Enabling SSO for Firefox using Intune (Windows)
- Gareth Oxendine
- Feb 17
- 3 min read
Updated: Mar 9
Summary: Want to create a seamless sign-in experience for your users? By following the steps in this article you can enable Single Sign-On (SSO) for Firefox using Intune, so users no longer have to enter their credentials for websites that use Entra ID (Azure AD) as their IDP.
Important: The steps in this article enable SSO with Microsoft Entra ID as the IDP.
Prerequisites
1. Devices must be Entra ID Joined, Hybrid-Joined, or Entra ID Registered.
2. The Mozilla and Firefox ADMX files must be imported into Intune. Click the link below to learn how: How to Import Mozilla Firefox ADMX Files into Intune
Steps to Enable SSO for Firefox
1. Launch the Intune Portal.
2. Navigate to Devices > Windows > Configuration.
3. Select + Create, then + New Policy, and choose:
   - Platform: Windows 10 and later
   - Profile Type: Templates
   - Template Name: Imported Administrative Templates (Preview)
4. Select Create.
5. Name the deployment and optionally provide a description.
6. Select the Mozilla folder. If you don't see the Mozilla folder, follow the steps in the link under the 2nd prerequisite above.
7. In the search bar, type Windows SSO.
8. Select the only search result.
9. In the right-hand pane:
   - Select Enabled.
   - Select OK.
10. Select Next.
11. Finalize the configuration profile by selecting scope tags (optional), adding the assignment(s), and reviewing/creating it.
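Once the profile is assigned, it helps to confirm on a test device that the setting actually arrived before asking users to try it. The PowerShell below is an added example written for this article; it is not part of the original post, and not Mozilla's or Microsoft's tooling. It assumes the Mozilla ADMX "Windows SSO" setting writes the REG_DWORD value WindowsSSO under HKLM\SOFTWARE\Policies\Mozilla\Firefox (the key Firefox reads machine-wide policy from on Windows); the function name Test-FirefoxWindowsSso is my own.

```powershell
# Added example (not from the original article): verify that the Intune-delivered
# "Windows SSO" Firefox policy is present on this device.
# Run in a PowerShell session on the target Windows device after an Intune sync.

function Test-FirefoxWindowsSso {
    [CmdletBinding()]
    param(
        # Firefox reads policy from the machine hive first; the user hive is
        # honoured too, so both are checked (assumed locations, see lead-in).
        [string[]]$PolicyKeys = @(
            'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
            'HKCU:\SOFTWARE\Policies\Mozilla\Firefox'
        )
    )

    foreach ($key in $PolicyKeys) {
        # A missing key or value simply means the policy has not reached this
        # hive yet, so suppress the error and keep looking.
        $item = Get-ItemProperty -Path $key -Name 'WindowsSSO' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Key     = $key
                Present = $true
                Enabled = ($item.WindowsSSO -eq 1)   # ADMX "Enabled" writes REG_DWORD 1
            }
        }
    }

    # Nothing found in either hive.
    [pscustomobject]@{ Key = $null; Present = $false; Enabled = $false }
}

$result = Test-FirefoxWindowsSso
if (-not $result.Present) {
    Write-Output 'WindowsSSO policy not found: the Intune profile has not applied yet (trigger a Sync from Settings > Accounts > Access work or school and re-run).'
} elseif ($result.Enabled) {
    Write-Output "WindowsSSO is enabled via $($result.Key)."
} else {
    Write-Output "WindowsSSO is present under $($result.Key) but set to 0 (disabled)."
}
```

A second, user-facing check is Firefox's own about:policies page, which lists every policy Firefox loaded and the value it read; WindowsSSO should appear there as true once the profile has applied.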
Behind the Scenes - How it Works
So, how exactly does SSO work with Firefox? Below is a high-level step-by-step process for how users can experience single sign-on in Firefox once it is enabled. Let's first define some terms:
Term | Definition |
---|---|
PRT | A PRT (primary refresh token) contains the following items: similar claims found in a refresh token, the device's ID, and a session key. The PRT is used to request refresh and access tokens in the background, facilitating SSO for the end user. |
CloudAP | "CloudAP is the modern authentication provider for Windows sign-in, that verifies users logging to a Windows 10 or newer device. CloudAP provides a plugin framework that identity providers can build on to enable authentication to Windows using that identity provider's credentials." -- Microsoft |
CloudAP Plugin | "A Microsoft Entra-specific plugin built on the CloudAP framework that verifies user credentials with Microsoft Entra ID during Windows sign-in." -- Microsoft. "During Windows sign-in, the Microsoft Entra CloudAP plugin requests a PRT from Microsoft Entra ID using the credentials provided by the user. It also caches the PRT to enable cached sign-in when the user doesn't have access to an internet connection." -- Microsoft |
Step-by-Step Process
1. A device receives a PRT. When a device becomes Entra ID Joined, Hybrid-Joined, or Entra ID Registered, it receives a PRT (Primary Refresh Token).
   - Entra ID Joined or Hybrid-Joined: these devices receive a PRT when users log in to their computer.
   - Entra ID Registered: these devices receive a PRT when users add their work account to their device, for example by adding a work or school account in the Settings app.
2. A user opens a browser and navigates to a website that uses Entra ID as the IDP. The browser is redirected to Microsoft's login URL; once it verifies that URL, it needs a token to sign the user in.
3. The CloudAP Plugin creates a PRT cookie. Since the CloudAP plugin already holds the PRT, it can create a PRT cookie without having the user sign in again.
4. The browser uses the PRT cookie to request an ID token from Microsoft Entra ID.
5. Microsoft Entra ID sends back an ID Token to the browser. "Microsoft Entra ID validates the Session key signature on the PRT cookie, validates the nonce, verifies that the device is valid in the tenant, and issues an ID token for the web page and an encrypted session cookie for the browser."
6. The browser signs the user into the website. Since the browser has the ID token, it can sign the user in without the user ever having to provide credentials.
Click here to view Microsoft's step-by-step process.
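Step 1 above is the precondition for everything that follows: without a PRT there is nothing for the CloudAP plugin to build a PRT cookie from, and Firefox will fall back to the normal credential prompt. The PowerShell below is an added example for this article (not part of the original post or of Microsoft's tooling) that reads the join state and PRT status from the dsregcmd /status output. The field names (AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt, AzureAdPrtUpdateTime, TenantName) are the ones dsregcmd prints; the function name Get-EntraPrtStatus and the join-type classification are my own.

```powershell
# Added example (not from the original article): report the device's Entra ID
# join type and whether the signed-in user currently holds a PRT.
# Run as the signed-in user (not as SYSTEM) so the "SSO State" section that
# dsregcmd prints reflects that user's PRT.

function Get-EntraPrtStatus {
    [CmdletBinding()]
    param()

    # dsregcmd prints "Name : Value" lines grouped into sections. Fold every
    # single-token key into a hashtable; the handful of keys read below are all
    # single tokens, so lines with spaces in the key name are safely ignored.
    $fields = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # Map dsregcmd's flags onto the three device states the article lists.
    if ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES') {
        $joinType = 'Hybrid-Joined'
    } elseif ($fields['AzureAdJoined'] -eq 'YES') {
        $joinType = 'Entra ID Joined'
    } elseif ($fields['WorkplaceJoined'] -eq 'YES') {
        $joinType = 'Entra ID Registered'
    } else {
        $joinType = 'Not joined or registered'
    }

    [pscustomobject]@{
        JoinType      = $joinType
        TenantName    = $fields['TenantName']
        HasPrt        = ($fields['AzureAdPrt'] -eq 'YES')
        PrtUpdateTime = $fields['AzureAdPrtUpdateTime']   # empty when no PRT is held
    }
}

$status = Get-EntraPrtStatus
$status | Format-List

if (-not $status.HasPrt) {
    Write-Output 'No PRT for this user: browser SSO cannot work until the device is joined/registered and the user signs in (or re-adds the work account).'
}
```

On an Entra ID Registered device expect AzureAdJoined to be NO and WorkplaceJoined to be YES, with the PRT appearing only after the work account has been added; on a joined device the PRT should be present right after the user's Windows sign-in.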