Throughout my journey of exploring authentication methods in web browsers, I’ve come across many intriguing aspects. Today, I want to delve into a particular feature that often flies under the radar: Browser Single Sign-On (SSO). Just recently, a user was taken aback when they discovered that after utilising the browser’s Clear browsing data option to wipe everything clean, they still found themselves logged into the Azure Portal app at https://portal.azure.com without needing to enter their username or password. It felt like magic!
So, how does this happen? When you choose to clear browsing data, your browser removes all stored cookies. Since a site's authentication state is usually carried in those cookies, this action typically signs you out of most websites. Indeed, if you check your cookie storage now, you'll find that all cookies for https://portal.azure.com have vanished. In a literal sense, this means you're no longer logged into Azure.
The Clear Site Data command has its limitations; one notable aspect is that it does not sign you out of the browser itself. If you take a look at the Avatar icon in the Edge toolbar, you'll notice that your profile's account remains signed in. So, when you navigate to https://portal.azure.com, the server does not recognise you ("Hmm, I'm not sure who this user is; I should prompt them to log in") and redirects you to the login page. You might expect this page to ask for your username and password.
Indeed, that's what occurs if you open https://portal.azure.com in Chrome without the extension, or in an Edge InPrivate window. However, if you're using a regular Edge window where you're signed into your profile, or browsing with Chrome equipped with the Windows 10 Accounts extension, things work differently.
In this scenario, when reaching the login.microsoftonline.com page, there’s no need for any username or password input from you. Instead, either Edge or the Chrome extension recognises it as a login request and automatically provides a token on your behalf! Behind the scenes, this token could be sent directly to the identity provider through an HTTP header injected by the browser or passed along via an extension API within JavaScript on that identity provider’s page.
The concept of signing into the browser itself to facilitate Single Sign-On (SSO) is a relatively recent development. It is part of a long-standing tradition of various authentication methods that have been around for many years. These methods include Client Certificate Authentication and Windows Integrated Authentication, with Browser SSO now joining their ranks. The Edge team has put together a helpful documentation page that outlines the different SSO features available, which you can find here.
When users log in with the browser extension present, it supplies the token instead of requiring a username and password on the login page. The login page then recognises that everything is in order and directs users back to portal.azure.com, confirming their identity in the process. The beauty of this system lies in its simplicity. However, one point that often causes confusion about browser SSO is that browser makers typically enable automatic authentication only for their own first-party login pages.
It’s worth noting an important update: this limitation was addressed with Chrome 111. More details can be found below.
Consider the experience of using Microsoft Edge and Google Chrome when it comes to Single Sign-On (SSO). With Edge, you can seamlessly access web services like https://portal.azure.com without needing to log in each time, thanks to its built-in integration with the Microsoft identity provider. In contrast, Google Chrome requires an additional step: SSO through the Microsoft login page is only available if you've installed the Windows 10 Accounts extension.
Now, let’s explore a similar situation within the Google ecosystem. Imagine launching Chrome with your @gmail.com profile. You visit mail.google.com to check your emails. After hitting CTRL + Shift + Delete, you clear all site data and close the browser. Upon restarting and revisiting mail.google.com, you’ll find that you’re still logged in. This happens because your Chrome session keeps you authenticated by providing your identity token directly to Google’s site.
Now shift gears and open Microsoft Edge instead. Navigate to mail.google.com and sign in if necessary; check your inbox as usual. If you then press CTRL + Shift + Delete to clear all site data again and restart the browser before returning to mail.google.com, you’ll notice something different: this time, you need to log in again. The reason behind this is that even though you’re signed into Edge, it doesn’t pass along your identity token to Google’s website.
It’s worth mentioning that Microsoft Edge has policies available for administrators who wish to control whether users can log into the browser itself. If preventing automatic sign-ins—and thus syncing settings like history and credentials—is a priority for you or your organisation, implementing such a policy could be a viable solution.
In Chrome version 111, a feature known as CloudAPAuth was introduced. When this feature is activated on Windows 10, the browser automatically incorporates the headers x-ms-DeviceCredential and x-ms-RefreshTokenCredential into requests directed at the login.microsoftonline.com authentication portal. This functionality is referred to by Chromium as the PlatformAuthenticationProvider.
When the feature is enabled and the browser is not running in Incognito or Guest mode, a navigation throttle appends the custom headers to navigations to login URLs; the list of login URLs is read from the Windows registry, with a hardcoded fallback used when the registry keys are absent. Notably, this implementation bears a striking resemblance to code the Edge team developed for the same purpose several years earlier.
As a result, users can achieve Single Sign-On (SSO) authentication for Microsoft websites within Chrome, even in the absence of the Windows Accounts browser extension. It is essential to highlight that both CloudAPAuth and the Windows Accounts extension extend beyond mere user authentication; they also furnish attestations regarding the device’s state, which Conditional Access can use to permit access exclusively to fully patched managed PCs for sensitive websites.
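To make the mechanism described above concrete (the redirect to the identity provider, the browser attaching its credential headers only for listed login hosts, and the cookie clearing that signs you out of the site but not the profile), here is a small simulation. It is an added example, not code from the post or from Chromium or Edge: the BrowserProfile class, the visit and scenarios helpers, the single-host login list and the placeholder header values are all constructed assumptions; only the two header names and the login host come from the text.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Header names quoted in the post for Chrome 111's CloudAPAuth throttle.
DEVICE_HEADER = "x-ms-DeviceCredential"
REFRESH_HEADER = "x-ms-RefreshTokenCredential"

# Login hosts the throttle decorates. Chromium reads these from the registry and
# falls back to a hardcoded list; this constructed stand-in holds only the host
# the post names, not the real list.
DEFAULT_LOGIN_HOSTS = frozenset({"login.microsoftonline.com"})


@dataclass
class BrowserProfile:
    """Hypothetical model of one browser profile's SSO-relevant state."""
    name: str
    signed_in: bool             # an account is signed into the profile (the Avatar icon)
    platform_sso: bool          # Edge natively, Chrome + Windows 10 Accounts extension, or Chrome 111 CloudAPAuth
    private_mode: bool = False  # InPrivate / Incognito / Guest window
    login_hosts: frozenset = DEFAULT_LOGIN_HOSTS
    cookies: dict = field(default_factory=dict)  # site host -> session cookie value

    def clear_browsing_data(self) -> None:
        """Clear browsing data removes site cookies but leaves the profile signed in."""
        self.cookies.clear()


def platform_auth_headers(profile: BrowserProfile, url: str) -> dict:
    """Model the navigation throttle: the headers the browser adds to this request."""
    host = urlparse(url).hostname or ""
    if profile.private_mode or not profile.signed_in or not profile.platform_sso:
        return {}
    if host not in profile.login_hosts:
        return {}  # never sent to arbitrary sites, only to the identity provider
    # Real values are opaque credentials bound to the device; placeholders here.
    return {DEVICE_HEADER: "<device-credential>", REFRESH_HEADER: "<refresh-token-credential>"}


def visit(profile: BrowserProfile, site_url: str,
          idp_url: str = "https://login.microsoftonline.com/") -> tuple:
    """Simulate loading a site. Returns (outcome, headers sent to the IdP)."""
    site = urlparse(site_url).hostname or ""
    if site in profile.cookies:
        return "cookie", {}  # the site recognises its own session cookie
    # The site does not know the user and redirects to the identity provider.
    headers = platform_auth_headers(profile, idp_url)
    if headers:
        # The IdP accepts the injected credential and sends the user back signed in.
        profile.cookies[site] = "session-from-sso"
        return "sso", headers
    return "prompt", {}  # username/password page


def scenarios() -> dict:
    """Replay the post's scenarios; each maps to the outcome a user would see."""
    results = {}
    edge = BrowserProfile("edge", signed_in=True, platform_sso=True)
    results["edge first visit"] = visit(edge, "https://portal.azure.com")[0]
    results["edge second visit"] = visit(edge, "https://portal.azure.com")[0]
    edge.clear_browsing_data()  # CTRL + Shift + Delete: cookies gone, profile still signed in
    results["edge after clear"] = visit(edge, "https://portal.azure.com")[0]
    results["edge inprivate"] = visit(
        BrowserProfile("edge", True, True, private_mode=True), "https://portal.azure.com")[0]
    results["chrome 110 no extension"] = visit(
        BrowserProfile("chrome-110", True, False), "https://portal.azure.com")[0]
    results["chrome 111 cloudapauth"] = visit(
        BrowserProfile("chrome-111", True, True), "https://portal.azure.com")[0]
    return results


if __name__ == "__main__":
    for scenario, outcome in scenarios().items():
        print(f"{scenario:26} -> {outcome}")
```

The "edge after clear" scenario reproduces the user's surprise: the cookie is gone, so the site redirects to the identity provider, but the throttle still attaches the profile's credential headers there and the user lands back on the portal signed in. The InPrivate and extension-less Chrome rows show the two conditions under which the throttle stays silent and the password prompt appears.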
Unlocking easy access with single sign-on (SSO) authentication in Maxthon is a convenient way to streamline your login experience.
Follow these steps to set it up:
1. Download and Install Maxthon: If you haven't already, download the latest version of the Maxthon browser from the official website and install it on your device.
2. Access Settings: Launch Maxthon and click on the menu icon located at the top-right corner of the browser window. From the drop-down menu, select “Settings.”
3. Navigate to Security Options: In the settings panel, look for a section labelled “Security” or “Privacy.” Click on this option to find your authentication settings.
4. Enable Single Sign-On: Within the security options, locate the toggle for “Single Sign-On Authentication.” Switch it on to enable SSO functionality.
5. Connect Your Accounts: Next, you will need to link your accounts that support SSO. Look for an option like Manage Connected Accounts, where you can add services such as Google, Facebook, or others that offer SSO capabilities.
6. Authenticate Your Accounts: Follow the prompts to log in to each service you’re linking through SSO. Ensure you allow permissions when prompted so that Maxthon can manage your logins seamlessly.
7. Test Your Setup: Once you’ve linked all desired accounts, open a new tab and visit websites that require login credentials covered by your connected accounts. You should be automatically logged in without needing to enter passwords manually.
8. Check for Updates Regularly: To ensure optimal performance and security with SSO integration, periodically check for updates within Maxthon’s settings.
By following these steps, you’ll enjoy simplified access across various platforms using single sign-on authentication in Maxthon!