As @Owen Min<mailto:z...@chromium.org> said, the IDP is registered in the OS.

 - Is there at most one IDP for a profile? /
In one Windows logon session there can be multiple IDP URLs associated with 
different clouds: the global cloud, the China cloud, and also the consumer cloud.

Per Profile there can be multiple IDPs.

Thank you,
Sasha

From: Owen Min <z...@chromium.org>
Sent: Friday, September 24, 2021 3:24 PM
To: Yutaka Hirano <yhir...@google.com>
Cc: blink-dev <blink-dev@chromium.org>; Sasha Tokarev <alex...@microsoft.com>; 
Greg Thompson <g...@chromium.org>; Matt Menke <mme...@chromium.org>; Ryan 
Sleevi <rsle...@chromium.org>; Adam Langley <a...@chromium.org>
Subject: [EXTERNAL] Re: [blink-dev] Re: Native support of Windows SSO in Chrome

Answer inline. Sasha and Greg, feel free to correct me or add more things if 
you want.

On Fri, Sep 24, 2021 at 1:27 AM Yutaka Hirano 
<yhir...@google.com<mailto:yhir...@google.com>> wrote:
I have some questions.

 - Is the proposal that Chrome detects such a redirect and sends an 
authentication request to IDP?
The browser detects the access to the IDP URL (https://login.microsoftonline.com) 
and appends a cookie, which it gets from the OS, to that request.
 - Is there at most one IDP for a profile? /
 - How is IDP registered to Chrome?
IDPs are registered with the OS, and the browser gets both the IDP URLs (see 
CloudApPlatformWin::ReadOrigins<https://chromium-review.googlesource.com/c/chromium/src/+/3147471/10/content/browser/net/cloud_ap/cloud_ap_platform_win.cc#399>) 
and cookies from the OS.

Thanks,

On Fri, Sep 24, 2021 at 6:18 AM Owen Min 
<z...@chromium.org<mailto:z...@chromium.org>> wrote:
+people who may be interested in this.
On Thursday, September 23, 2021 at 12:21:51 PM UTC-4 Sasha Tokarev wrote:
Hi all,
I have a proposal to integrate Windows SSO into Chrome.
Currently Windows has the ability to join a device to a cloud identity, like AAD or MSA. 
When a device is joined to a cloud identity provider (IDP), it would be great 
if I, as a user, do not need to enter credentials when I'm using a service which 
uses the IDP my device is joined to. I consented to have single sign-on 
(SSO) when I joined the device, and trust the IDP to protect my identity and not 
allow unauthorized access. If I do not trust it, I should not join my device. 
Additionally, sometimes web resources that I'm accessing as a user are 
owned by the organization where I work or study. Hence, an organization 
administrator should be able to manage access to such resources based on the 
quality of my device, e.g., prevent access if the device doesn't run malware 
scans or doesn't have the latest security patches, etc.
Edge has this feature built in; in Chrome we must use a special extension: 
https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji
While using the extension works, the built-in experience is better, as we have with 
Windows Integrated Authentication.
At a high level it should work like this, if I'm accessing a resource from a 
joined device.

  1.  Resource (e.g., www.mywork.com) will redirect me for authentication to the 
cloud identity provider (https://login.microsoftonline.com). The request will 
have a redirect URI that the IDP will use to return a token.
  2.  User agent (Chrome) will detect this navigation and call an OS API for 
producing crypto-protected SSO cookies, which have device and user 
information. This cookie will be appended to the request as a header or cookie.
  3.  Cloud identity provider (https://login.microsoftonline.com):

     *   Detects the presence of the SSO cookies, validates them by checking the 
signature, and authenticates the user and device.
     *   Validates that the supplied redirect URI is registered for this 
application.
     *   Validates that the resource owner (enterprise admin or user) authorizes 
access to the resource.
     *   Applies consent policy and asks for consent if needed; for example, 
enterprises, when they own the resource, can pre-consent access by their 
employees. Note, it is the responsibility of the IDP to ensure that only authorized and 
consented applications can access users' identity.
     *   Reads the device identity and checks the state of the device, as reported 
out of band by the device management system.
     *   If all checks are fine, the IDP redirects back to the resource with a 
token.

  4.  User agent (Chrome) should not do much, just make sure it will not 
include the SSO headers (as in the case of some HTTP redirects the user agent repeats the 
same headers) and cookies to the resource, to prevent their disclosure.
  5.  Resource gets the token and provides the service to the user.

Note, a malicious web site will not be able to access the user identity without 
explicit user consent, and if it is an enterprise account, then it should check 
admin authorization for this application. One may think that if we have SSO, 
now we need to think about protection from malicious web sites. However, this 
issue is not relevant to SSO, as if a user has either MSA or AAD, most likely 
she or he will enter credentials at some moment, and the IDP will store a persistent 
cookie. As a result, the IDP still needs to protect from a malicious web site; that 
is why all protocols that use redirection have special handling for such cases, 
i.e. the IDP must redirect to the redirect URI initially pre-registered for this 
client: 
https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2
SSO itself reduces the number of prompts; OS cookies are hardware crypto protected 
and short-lived, while the protection of web cookies is lower. Integration with OS 
SSO is not just a convenience feature but increases users' security.

Thank you,
Aleksandr
--
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
blink-dev+unsubscr...@chromium.org<mailto:blink-dev+unsubscr...@chromium.org>.
To view this discussion on the web visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bc1fb9ba-2951-4d59-aec1-aed2e88fd584n%40chromium.org.
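The user-agent side of the flow above (attach the OS-minted SSO cookie only on requests to a registered IDP origin, and strip it again on the redirect back to the resource so it is never disclosed) as an added C++ sketch; this is not Chromium code or anything from the thread. The header name and the non-Microsoft IDP origins are constructed placeholders.

```cpp
#include <cctype>
#include <map>
#include <set>
#include <string>

// Constructed stand-in for the IDP origin list the browser reads from the OS.
// The thread mentions several clouds (global, China, consumer); only the first
// entry is taken from the thread, the others are placeholders.
static const std::set<std::string> kIdpOrigins = {
    "https://login.microsoftonline.com",
    "https://idp-china.example",
    "https://idp-consumer.example",
};

// Hypothetical header name; the real one is not given in the thread.
static const char kSsoHeader[] = "X-Os-Sso-Cookie";

// Extract scheme://host[:port] from a URL, lower-cased. Everything after the
// authority (path, query, fragment) is ignored. Returns "" without a scheme.
// An explicit ":443" is not normalized away, so such URLs simply fail to match.
std::string OriginOf(const std::string& url) {
  const auto scheme_end = url.find("://");
  if (scheme_end == std::string::npos) return "";
  const auto auth_end = url.find_first_of("/?#", scheme_end + 3);
  std::string origin = url.substr(0, auth_end);  // npos -> whole string
  for (auto& c : origin) c = static_cast<char>(std::tolower(c));
  return origin;
}

// Exact origin match: a look-alike host such as "login.microsoftonline.com.evil"
// or a userinfo trick "login.microsoftonline.com@evil" does not qualify, and
// plain http never does.
bool IsIdpOrigin(const std::string& url) {
  const std::string origin = OriginOf(url);
  return origin.rfind("https://", 0) == 0 && kIdpOrigins.count(origin) > 0;
}

using Headers = std::map<std::string, std::string>;

// Called for every request in a navigation, including each redirect hop.
// The header is removed first so a copied header set from the previous hop
// never leaks to a non-IDP destination (step 4 in the proposal).
Headers ApplySsoPolicy(const std::string& url, Headers headers,
                       const std::string& os_sso_cookie) {
  headers.erase(kSsoHeader);
  if (IsIdpOrigin(url)) headers[kSsoHeader] = os_sso_cookie;
  return headers;
}
```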
