How does SSO happen SAMAccount Login on laptop and UPN login on Azure AD

Parin 2 Reputation points
2021-02-01T11:26:37.51+00:00

Hi Team,

I wanted to know how Single Sign-On works in the scenario below:

  1. I have a user who has a corporate device and uses the SamAccountName to log in to that device.
  2. The user is also synced to Azure AD and uses the UPN to log in to Azure applications.

Can Single Sign-On be achieved automatically after I just enable it in the Azure AD Connect wizard, i.e.:

When the user logs in to his corporate laptop using the SamAccountName, then opens a browser and goes to office.com, will office.com automatically log him in (based on the Kerberos ticket acquired earlier)?


1 answer

  Siva-kumar-selvaraj 15,556 Reputation points
    2021-02-02T18:12:05.547+00:00

    Hi @Parin Das ,

    Thanks for reaching out.

    Yes, Seamless Single Sign-On can be achieved when you "Enable single sign-on" through the Azure AD Connect wizard, as shown below:

    [Screenshot: seamless-sso.jpg]

    The Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) feature lets users automatically sign in when they are on their corporate devices connected to your corporate network. When enabled, users don't need to type in their passwords to sign in to Azure AD, and usually not even their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.

    Seamless SSO uses the securityIdentifier claim in the Kerberos ticket of the currently signed-in user to look up the corresponding user object in Azure AD.

    For example:

    • The user uses the "SamAccountName" (let's say "contoso/joel") to log in from the corporate device and tries to access the Outlook Web App - https://outlook.office365.com/owa/

    • Seamless SSO uses JavaScript in the background: Azure AD challenges the browser, via a 401 Unauthorized response, to provide a Kerberos ticket, and the browser in turn requests a ticket from Active Directory.

    • The browser forwards the Kerberos ticket it acquired from Active Directory to Azure AD.

    • Azure AD uses the securityIdentifier claim in the Kerberos ticket of the currently signed-in user to look up the corresponding user object (joel@companyportal.com) in Azure AD.

    • The user experiences seamless single sign-on. This article gives you technical details into how the Azure Active Directory Seamless Single Sign-On (Seamless SSO) feature works.

    Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods. Seamless SSO is not applicable to Active Directory Federation Services (ADFS).

    Reference:

    Refer to this article to know more about "What is Azure Active Directory Seamless Single Sign-On" and "how to deploy Seamless SSO".


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
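The flow described in the answer, as an added simplified model (not Microsoft's code or the page's own): the directory, the SID values, the ticket structure and the expected service name are constructed assumptions. It shows why the SamAccountName used at the Windows logon and the UPN used in the cloud do not need to match: the SID is the join key, and a ticket whose SID is not found (user not synced) falls back to an interactive sign-in.

```python
"""Simplified model of the Seamless SSO lookup (added example, not Microsoft code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory of users synced from on-premises AD to Azure AD.
# The link between the on-prem account and the cloud object is the SID
# (onPremisesSecurityIdentifier), not the SamAccountName or the UPN.
SYNCED_USERS = {
    "S-1-5-21-1111-2222-3333-1105": {"userPrincipalName": "joel@contoso.com",
                                    "onPremisesSamAccountName": "joel"},
}

# Assumed service name the Kerberos ticket must be issued for in this model.
EXPECTED_SPN = "HTTP/autologon.microsoftazuread-sso.com"


@dataclass
class KerberosTicket:
    service: str       # SPN the ticket was issued for
    sid: str           # securityIdentifier claim of the signed-in user
    sam_account: str   # "contoso\\joel" style name used at the Windows logon


def challenge() -> dict:
    """Azure AD's first response: 401 with a Negotiate challenge."""
    return {"status": 401, "WWW-Authenticate": "Negotiate"}


def resolve_user(ticket: KerberosTicket) -> Optional[str]:
    """Look up the Azure AD user by SID; None means no automatic sign-in."""
    if ticket.service != EXPECTED_SPN:      # ticket for the wrong service is rejected
        return None
    user = SYNCED_USERS.get(ticket.sid)     # SamAccountName/UPN are never compared
    return user["userPrincipalName"] if user else None


def seamless_sso(ticket: KerberosTicket) -> dict:
    """Run the challenge/ticket exchange and return the final response."""
    resp = challenge()
    if resp["status"] != 401 or resp["WWW-Authenticate"] != "Negotiate":
        return {"status": 500}
    upn = resolve_user(ticket)
    if upn is None:
        return {"status": 401, "fallback": "interactive sign-in"}
    return {"status": 200, "signed_in_as": upn}
```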