Forum Discussion

josh_bodner's avatar
josh_bodner
Former Employee
May 12, 2021

Dev channel update to 92.0.884.2 is live

Hello Insiders!  Today we’re releasing build 92.0.884.2 to the Dev channel.  Our biggest news isn’t with the Dev channel though; it’s that with the most recent Beta release, which brings it to versio...
rshupak's avatar
rshupak
Iron Contributor
May 12, 2021
This may not be new to this build but with Allow single sign-on for work or school sites using this profile enabled on edge://settings/profiles/multiProfileSettings, this site, https://techcommunity.microsoft.com/, will automatically sign in with my AAD account not my MSA account which is the account with which I am signed in to both Edge and Windows. There is no mechanism to select the account to use. With this option off, SSO doesn't occur and I am prompted to select the account, with my MSA filled in due I suspect to having the password saved in Edge. Clicking next does sign me in without further input.
  • josh_bodner's avatar
    josh_bodner
    Former Employee
    May 12, 2021

    rshupak oh and also, for the SSO issue, can you try clearing your cookies and seeing if that helps?  If you're signed into Edge with your MSA, you're right that it's what should be used for SSO instead of your AAD account, which makes me think that maybe your AAD credentials are just saved and being used, and so getting rid of them may help.  

    • rshupak's avatar
      rshupak
      Iron Contributor
      May 14, 2021

      josh_bodner 

       

      When AAD SSO is disabled, Edge sends the following, which I elided, on the first request to https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=09213cdc-9f30-4e82-aa6f-9b6e8d82dab3&redirect_uri=https%3A%2F%2Ftechcommunity.microsoft.com%2Fauth%2Foauth2callback&response_type=code&state=https%3A%2F%2Ftechcommunity.microsoft.com%2F&scope=User.Read+openid+email+profile+offline_access

       

      Cookie: ESTSAUTHLIGHT=+00000000-0000-0000-0000-000000000000; ESTSSC=00; esctx=...; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; brcap=0; ESTSAUTHPERSISTENT=...; ESTSAUTH=...; ch=...; buid=...; fpc=...; clrc={...]}

       

      When AAD SSO is enabled, the Cookie header is not sent but the following is

       

      x-ms-RefreshTokenCredential: ey...n0.ey...d4

       

      It seems that with one or the other, there is no way this can work well for sites that support both AAD AND MSA since they are not provided with both credentials in order to present the user with a choice. As implemented right now, I need to change the Edge setting off to allow signing in with the MSA at all since otherwise the AAD account is selected. Some sites, such as this one, don't even allow a choice after signing out. In contrast, Edge will select AAD with no user choice on https://portal.azure.com/ or https://www.office.com/ but after being signed in you can sign out and then are presented with a choice immediately (portal.azure.com) or for the next sign in (http://www.office.com/)

       

       

       

    • rshupak's avatar
      rshupak
      Iron Contributor
      May 14, 2021
      It occurs on multiple devices and channels all of which are configured to clear all but a few cookies on exit and no login cookies are preserved. It is in part a problem with this site as I have had this problem with the old Edge both here and on a few other Microsoft sites. It can be done correctly since some sites work. It seems worse with the new Edge feature which is also broken on https://www.office.com and https://portal.azure.com. https://developer.microsoft.com/en-us/graph/graph-explorer is one site which defaults to the AAD account but prompts for account selection before signing in.
      • josh_bodner's avatar
        josh_bodner
        Former Employee
        May 22, 2021

        rshupak for the settings page crashing when you search, we've actually made a few fixes this week that should make their way into next week's Dev.  A couple of those crashes were only on Mac, and I use Windows machines, so that's likely why I wasn't seeing them.  

         

        As for the SSO behavior, I think I may have initially misunderstood what your problem was.  The setting to "Allow single sign-on for work or school sites using this profile" actually forces SSO using your AAD account when it's turned on since AAD is the same as a work/school account (and thus MSA equals personal).  So, since it sounds like that setting is working as intended, I think the problem is maybe that this website support both kinds of logins, and thus the problem is with the site?  If so, that's feedback you should definitely give to the site.  

Resources