Forum Discussion
EricStarker
Nov 15, 2017 | Former Employee
The new Azure AD sign-in and “Keep me signed in” experiences rolling out now!
We're excited to announce that the general availability rollout of the new Azure AD sign-in and “Keep me signed in” experiences has started! These experiences should reach all users globally by the e...
Unnie
Dec 20, 2017 | Iron Contributor
Current set up
We have a SharePoint Online site with auto acceleration enabled. Our Azure AD is federated with on-premise ADFS. We have seamless SSO working in IE, where the user does not need to type any username or password.
Problem statement:
By default, when the user logs in through IE, only a session cookie is generated, so when the user closes the browser and reopens it, the user is authenticated again. Also, the new KMSI (Keep me signed in) screen is not displayed to the user during the login experience in IE, so there is no way for the user to generate a persistent cookie which works across multiple sessions. In Chrome, the user can see the KMSI screen and hence persistent cookies can be generated.
Questions:
Is there a way by which a global admin can configure it such that all users by default get persistent cookies instead of session cookies, so that they don’t even need to click “yes” in the KMSI screen?
I saw the blog below, which says to create a custom claim rule in ADFS to issue the Persistent SSO claim. But again, the last line of the blog says “As of right now, AAD does not support SAML based use of the Persistent Single Sign On Claim / SAML attribute.” So, is this blog relevant now?
https://blogs.technet.microsoft.com/sposupport/2017/09/16/cookie-persistence-in-sharepoint-online/
Kelvin Xia
Microsoft
Dec 20, 2017
Hi Unnie, thanks for the breakdown.
What are you trying to achieve with persistent cookies? If you have seamless SSO set up, every time your user goes to the SharePoint site they will SSO automatically, which makes the need for a persistent cookie unnecessary.
- Unnie | Dec 20, 2017 | Iron Contributor
It's the performance. Our home page for IE is an SPO-based intranet and it loads slowly because of the authentication hops from the site --> Microsoft login --> on-prem ADFS and then the journey back. The user can see the URLs changing and it takes a good 8-10 secs every time the browser is opened.
- Kelvin Xia | Jan 03, 2018 | Microsoft
Hi Unnie, you can configure ADFS to pass the Persistent SSO (PSSO) claim so that Azure AD will automatically drop persistent cookies. That should get you what you need. You can find more information about PSSO here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings
- Kelvin Xia | Dec 22, 2017 | Microsoft
Thanks for the details. We're going to take a look into this early next year once the team gets back into the office after the holidays.
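One way to configure the PSSO claim mentioned in Kelvin Xia's Jan 03 reply, as an added example that is not part of the original thread and not Microsoft's own script. It assumes the Azure AD relying party trust still has the default name `Microsoft Office 365 Identity Platform`, and it scopes the claim to intranet sign-ins so that browsers on external or shared devices keep session-only cookies; run it on the primary AD FS server.

```powershell
# Added example. Assumption: the Azure AD trust uses the default display name.
$rpName = 'Microsoft Office 365 Identity Platform'

# Issue the PSSO claim only when AD FS marks the request as coming from
# inside the corporate network; extranet sign-ins get no persistent cookie.
$pssoRule = @'
@RuleName = "Issue PSSO claim for intranet sign-ins"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/2014/03/psso", Value = "true");
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

$existing = $rp.IssuanceTransformRules
if ($existing -match [regex]::Escape('http://schemas.microsoft.com/2014/03/psso')) {
    # Idempotent: do not add a second rule if one already references PSSO.
    Write-Output 'A rule referencing the PSSO claim already exists; nothing changed.'
}
else {
    # Save the current rule set so the change can be rolled back.
    $backup = Join-Path $env:TEMP ("rp-rules-{0:yyyyMMddHHmmss}.txt" -f (Get-Date))
    Set-Content -Path $backup -Value $existing

    Set-AdfsRelyingPartyTrust -TargetName $rpName `
        -IssuanceTransformRules ($existing + "`r`n" + $pssoRule)
    Write-Output "PSSO rule appended. Previous rules saved to $backup"
}
```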