Introduction to Seamless SSO
Password Hash Synchronization or Pass-through Authentication allows users to sign in to cloud applications with the same user name and password, but this is not “seamless” access: even though they use the same user name and password, users are still prompted for the password when signing in to Azure workloads.
Azure AD Seamless SSO automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don’t need to type in their passwords to sign in to Azure AD, and usually don’t even need to type in their user names.
- How does it work. Seamless SSO is enabled using Azure AD Connect. Once enabled, it creates a computer account named AZUREADSSOACC in on-premises AD. The computer account’s Kerberos decryption key is shared securely with Azure AD. Two Kerberos service principal names (SPNs) are created to represent the two URLs that are used during Azure AD sign-in.
- Considerations. Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods. Seamless SSO is not applicable to Active Directory Federation Services (ADFS). Seamless SSO needs the user’s device to be domain-joined, but does not need the device to be Azure AD joined.
- Deployment. Can be rolled out to some or all of your users using Group Policy.
- Features. 1) Seamless SSO is opportunistic, which means that if it fails, the sign-in experience falls back to its regular behavior, i.e., the user needs to enter their password to sign in. 2) It is supported on web browser-based clients and Office clients that support modern authentication, on platforms and browsers capable of Kerberos authentication, with some extra manual configuration for some of them. 3) Office 365 Win32 clients (Outlook, Word, Excel, and others) with versions 16.0.8730.xxxx and above are supported using a non-interactive flow.
1. The user accesses the application URL using a browser on a domain-joined device in the corporate network.
2. If the user is not already signed in, the browser is redirected to the Azure AD sign-in page, where the user types the user name.
3. Azure AD challenges the user via the browser with a 401 response asking for a Kerberos ticket.
4. The browser requests a Kerberos ticket for the AZUREADSSOACC computer object from on-premises AD. This account is created in on-premises AD as part of the setup process in order to represent Azure AD.
5. On-premises AD locates the AZUREADSSOACC computer object and returns to the browser a Kerberos ticket encrypted using the computer object’s secret.
6. The browser forwards the Kerberos ticket to Azure AD.
7. Azure AD decrypts the Kerberos ticket using the Kerberos decryption key (this was shared with Azure AD when the SSO feature was enabled).
8. After evaluation, Azure AD passes the response back to the user (including any additional steps that are required, such as MFA).
9. The user is allowed to access the application.
Roll over the Seamless SSO Kerberos decryption key
It is important to frequently roll over the Kerberos decryption key of the AZUREADSSOACC computer account (which represents Azure AD) created in your on-premises AD forest. We highly recommend that you roll over the Kerberos decryption key at least every 30 days to align with how Active Directory domain members submit password changes. As there is no associated device attached to the AZUREADSSOACC computer account object, the rollover needs to be performed manually.
Follow these steps on the on-premises server where you are running Azure AD Connect to initiate the rollover of the Kerberos decryption key.
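As an added example (not from the original article), the following script audits how old the AZUREADSSOACC key currently is, using the account’s PasswordLastSet attribute, and performs the rollover with the AzureADSSO module that ships with Azure AD Connect if the key is past the 30-day window. The module path, the $MaxAgeDays value and the use of $env:USERDNSDOMAIN as the forest name are assumptions; the script must run on the Azure AD Connect server with the ActiveDirectory RSAT module available.

```powershell
# Added example: audit the age of the Seamless SSO Kerberos decryption key and roll it
# over when it exceeds the recommended interval. Run on the Azure AD Connect server.
Import-Module ActiveDirectory

# Assumed default install path of the AzureADSSO module shipped with Azure AD Connect.
$ModulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
$MaxAgeDays = 30   # rollover interval recommended in the article

function Get-SeamlessSsoKeyAge {
    # Returns the age in days of the AZUREADSSOACC account's password, i.e. the secret
    # that encrypts the Kerberos tickets Azure AD later decrypts.
    param([string]$Server)
    $acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet -Server $Server
    if (-not $acc.PasswordLastSet) { throw 'AZUREADSSOACC not found or PasswordLastSet is unset' }
    return (New-TimeSpan -Start $acc.PasswordLastSet -End (Get-Date)).Days
}

function Invoke-SeamlessSsoKeyRollover {
    # Rolls over the decryption key in one on-premises forest and re-shares it with Azure AD.
    # New-AzureADSSOAuthenticationContext prompts for Azure AD Global Administrator credentials;
    # Update-AzureADSSOForest needs on-premises Domain Administrator credentials.
    param([string]$Forest)
    Import-Module $ModulePath
    New-AzureADSSOAuthenticationContext
    $onPrem = Get-Credential -Message "Domain Administrator for $Forest (DOMAIN\user format)"
    # Run Update-AzureADSSOForest only once per forest per rollover: running it repeatedly
    # invalidates tickets clients still hold until on-premises AD reissues them.
    Update-AzureADSSOForest -OnPremCredentials $onPrem
}

$forest = $env:USERDNSDOMAIN   # assumption: single-forest deployment
$age = Get-SeamlessSsoKeyAge -Server $forest
Write-Host "AZUREADSSOACC key age in $forest : $age day(s)"
if ($age -gt $MaxAgeDays) {
    Write-Warning "Key is older than $MaxAgeDays days; rolling it over now."
    Invoke-SeamlessSsoKeyRollover -Forest $forest
} else {
    Write-Host "Key is within the $MaxAgeDays-day rollover window; nothing to do."
}
```

The age check alone (Get-SeamlessSsoKeyAge) is safe to schedule as a read-only monitoring job; only the rollover function changes the account’s secret.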
What is the difference between the single sign-on experience provided by Azure AD Join and Seamless SSO?
Azure AD Join provides SSO to users if their devices are registered with Azure AD. These devices don’t necessarily have to be domain-joined. SSO is provided using primary refresh tokens (PRTs), not Kerberos. The user experience is best on Windows 10 devices. SSO happens automatically in the Edge browser. It also works in Chrome with the use of a browser extension.
You can use both Azure AD Join and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO from Azure AD Join takes precedence over Seamless SSO.