Enabling SSO for Chrome using Intune (Windows)
Updated: Feb 17
SUMMARY: |
Chrome is the most widely used browser in most environments, so it is worth giving users a seamless single sign-on experience in it. After the steps in this article, users on managed Windows devices are signed in automatically to websites that use Microsoft Entra ID (formerly Azure AD) as the identity provider (IdP), without re-entering their credentials. |
IMPORTANT: |
The steps in this article enable SSO with Microsoft Entra ID as the IdP. SSO applies only to the work or school account for which the device holds a primary refresh token (PRT); any other account is still prompted to sign in. |
Prerequisites
Devices must be Entra ID Joined, Hybrid-Joined, or Entra ID Registered. This is what gives the device a PRT; see Behind the Scenes below.
Chrome must support the CloudAPAuthEnabled policy (Chrome 111 or later on Windows).
The Google and Chrome ADMX files must be imported into Intune. See: How to Import Google Chrome ADMX Files into Intune
Steps to Enable SSO for Chrome

Open the Microsoft Intune admin center.
Navigate to Devices > Windows > Configuration.
Select + Create then + New Policy.
Platform: Windows 10 and later
Profile Type: Templates
Template Name: Imported Administrative Templates (Preview)
Select Create.
Name the deployment and optionally provide a description.

Select the Google folder.
If you don't see the Google folder, follow the steps in the link under the 2nd prerequisite above.

In the search bar, type automatic sign-in.
Select the only search result, Allow automatic sign-in to Microsoft cloud identity providers (this is the CloudAPAuthEnabled policy).
In the right-hand pane:
Select Enabled.
Select Enable Microsoft cloud authentication from the drop-down menu.
Select OK.
Select Next.
Finalize the configuration profile by selecting scope tags (optional), adding the assignment(s), and reviewing/creating it.
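Once the profile has applied to a test device, it is worth confirming both halves of the setup before telling users SSO is live: that Intune actually wrote the Chrome policy, and that the device holds a PRT for the signed-in user (without a PRT the policy does nothing). The script below is an added example written for this article; it is not part of the original page, Intune, or Chrome. It assumes the standard locations Windows uses for these facts: ADMX-backed Chrome policies land under HKLM:\SOFTWARE\Policies\Google\Chrome, and `dsregcmd /status` reports device join and PRT state. Run it in the signed-in user's own PowerShell session, because the PRT fields are per user.

```powershell
# Added example for this article (not original page, Intune, or Chrome code).
# Verifies that the Chrome SSO policy was delivered and that the device has a PRT.
# Assumptions: Chrome policy registry path and dsregcmd output field names as
# documented by Google and Microsoft; run as the signed-in user, not elevated SYSTEM.

function Test-ChromeEntraSso {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $policyName = 'CloudAPAuthEnabled'   # "Allow automatic sign-in to Microsoft cloud identity providers"

    $result = [ordered]@{
        PolicyPresent  = $false
        PolicyValue    = $null      # 1 = enabled, 0 = disabled
        JoinType       = 'None'
        HasPrt         = $false
        PrtUpdateTime  = $null
        Problems       = @()
    }

    # 1. Did Intune write the Chrome policy? ADMX-backed settings live under HKLM\SOFTWARE\Policies.
    $item = Get-ItemProperty -Path $policyPath -Name $policyName -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $result.PolicyPresent = $true
        $result.PolicyValue   = [int]$item.$policyName
        if ($result.PolicyValue -ne 1) {
            $result.Problems += "$policyName is present but set to $($result.PolicyValue); expected 1."
        }
    } else {
        $result.Problems += "$policyName not found under $policyPath; the Intune profile has not applied yet or targets the wrong group."
    }

    # 2. Device join state and PRT, parsed from dsregcmd /status ("Name : Value" lines).
    $fields = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined    = $fields['AzureAdJoined']    -eq 'YES'
    $domainJoined = $fields['DomainJoined']     -eq 'YES'
    $wpJoined     = $fields['WorkplaceJoined']  -eq 'YES'   # Entra ID Registered (work account added)

    if ($aadJoined -and $domainJoined) { $result.JoinType = 'Hybrid-Joined' }
    elseif ($aadJoined)                { $result.JoinType = 'Entra ID Joined' }
    elseif ($wpJoined)                 { $result.JoinType = 'Entra ID Registered' }
    else {
        $result.Problems += 'Device is not Entra ID Joined, Hybrid-Joined, or Registered; no PRT can exist.'
    }

    $result.HasPrt        = $fields['AzureAdPrt'] -eq 'YES'
    $result.PrtUpdateTime = $fields['AzureAdPrtUpdateTime']
    if (-not $result.HasPrt -and $result.JoinType -ne 'None') {
        # Common causes: signed in with a local account, no network at logon, or stale hybrid join.
        $result.Problems += 'AzureAdPrt is not YES for this user; Chrome cannot request a PRT cookie.'
    }

    [pscustomobject]$result
}

$check = Test-ChromeEntraSso
$check | Format-List

if ($check.Problems.Count -eq 0) {
    Write-Host 'Chrome SSO prerequisites look good. Open chrome://policy and confirm CloudAPAuthEnabled shows 1.' -ForegroundColor Green
} else {
    $check.Problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Two points about the design: the script reads the policy from the registry rather than asking Chrome, because that tells you whether Intune delivered the setting even when Chrome is closed; a final glance at chrome://policy confirms Chrome picked it up. It also separates "policy present" from "PRT present", since the most common support ticket after this rollout is a device that has the policy but no PRT (for example, a user signed in with a local account), which is a device-registration problem, not a Chrome one.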
Behind the Scenes - How it Works
So, how exactly does SSO work with Chrome? Below is a high-level, step-by-step walkthrough of what happens when a user opens a site after SSO is enabled. Let's first define some terms:
Term | Definition |
---|---|
PRT | A PRT (primary refresh token) is issued to the device at registration or Windows sign-in. It carries claims similar to those in a refresh token plus the device ID, and it is protected by a session key (kept in the TPM when the device has one). Windows uses the PRT to request refresh and access tokens in the background, which is what gives the end user SSO. |
CloudAP | "CloudAP is the modern authentication provider for Windows sign-in, that verifies users logging to a Windows 10 or newer device. CloudAP provides a plugin framework that identity providers can build on to enable authentication to Windows using that identity provider's credentials." -- Microsoft |
CloudAP Plugin | "A Microsoft Entra-specific plugin built on the CloudAP framework that verifies user credentials with Microsoft Entra ID during Windows sign-in." -- Microsoft "During Windows sign-in, the Microsoft Entra CloudAP plugin requests a PRT from Microsoft Entra ID using the credentials provided by the user. It also caches the PRT to enable cached sign-in when the user doesn't have access to an internet connection." -- Microsoft |
Step-by-Step Process
A device receives a PRT. When a device becomes Entra ID Joined, Hybrid-Joined, or Entra ID Registered, it is issued a PRT (primary refresh token):
Entra ID Joined or Hybrid-Joined: these devices receive a PRT when the user signs in to Windows.
Entra ID Registered: these devices receive a PRT when the user adds their work account to the device, for example through Settings > Accounts > Access work or school.
A user opens Chrome and navigates to a website that uses Entra ID as the IdP. The website redirects the browser to the Microsoft Entra login URL. Chrome, with CloudAPAuthEnabled set, checks that the URL is a Microsoft Entra sign-in endpoint and, if so, asks Windows for a PRT cookie instead of showing the user a sign-in prompt.
The CloudAP plugin creates a PRT cookie. The plugin already holds the device's PRT, so it can create a PRT cookie, signed with the PRT's session key, without the user signing in again.
The browser sends the PRT cookie to Microsoft Entra ID (in the x-ms-RefreshTokenCredential request header) to request an ID token.
Microsoft Entra ID sends back an ID token to the browser. "Microsoft Entra ID validates the Session key signature on the PRT cookie, validates the nonce, verifies that the device is valid in the tenant, and issues an ID token for the web page and an encrypted session cookie for the browser."
The browser signs the user into the website. With the ID token (and the session cookie for later requests), the browser completes sign-in without the user ever typing credentials.
See Microsoft's documentation on the primary refresh token for its full step-by-step description of this flow.