim even when it comes from a source besides ADFS. So, it should work in your case. I would recommend that you contact Microsoft support to take a look at what's going on.
- Bryan WellsMar 29, 2018Copper Contributor
I'm having a slightly different issue. We don't use ADFS for our IdP, (we use PingFederate instead), and I've configured it to pass "true" for both the psso and insidecorporatenetwork claims when a user authenticates through our SSO. While I can see the SamlAttributes appear in the conversation with Azure, it doesn't seem to affect anything: I still get prompted for "keep me signed in" if I clear my cookies first, and no persistent cookies are ever dropped on my computer. Does Microsoft have any guidance for those of us not using ADFS but still wanting those persistent cookies placed? We also have users that claim the KMSI prompt never appears, so having the SSO system do it for them is ideal.
- Daniel BillingtonMar 02, 2018Brass Contributor
Setting up this option seems to have resolved our issues. To be confirmed over the next week, but initial testing on premise, with Seamless SSO enabled, on W10 in Chrome, Firefox, IE and Edge looks positive.
If anyone needs the instructions to enable "Allow users to remember multi-factor authentication on devices they trust" they are here: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#remember-multi-factor-authentication-for-trusted-devices.
- Kelvin XiaMar 02, 2018MicrosoftHi Marco,
sorry for the delay. I had to sync with the Seamless SSO team to understand what's going on.
The correct way to ensure the user isn't always prompted with MFA when Seamless SSO is set up is for the user to check the "Don't ask me again for <x> days" checkbox on the MFA screen. This suppresses MFA for the duration called out. Note that <x> can be configured on MFA. - Marc DeboldFeb 26, 2018Copper Contributor
Kelvin Xia wrote:
Hi Marc,
Is the screen where your user has to click on a username the "Pick an account" screen?
I believe that what you're seeing is caused by a different change in our code. Can you please send me a Fiddler trace of a user running through the scenario you mentioned and seeing the "Pick an account" prompt? Please DM me the trace so we can look into it.
Thanks,
KelvinHi Kelvin,
yes, it is the "Pick an account" screen, that is displayed. I'll send the trace asap.
Marc
- Marco HinnigerFeb 26, 2018Brass Contributor
Hi Daniel Billington - we have exactly this issue since we enabled Azure MFA. Did you find any solution yet?
Kelvin Xia this is really a big annoyance for anyone using Seamless SSO and MFA. The KMSI dialogue does not show up if Seamless SSO ist enabled, which results in repeated MFA requests every time the browser is restarted. Once we disable Seamless SSO on the client side (Browser Intranet Zone), users see the KMSI and are able to stay signed in... no unnecessary MFA requests anymore. We still want to use both: Seamless SSO and MFA, but at the current state this is not possible. Whats the best practice if we want to combine both methods?
EDIT: we are not using AD FS, instead we are relying on Azure AD Connect.
- Kelvin XiaFeb 24, 2018MicrosoftHi Marc,
Is the screen where your user has to click on a username the "Pick an account" screen?
I believe that what you're seeing is caused by a different change in our code. Can you please send me a Fiddler trace of a user running through the scenario you mentioned and seeing the "Pick an account" prompt? Please DM me the trace so we can look into it.
Thanks,
Kelvin - Marc DeboldFeb 18, 2018Copper Contributor
Kelvin Xia wrote:
May I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.That's almost right, but: For SSO to work, you need to provide the username / email address / UPN (which may be saved, but has to be confirmed by clicking it) before SSO kicks in. This is the issue in our case.
Imagine the following (real-world) scenario: Customer is using a SharePoint Online document library to store attachments for his Navision users. So when clicking on a link in Navision to open such an attachment (mostly PDF documents), you would expect your PDF viewer to open. In the current situation, your browser opens asking for your login (which perhaps was saved before), you confirm it, SSO happens and the PDF opens. After doing whatever with the document, the user closes the PDF and the browser window. After that, he clicks the next link in Navision and the same happens ... browser, confirm username, SSO, PDF. Only by leaving open the browser (as a workaround), the annoying clicking and waiting can be bypassed.
This behavior most likely applies to any SharePoint related content storage ...
By using the persistent session token, a true SSO experience (as seen in the old version) could be setup again.
- Daniel BillingtonFeb 17, 2018Brass Contributor
Kelvin Xia wrote:
May I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.There is one case where it would be really useful to have KMSI available when using SSO and that is when Azure MFA is enabled, to allow to remain signed in without getting prompted for the MFA code each time the browser is launched. When outside the LAN the KMSI appears (since then SSO is not active), so no reason not to show KMSI when on the LAN.
Is there any thought to allow this? Thanks
- VasilMichevJan 05, 2018MVP
I don't think so, it will most likely not recognize the claim.
- Srikanth KomirishettyJan 05, 2018Brass Contributor
Hi VasilMichev, Thank you for the response. The old sign in page has "keep me signed in" check box that helps the user not be prompted to pick account or see login prompt the next time they re-launch the browser and access SharePoint site. The new UI has no such option any more.
The new ADFS version on Windows 2012 seems to have an option to create custom claim rules to issue PSSO claims that avoids "pick an account" prompt as shared by Kelvin Xia.
As you recommended, I researched and I was able to create a SMART link which does the same job as "keep me signed in" check box. The user has to browse this link once, interestingly it won't even prompt for UPN (password not required as we are SSO) and process sets the persistent cookie on the machine and he/she never needs to pick account going forward.
The question I have now is, Our organization would like to enable PSSO but we are on ADFS 2.0 and Windows 2008 R2. The article on this link describes how to configure ADFS to issue PSSO claims but not sure if this applies to Windows 2008 R2.
- Kelvin XiaJan 03, 2018MicrosoftHi Johannes, can you please private message me your email address and I'll reach out to you to get more information.
- Johannes BlohbergerJan 03, 2018Copper Contributor
Hi,
at one of my customers I have exactly the same problem like Srikanth Komirishetty. Every time the browser is closed and reopend the Account Picking window is showing.
- Kelvin XiaDec 20, 2017MicrosoftHi Srikanth, I'll reach out to you via DM to get more information so we can look into this.
- VasilMichevDec 19, 2017MVP
Srikanth Komirishetty do you happen to be using Smart links? Even with the old experience, without smart links configured you have to enter/select the UPN before federation happens. But you can construct "smart links" (basically an URL with added parameter for the domain) to bypass this process and have you log in automatically. Perhaps those are not working with the new experience?
- Srikanth KomirishettyDec 18, 2017Brass Contributor
Kelvin,
The reason I ask is, we get this window every single time when we close the browser. I need not enter my password but I have to click on my account (I have to pick every single time I close the browser). If I switch to old sign in experience, I can check the box to keep me signed in and it will never ask me to pick the account. As the old sign in page is going away, we need to provide our users a way to avoid picking account each and every time the re-open the browser. The only, I saw is with the prompt and that is why, I'm reaching you to see if we can enable that prompt on SSO.
- Kelvin XiaDec 18, 2017MicrosoftMay I know why you want to see the prompt even when SSO happens? By definition, when SSO'ed your user should just always automatically sign in without any interactive prompts. So, asking the user if they want to remain signed in doesn't really mean anything when SSO happens.