Forum Discussion
Dev channel update to 92.0.884.2 is live
- josh_bodner, May 12, 2021, Former Employee
rshupak oh and also, for the SSO issue, can you try clearing your cookies and seeing if that helps? If you're signed into Edge with your MSA, you're right that it's what should be used for SSO instead of your AAD account, which makes me think that maybe your AAD credentials are just saved and being used, and so getting rid of them may help.
- rshupak, May 14, 2021, Iron Contributor
When AAD SSO is disabled, Edge sends the following, which I elided, on the first request to https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=09213cdc-9f30-4e82-aa6f-9b6e8d82dab3&redirect_uri=https%3A%2F%2Ftechcommunity.microsoft.com%2Fauth%2Foauth2callback&response_type=code&state=https%3A%2F%2Ftechcommunity.microsoft.com%2F&scope=User.Read+openid+email+profile+offline_access
Cookie: ESTSAUTHLIGHT=+00000000-0000-0000-0000-000000000000; ESTSSC=00; esctx=...; x-ms-gateway-slice=estsfd; stsservicecookie=estsfd; brcap=0; ESTSAUTHPERSISTENT=...; ESTSAUTH=...; ch=...; buid=...; fpc=...; clrc={...]}
When AAD SSO is enabled, the Cookie header is not sent but the following is:
x-ms-RefreshTokenCredential: ey...n0.ey...d4
It seems that with one or the other, there is no way this can work well for sites that support both AAD AND MSA since they are not provided with both credentials in order to present the user with a choice. As implemented right now, I need to change the Edge setting off to allow signing in with the MSA at all since otherwise the AAD account is selected. Some sites, such as this one, don't even allow a choice after signing out. In contrast, Edge will select AAD with no user choice on https://portal.azure.com/ or https://www.office.com/ but after being signed in you can sign out and then are presented with a choice immediately (portal.azure.com) or for the next sign in (http://www.office.com/)
- rshupak, May 14, 2021, Iron Contributor
It occurs on multiple devices and channels, all of which are configured to clear all but a few cookies on exit and no login cookies are preserved. It is in part a problem with this site as I have had this problem with the old Edge both here and on a few other Microsoft sites. It can be done correctly since some sites work. It seems worse with the new Edge feature which is also broken on https://www.office.com and https://portal.azure.com. https://developer.microsoft.com/en-us/graph/graph-explorer is one site which defaults to the AAD account but prompts for account selection before signing in.
- josh_bodner, May 22, 2021, Former Employee
rshupak for the settings page crashing when you search, we've actually made a few fixes this week that should make their way into next week's Dev. A couple of those crashes were only on Mac, and I use Windows machines, so that's likely why I wasn't seeing them.
As for the SSO behavior, I think I may have initially misunderstood what your problem was. The setting to "Allow single sign-on for work or school sites using this profile" actually forces SSO using your AAD account when it's turned on since AAD is the same as a work/school account (and thus MSA equals personal). So, since it sounds like that setting is working as intended, I think the problem is maybe that this website supports both kinds of logins, and thus the problem is with the site? If so, that's feedback you should definitely give to the site.