cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSO to Office 365 with Chrome

bglmarks
Copper Contributor

‎Jan 04 2020 07:15 PM

‎Jan 04 2020 07:15 PM

SSO to Office 365 with Chrome

I am having a heck of a time trying to understand why SSO with Chrome is no longer working. 

 

We are federated and Auth works with Edge and IE, WIASupportedUserAgents are configured and SSO works if I use this address

 

https://portal.office.com?domain_hint=domain.com

 

If we hit https://portal.office.com I am requested to choose my identity and then it signs us on. One other details is we are using Alternate login ID's for Auth.

Labels:
27.6K Views
0 Likes
1 Reply
Reply
1 Reply
Claus Witjes

‎Jan 25 2020 01:23 AM

‎Jan 25 2020 01:23 AM

Re: SSO to Office 365 with Chrome

@bglmarks 

Just a few ideas, not sure if this is really related to the issues you describe or better saying hard to say without traces ;).

 

Possibility 1:

There have been recent changes in the Chrome security model (related to cookie handling) which basically impacts multi Microsoft cloud endpoints.

 

Microsoft article:

https://docs.microsoft.com/en-us/office365/troubleshoot/miscellaneous/chrome-behavior-affects-applic...

 

See recommendations in this article if using ADFS for federated authentication

 

Ping Identity summarizes this:

https://support.pingidentity.com/s/question/0D51W00007WSOmpSAH/google-chrome-vsn-80-new-browser-secu...

 

So depending on your IDP (you mentioned federated authentication) you might have to run some updates.

 

Possibility 2:

Depending on your setup, but in most environments the user/browser requests a Kerberos ticket to authenticate against the federation service. There might be an issue... one easy way to check on the client if there is a valid ticket is the klist command-line tool, which will show you all cached tickets.

If there is no ticket, either the request to the domain controller failed, or some browser settings.. like the IDP url is not in your trusted sites config.. etc.

 

Possibility 3:

You have a conditional access control in place which requires a managed device or AAD hybrid joined device. In this case you need the MS Accounts extension installed in the Chrome browser and the device must be either ADD Hybrid joined, or Intune managed.

 

hth,

 

Claus

 

 

 

0 Likes
Reply