This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 47%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
In my application, silent SSO sign-in isn't working as expected. When I log in on one tab and then open a new tab, I get the following error: no_account_error: No account object provided to acquireTokenSilent and no active account has been set. The error is occurring when I call the acquireTokenSilent function and as a result is making me login again. The relevant code is below. Also to note I'm using session storage as well
const response = await this.msalService.instance.handleRedirectPromise();
if(response!== null && response.account !== null) {
this.msalService.instance.setActiveAccount(response.account);
return
}
const accounts = this.msalService.instance.getAllAccounts();
if(accounts.length > 0) {
this.msalService.instance.setActiveAccount(accounts[0]);
}
const silentRequest = {
scopes: ["User.Read"],
}
const result = this.msalService.acquireTokenSilent(silentRequest).subscribe({
next: (result) => {
console.log("acquireTokenSilent response:", result);
},
error: (error) => {
console.error("acquireTokenSilent error:", error);
this.loginRedirect({})
}
})
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello Ahmad Mujeeb, This behavior is expected.
When the browser is completely closed, the MSAL cache is deleted when utilizing sessionStorage. There is no cached account after reopening the browser, which leads to: No account object was supplied to acquireTokenSilent.An account in the MSAL cache is necessary for acquireTokenSilent(). It cannot automatically use the Entra ID session if there is no account.
To enable SSO following a browser restart:
localStorage.ssoSilent() (or loginRedirect()) when the program launches.Restart SSO cannot be accomplished with sessionStorage alone. By design, MSAL.js is meant to behave in this way.
Let me know if any further queries - feel free to reach out!
Hello Ahmad Mujeeb Following up to see if the above provided information was helpful. If you have any further queries do let us know.
I think that u can’t caz the iframe only reads it if the IDP allows 3rd‑party cookies.
so are you saying from your point of view there's no way to solve this problem?
I mean… silent SSO only works if MSAL still has its acct cache and the iframe can read the IDP cookie, and we just can’t push those from the app side…
Is there any workaround for this? There has to be a way to keep SSO working even after the user closes the browser and comes back later, so they don't have to log in again — right? Like it doesn't even have to be through silent SSO but still there must be another way right?
Also another thing I found is if I replace aquireTokenSilent with ssoSilent it will keep the session going even when I open a new tab. But when I close the browser and reopen the browser it will still error and say "A silent sigin-in request was sent but no user is signed in"
I think that ssoSilent works across tabs only cuz the IDP cookie is still around… once u close the browser the sessionStorage cache + the cookie context are both gone, so msal has nothing to run silent with. if u need it to survive a full restart u kinda have to move the cache to localStorage.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
By default msal stores token in session cache which is not shared between tabs. You must configure msal to to use local storage instead which is shared:
https://learn.microsoft.com/en-us/entra/msal/javascript/browser/caching
Even if I used localStorage, closing and reopening the browser would still prompt me to log in again, so it wouldn't be true SSO. That's why I was looking into silent SSO as a solution
I think silent SSO wont hold on sessionStorage and u need localStorage + a tiny BroadcastChannel ping to pre-hydrate the acct ctx or MSAL stays blind. sorry if i was wrong.
Hi, thanks for getting back to me! I just wanted to clarify, as I think there may have been a slight misunderstanding. I'm not looking to use Local Storage at all — only Session Storage. The reason I'd like to implement silent SSO is so that if a user closes and reopens the browser, they're automatically logged back in without needing to login again. Hope that clears things up!
I get u now… but...I think sessStorage clears on close so MSAL has no acct ctx for silent SSO. u’d need localStorage/cookie to keep login after restart.
I was thinking about how to use the Entra ID session cookie for silent token acquisition through the acquireTokenSilent function, but I'm not sure how to do it. Do you know what next steps I can take to get SSO working with Azure, so that when a user closes the browser and comes back later, they are still logged in? Right now in my code I'm just getting the error listed above
msal cant realy use the entraid sess-cookie by itself, so after browser close theres no acct ctx left. to keep restart-SSO u need some persistantt cache (localStorage/cookie/redirect flow), sessStorage alone just cant hold it.
just to add.. entraID sess-cookie only works in redirect/iframe; acquireTokenSilent never hits the IDP so it cant use it, and w/o the msal acct cache silent SSO is basicaly impossible I think.
But if I use localstorage once you close the browser and open the browser again it would make me login again and show that error again of.
no_account_error: No account object provided to acquireTokenSilent and no active account has been set.
Like how exactly would I then do silent SSO then?
silent SSO won’t survive a restart since MSAL has no acct until a redirect/iframe login reads the IDP cookie, so localStorage can’t stop the no_account_error.
so how do I get the iframe to read the IDP cookie?