Open Perdjesk opened 3 years ago
Could be solved by a resolution of https://github.com/mozilla/multi-account-containers/issues/318 allowing SSO settings to be changed per container.
@Perdjesk Is this about the Windows SSO option?
I am not sure what "Windows SSO option" refers to. Is it https://support.mozilla.org/en-US/kb/windows-sso?
If that's the case then I do not know how this feature/option works and how it integrates with Windows. From the look of it, the above option is related to the network.http.windows-sso.enabled configuration.
The original issue is about SPNEGO SSO and the related configurations network.negotiate-auth.*, which according to MDN archived docs leverage OS system libraries to provide the user's identity and thus should work on "Microsoft Windows, [...] Linux, Mac OSX, and other UNIX-like".
However, this feature request could be reworked to encompass all types of single sign-on available, as the main idea, being able to have per-container configuration for SSO, is shared.
I moved it upstream so the right person can decide if it can be implemented alongside #2393 or not. See https://bugzilla.mozilla.org/show_bug.cgi?id=1810538.
All the following SSO types in the main browser are considered:
Actual behavior
When SSO configuration is done in the main browser, the SSO flow (specific to each implementation) will be done in every container against the identity offered by the host machine.
Expected behavior
It would be beneficial to be able to choose per Firefox container whether to use SSO or not. This would permit using Firefox containers without SSO authentication, to dissociate from the identity offered by the host machine.
Discussions, workarounds
Example Windows SSO with multiple Azure AD/365 tenants:
Private browsing behavior
The Windows SSO seems to be never used in private browsing (nsHttpChannel.cpp#424). The SPNEGO SSO can be enabled in private browsing by using the configuration flag network.auth.private-browsing-sso=true.
It might be a slight discrepancy to not have included the Windows/Win32API SSO as part of the flag network.auth.private-browsing-sso.
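
Because the preferences named in this issue are profile-wide and therefore apply to every container, one way to see what a profile currently exposes is to read its user.js or prefs.js. The script below is an added example, not part of the original issue or of Firefox. It assumes the standard `user_pref("name", value);` line format, treats a non-empty network.negotiate-auth.trusted-uris list as SPNEGO being in use, and runs on a constructed sample file.

```python
import re

# One line of a Firefox prefs.js / user.js file: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref name: bool | int | str} for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def sso_summary(prefs):
    """Summarise the SSO prefs set explicitly in the file.

    Unset prefs fall back to the browser's built-in defaults, which this
    script does not know, so they are reported here as not enabled.
    """
    trusted = prefs.get("network.negotiate-auth.trusted-uris", "")
    hosts = [h.strip() for h in trusted.split(",") if h.strip()]
    pb_flag = prefs.get("network.auth.private-browsing-sso") is True
    return {
        "spnego_trusted_uris": hosts,
        "spnego_in_private_browsing": bool(hosts) and pb_flag,
        "windows_sso": prefs.get("network.http.windows-sso.enabled") is True,
        "all_negotiate_prefs": sorted(
            n for n in prefs if n.startswith("network.negotiate-auth.")),
    }

# Constructed sample; host names are placeholders.
SAMPLE_USER_JS = '''
// constructed sample
user_pref("network.negotiate-auth.trusted-uris", "intranet.example.test, .corp.example.test");
user_pref("network.negotiate-auth.delegation-uris", "");
user_pref("network.auth.private-browsing-sso", true);
user_pref("network.http.windows-sso.enabled", false);
user_pref("browser.startup.page", 3);
'''

if __name__ == "__main__":
    for key, value in sso_summary(parse_prefs(SAMPLE_USER_JS)).items():
        print(f"{key}: {value}")
```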