mozilla / multi-account-containers

Firefox Multi-Account Containers lets you keep parts of your online life separated into color-coded tabs that preserve your privacy. Cookies are separated by container, allowing you to use the web with multiple identities or accounts simultaneously.
https://addons.mozilla.org/firefox/addon/multi-account-containers/
Mozilla Public License 2.0

Add ability to enable SSO (SPNEGO) per container. #1966

Open Perdjesk opened 3 years ago

Perdjesk commented 3 years ago

All the following SSO types in main browser are considered:

Actual behavior

When SSO configuration is done in the main browser, the SSO flow (specific to each implementation) will be done in every container against the identity offered by the host machine.

Expected behavior

It would be beneficial to be able to choose per Firefox container whether to use SSO or not. This would permit using Firefox containers without SSO authentication to dissociate from the identity offered by the host machine.

Discussions, workarounds

Example Windows SSO with multiple Azure AD/365 tenants:

Private browsing behavior

The Windows SSO seems to be never used in private browsing (nsHttpChannel.cpp#424). The SPNEGO SSO can be enabled in private browsing by using the configuration flag network.auth.private-browsing-sso=true.

It might be a slight discrepancy to not have included the Windows/Win32API SSO as part of the flag network.auth.private-browsing-sso.

Perdjesk commented 3 years ago

Could be solved by a resolution of https://github.com/mozilla/multi-account-containers/issues/318 allowing SSO settings to be changed per container.

dannycolin commented 1 year ago

@Perdjesk Is this about the Windows SSO option?

Perdjesk commented 1 year ago

I am not sure what "Windows SSO option" refers to. Is it https://support.mozilla.org/en-US/kb/windows-sso?

If that's the case then I do not know how this feature/option works and how it integrates with Windows. From the look of it, the above option is related to the network.http.windows-sso.enabled configuration.

The original issue is about SPNEGO SSO and the related configurations network.negotiate-auth.*, which according to MDN archived docs leverage OS system libraries to provide the user's identity and thus should work on

Microsoft Windows, [...] Linux, Mac OSX, and other UNIX-like

However, this feature request could be reworked to encompass all types of single sign-on available, as the main idea, to be able to have per-container configuration for SSO, is shared.

dannycolin commented 1 year ago

I moved it upstream so the right person can decide if it can be implemented alongside #2393 or not. See https://bugzilla.mozilla.org/show_bug.cgi?id=1810538.