How Azure AD Seamless Single Sign-On (SSO) Works?

There are 3 different methods which we can use to integrate on-premises Active Directory with Azure AD. 

• Pass Password hash synchronization

• Federation using Microsoft AD FS or PingFederate

• Pass-through Authentication 

All above methods allow on-premises users to use their existing domain user names and passwords in order to authenticate in to Azure AD integrated services. However, even users can use same user name and passwords, when they access Azure AD integrated services from corporate device (Domain member), they still have to authenticate via sign in page. Azure AD Seamless SSO allow users to access Azure AD integrated services via corporate devices without re-authentication. Azure AD Seamless SSO can use with password hash synchronization and pass-through authentication method. It is not supported to use with federated authentication method (AD FS already capable of provide SSO).

• Azure AD Seamless SSO feature can enable via Azure AD connect. So, it is not required any additional component in environment. 

• This is a free feature. We do not need to pay anything for it.

• Azure AD Seamless SSO works only in domain-joined devices (no need to be Azure AD join)

• If SSO process is fail for any reason, user can still authenticate using user name and password.

• It is supported to work with browser-based web applications and Office 365 clients with app versions 16.0.8730 and above.

• Azure AD Seamless SSO accepts user names as value associated with userPrincipalName attribute or Azure AD connect Alternate ID attribute. 

• Azure AD Seamless SSO uses the securityIdentifier claim in the Kerberos ticket to find the relevant user object in Azure AD.

• Once Azure AD Seamless SSO is enabled, if an application can forward domain_hint (OpenID Connect) or whr (SAML) parameter to identify tenant and login_hint (OpenID Connect) parameter to identify user, we can log in to Azure AD without typing user names. It is also possible if the application uses unique URL and pass the domain info or tenant info. 

• Once user is logged in via SSO, if required user can still sign out and log in as a different user at any time. 

Let’s go ahead and see how Azure AD Seamless SSO works during the authentication process. 

In above example, User is trying to access their company web portal using Domain Joined PC. This is hybrid setup and Company already have Azure AD Seamless SSO enabled via Azure AD connect. 

 

1. User type https://www.office.com in browser installed in corporate device and press enter. 

2. User is redirected to Azure AD sign in page.

3. The web application is not passing any domain info or tenant info, so user is typing username in to the Azure AD sign in page. 

4. Azure AD challenge browser via a 401 unauthorized response to provide a valid kerberos ticket.   

5. The browser in the computer then request a Kerberos ticket for AZUREADSSOACC computer account. This account is created in on-premises Active Directory (AD) when Azure AD connect is first configured for Azure AD Seamless SSO. This object represents the Azure AD. 

6. On-premises AD response with the Kerberos ticket for AZUREADSSOACC computer account. This is encrypted with computer account’s secret. 

7. Browser response back to Azure AD with the encrypted Kerberos ticket. 

8. Azure AD decrypts the Kerberos key using its decryption key. This key was shared with Azure AD when Azure AD Seamless SSO is first enabled on Azure AD connect. 

9. If it is valid ticket, Azure AD return a token back to browser by accepting access.

10. User successfully log in to company portal without typing the password again. 

 

We can simply enable this feature via Azure AD Connect.