Enterprise automatic authentication techniques #36
I worked on the native integration of AAD SSO in Chrome (i.e. the CloudAPAuthEnabled policy) and tested the feature using these instructions, so I can chime in. I didn't notice any functional regressions with bounce tracking mitigations enabled. I confirmed that bounce tracking mitigations delete the Microsoft IdP site state for AAD SSO if the user never interacts with the IdP within the browser (e.g. by navigating to https://portal.azure.com), but the user is automatically re-authenticated and redirected to the signed-in page. I didn't dig into the performance impacts, but from manual testing the mitigation doesn't seem to add significant latency to the authentication flow.
There are a number of ways enterprises may automatically authenticate users on a site:
All of these pose a challenge for bounce tracking mitigations because the user will often be redirected through the authentication domain, but will not need to interact because of the automatic mechanism. This largely looks like tracking to the browser.
That being said, it's unclear how severe the impact of deleting storage for these sites would be. In theory the automatic authentication would simply log the user in again. It seems plausible that there might be minimal functional breakage but some kind of performance regression.
Also, given these all seem like managed enterprise tools it seems possible that an enterprise policy to specify domains to exempt from bounce tracking mitigations could also be applied. It would be preferable to come up with a more organic way to support these use cases without requiring admin effort, though.
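A small model of why an automatic SSO bounce "looks like tracking to the browser", and of the policy exemption floated above, added here as an illustration; it is not code from the nav-tracking-mitigations project or from any browser. The hostnames, the redirect chain, and the `exempt_sites` allowlist are constructed, and the site-from-host split is a simplification that ignores the public suffix list.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Hop:
    """One navigation in a redirect chain (constructed for this example)."""
    url: str
    stateful: bool = False  # did this hop read or write cookies/storage?

def site_of(url: str) -> str:
    # Simplified "site": last two host labels. Real browsers consult the
    # public suffix list; this shortcut is an assumption of the example.
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def bounce_tracking_candidates(chain, interacted_sites, exempt_sites=frozenset()):
    """Sites whose storage a bounce tracking mitigation would delete.

    A site is a candidate when it is an intermediate hop (neither the
    origin nor the final destination), it touched storage during the
    bounce, and the user has never interacted with it. exempt_sites
    models the enterprise policy allowlist the issue floats.
    """
    if len(chain) < 3:
        return set()
    endpoints = {site_of(chain[0].url), site_of(chain[-1].url)}
    candidates = set()
    for hop in chain[1:-1]:
        s = site_of(hop.url)
        if s in endpoints or not hop.stateful:
            continue
        if s in interacted_sites or s in exempt_sites:
            continue
        candidates.add(s)
    return candidates

# Constructed automatic SSO flow: the app bounces through the IdP, which
# signs the user in from policy-provided credentials (no clicks or typing)
# and redirects straight back to the app.
SSO_CHAIN = (
    Hop("https://app.example.com/dashboard"),
    Hop("https://login.example-idp.com/authorize?client=app", stateful=True),
    Hop("https://app.example.com/dashboard?code=xyz"),
)

if __name__ == "__main__":
    # No prior interaction: the IdP looks like a tracker -> {'example-idp.com'}
    print(bounce_tracking_candidates(SSO_CHAIN, set()))
    # Prior interaction or a policy exemption spares it -> set()
    print(bounce_tracking_candidates(SSO_CHAIN, set(), {"example-idp.com"}))
```

The first call reproduces the behaviour reported in the comment (IdP state purged, after which the automatic re-authentication would simply run again); the second shows how a domain exemption or a recorded user interaction keeps that state.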