Forum Discussion
SSO to Office 365 with Chrome
Just a few ideas; not sure if this is really related to the issues you describe, or better said, it's hard to say without traces ;).
Possibility 1:
There have been recent changes in the Chrome security model (related to cookie handling) which basically impact multiple Microsoft cloud endpoints.
Microsoft article:
https://docs.microsoft.com/en-us/office365/troubleshoot/miscellaneous/chrome-behavior-affects-applications
See the recommendations in this article if using ADFS for federated authentication.
Ping Identity summarizes this:
https://support.pingidentity.com/s/question/0D51W00007WSOmpSAH/google-chrome-vsn-80-new-browser-security-model-may-impact-sso
So depending on your IDP (you mentioned federated authentication) you might have to run some updates.
Possibility 2:
It depends on your setup, but in most environments the user/browser requests a Kerberos ticket to authenticate against the federation service. There might be an issue. One easy way to check on the client whether there is a valid ticket is the klist command-line tool, which will show you all cached tickets.
If there is no ticket, either the request to the domain controller failed, or it is some browser setting, like the IDP URL not being in your trusted sites config, etc.
Possibility 3:
You have a conditional access control in place which requires a managed device or AAD hybrid joined device. In this case you need the MS Accounts extension installed in the Chrome browser and the device must be either AAD hybrid joined or Intune managed.
hth,
Claus
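
An added example for Possibility 1, not part of the original reply: a small Python check that classifies `Set-Cookie` headers captured from an IdP by how Chrome 80+ treats them on a cross-site request, such as the form POST that returns a federated sign-in response. The cookie names and values are constructed sample data, and the verdict labels are this example's own.

```python
# Added example: classify IdP cookies under the Chrome 80+ SameSite rules.
# All cookie names/values below are constructed sample data.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header):
    """Return (cookie name, verdict) for a cross-site POST to the IdP."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # SameSite=None is only honoured together with the Secure flag.
        if "secure" in attrs:
            return name, "sent"
        return name, "rejected-by-browser"
    if samesite == "strict":
        return name, "never-cross-site"
    # Lax, or no SameSite attribute (Chrome 80+ defaults to Lax): the cookie
    # goes out on top-level GET navigations but not on a cross-site POST.
    return name, "dropped-on-cross-site-post"


def audit(headers):
    """Classify every captured Set-Cookie header."""
    return dict(cross_site_verdict(h) for h in headers)


SAMPLE_HEADERS = [  # constructed
    "IdpSession=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "LegacyAuth=def456; Path=/; Secure; HttpOnly",
    "OldNone=ghi789; Path=/; SameSite=None",
    "StrictPref=1; Path=/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{cookie:12} {verdict}")
```

Cookies that come back as anything other than `sent` are the ones to compare against the IdP vendor's update notes.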