Over the years, I’ve written a bunch about authentication in browsers, and today I aim to shed some light on another authentication feature that is not super-well understood: Browser SSO.

Recently, a user expressed surprise that after using the browser’s “Clear browsing data” option to delete everything, when they revisited https://portal.azure.com, they were logged into the Azure Portal app without supplying either a username or a password. Magic!

Here’s how that works.

When you select this option:

When the user next visits https://portal.azure.com, the server says “Hrm, I don’t know who this is, I better get them to log in.” And the user is redirected to a login page.

A user might assume that this page would prompt for their username and password. And that is, in fact, what happens if you launch https://portal.azure.com in a default Chrome or Edge InPrivate browser instance.

But if you’re in a non-Private Edge window logged in with a profile or in a Chrome browser with the Windows 10 Accounts extension installed, that login.microsoftonline.com page doesn’t need to bother the user for a username and password – either the browser (Edge) or the extension (Chrome) just says “Oh, a login page! I know what to do with that – here, have a token!” (Under the hood, the token may be sent to the identity provider via a browser-injected HTTP header, or supplied to the identity provider page’s JavaScript via an extension API.)

Signing in to the browser itself is a relatively new mechanism for enabling “Single Sign On”, a catalog of approaches that have existed in one form or another for decades, including Client Certificate Authentication, Windows Integrated Authentication, and now Browser SSO. The Edge team has a nice documentation page explaining the various SSO features posted here here.

Because the browser/extension supplies the token in lieu of the username / password into the login page, the login page says “Okay, we’re good to go, navigate back to the portal.azure.com page – the user has supplied proof of their identity.”

One factor that can confusing about browser SSO is the fact that vendors tend to only support automatic authentication for their own 1^st party login pages.

Microsoft Edge’s SSO automatically logs into web properties like https://portal.azure.com that rely on the Microsoft identity provider, while Google Chrome only does that if you install the Windows 10 accounts extension.

However, consider the Google version of this scenario:

1. Launch Chrome, using an @gmail.com profile.
2. Visit mail.google.com and look at your email
3. Hit CTRL+Shift+Delete and use the dialog to Clear Site Data for all time
4. Close the browser
5. Restart the browser
6. Visit mail.google.com and observe: You’re still logged in.
   Why? Because you’re logged into Chrome, and it supplies your browser identity token to Google’s website.

Now,

1. Launch Edge.
2. Visit mail.google.com, sign in if needed, and look at your email
3. Hit CTRL+Shift+Delete and use the dialog to Clear Site Data for all time
4. Close the browser
5. Restart the browser
6. Visit mail.google.com and observe: You have to log in again.
   Why? Because while you’re logged into Edge, Edge doesn’t supply your browser identity token to Google’s website.

Microsoft Edge does offer policies to control whether users may log into the browser itself.

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-2022, working on Office, IE, and Edge. Now a SWE on Microsoft Defender Web Protection. My words are my own, I do not speak for any other entity. View more posts