
Enterprise automatic authentication techniques #36

Open
wanderview opened this issue Mar 29, 2023 · 1 comment
Labels
at-risk-use-case Use cases that may break with mitigations applied. bounce-tracking Issues related to bounce tracking mitigations.

Comments

@wanderview
Collaborator

There are a number of ways enterprises may automatically authenticate users on a site:

  • Browser extensions (e.g. the Windows Accounts extension)
  • TLS certs installed via MDM
  • Native integration of authentication mechanisms in the browsers (AAD, etc)

All of these pose a challenge for bounce tracking mitigations because the user will often be redirected through the authentication domain, but will not need to interact because of the automatic mechanism. This largely looks like tracking to the browser.

That being said, it's unclear how severe the impact of deleting storage for these sites would be. In theory the automatic authentication would simply log the user in again. It seems plausible that there might be minimal functional breakage but some kind of performance regression.

Also, given these all seem like managed enterprise tools, it seems possible that an enterprise policy to specify domains to exempt from bounce tracking mitigations could also be applied. It would be preferable to come up with a more organic way to support these use cases without requiring admin effort, though.

@wanderview wanderview added bounce-tracking Issues related to bounce tracking mitigations. at-risk-use-case Use cases that may break with mitigations applied. labels Mar 29, 2023
@iruvinov

I worked on the native integration of AAD SSO in Chrome (i.e. the CloudAPAuthEnabled policy) and tested the feature using these instructions, so I can chime in.

I didn't notice any functional regressions with bounce tracking mitigations enabled. I confirmed that bounce tracking mitigations delete the Microsoft IdP site state for AAD SSO if the user never interacts with the IdP within the browser (e.g. by navigating to https://portal.azure.com), but the user is automatically re-authenticated and redirected to the signed-in page.

I didn't dig into the performance impacts, but from manual testing the mitigation doesn't seem to add significant latency to the authentication flow.
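The following is an added example, not Chromium's bounce tracking code and not something either commenter posted. It is a simplified model of the heuristic both comments describe: a site reached only as a redirect hop, which writes storage and never receives user interaction, has its storage cleared. An automatic SSO redirect through an IdP and a classic redirect tracker look identical under that rule, which is the problem the first comment raises; the model also includes the enterprise exemption list the first comment proposes, and shows that a user interaction on the IdP site (the condition the second comment tested) keeps its storage. The domain names, the 30-day interaction window, the timestamps and the hop data shape are assumptions for illustration.

```javascript
// Added example (not Chromium's implementation): a simplified model of the
// bounce tracking heuristic discussed in the issue, plus an enterprise
// exemption list. Domain names, the window and timestamps are assumptions.

const INTERACTION_WINDOW_MS = 30 * 24 * 60 * 60 * 1000; // assumed grace period

class BounceTrackingModel {
  constructor({ exemptSites = [] } = {}) {
    this.exemptSites = new Set(exemptSites);   // sites exempted by policy
    this.lastInteraction = new Map();          // site -> last user activation time
    this.statefulBounces = new Map();          // site -> first stateful bounce time
  }

  // The user clicked, typed or otherwise activated a page on `site`.
  recordInteraction(site, now) {
    this.lastInteraction.set(site, now);
  }

  // A navigation chain: hops[0] is the page the user started on, the last hop
  // is where they landed, everything in between is a redirect hop.
  // Each hop: { site, wroteStorage, userInteracted }.
  recordNavigation(hops, now) {
    for (const hop of hops) {
      if (hop.userInteracted) this.recordInteraction(hop.site, now);
    }
    for (const hop of hops.slice(1, -1)) {
      // A redirect hop that set cookies/storage without user activation is a
      // stateful bounce. The browser cannot tell an automatic SSO redirect
      // from a tracker at this point.
      if (hop.wroteStorage && !hop.userInteracted && !this.statefulBounces.has(hop.site)) {
        this.statefulBounces.set(hop.site, now);
      }
    }
  }

  // Sites whose storage the mitigation would delete at time `now`.
  sitesToClear(now) {
    const result = [];
    for (const site of this.statefulBounces.keys()) {
      if (this.exemptSites.has(site)) continue;            // enterprise exemption
      const last = this.lastInteraction.get(site);
      if (last !== undefined && now - last <= INTERACTION_WINDOW_MS) continue;
      result.push(site);
    }
    return result.sort();
  }
}

// Constructed navigations: an automatic SSO bounce through an IdP, where the
// user never clicks because the browser authenticates for them, and a classic
// redirect tracker. Both look the same to the heuristic.
function buildModel(exemptSites) {
  const m = new BounceTrackingModel({ exemptSites });
  m.recordNavigation([
    { site: "intranet.example", wroteStorage: false, userInteracted: true },
    { site: "login.idp.example", wroteStorage: true, userInteracted: false }, // auto SSO
    { site: "app.example", wroteStorage: true, userInteracted: true },
  ], 1000);
  m.recordNavigation([
    { site: "news.example", wroteStorage: false, userInteracted: true },
    { site: "tracker.example", wroteStorage: true, userInteracted: false },
    { site: "shop.example", wroteStorage: false, userInteracted: true },
  ], 2000);
  return m;
}

// No policy: the IdP's state is cleared along with the tracker's.
function clearedWithoutPolicy() {
  return buildModel([]).sitesToClear(3000);
}

// IdP exempted by enterprise policy: only the tracker is cleared.
function clearedWithPolicy() {
  return buildModel(["login.idp.example"]).sitesToClear(3000);
}

// No policy, but the user interacted with the IdP directly within the window,
// which protects its storage without any admin effort.
function clearedAfterIdpInteraction() {
  const m = buildModel([]);
  m.recordInteraction("login.idp.example", 2500);
  return m.sitesToClear(3000);
}

console.log(clearedWithoutPolicy(), clearedWithPolicy(), clearedAfterIdpInteraction());
```

The model reflects only what the thread states: with no exemption the IdP is treated exactly like the tracker, and the two ways out are a policy entry or a real user interaction on the IdP site. Whether the automatic re-authentication after clearing costs noticeable latency is the performance question the thread leaves open.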
