Single Sign On in Office 365-SharePoint Online by bypassing Home Realm Discovery page

This blog explains techniques to acheive single sign on in your office 365 tenant by bypassing Office 365 Home realm discovery(a.k.a HRD–> https://login.microsoftonline.com ) page.If your Office 365 setup does not have the following setup then this blog does not apply to you:

  1. AAD with Federated identity with third party Identity provider such as ADFS/CA Siteminder etc. If you are unsure about what “Federated identity” means please go through this post.

What is the default experience?

For all the tenants with federated identity the default experience is as below:

  1. Users navigates to https://portal.office.com or to any SharePoint site. Let’s say : https://mytenant.sharepoint.com.
  2. At this point, if the user is not logged in already he/she will be redirected to https://login.microsoftonline.com/. This is also called s the HRD page for Office 365.At this moment the user will be asked to type in his email or phone (typically most users authenticate with email). So user types in the email.
Screen Shot 2017-08-29 at 20.09.24.png

3. Now as soon as the user types in the email and clicks outside the textbox or uses tab, since the identity registered with that email is a federated identity, the user will be redirected to the identity provider login page. Let’s consider on-premise ADFS for this example:Here user’s email id will be prepopulated on load and user needs to type in the password and once successfull user will be redirect back to portal.office.com or to the original resource user was trying to access. Now if user is accessing this page in the same domain joined computer, then user will be auto logged in using the windows login account (user need not enter password here) and redirected back to the original resource.

Screen Shot 2017-08-29 at 20.31.15

What does this blog help you solve?

This blog is all about techniques to enable single sign on and improving the user experience  by bypassing the login.microsoftonline page and enable user requests to reach directly to your ADFS and then back to the original requested resource. So in this way when the user tries to access: https://mytenant.sharepoint.com or tries to go to Office 365 home (ie https://portal.office.com) he will be automatically logged in without having to type in username & password in any of the pages mentioned above (only when connecting through same domain computers).

What are the solutions?

Okay now let’s look at the two options to achieve this. Please bear in mind that each option applies to specific scenarios and there is no silver bullet (yes, there is now Azure AD Pass-through Authentication) which fits all use cases.

1. Azure AD Pass-through Authentication (Recommended):

This is the newest addition to authentication methods in Azure. Here instead of having an ADFS , you will need to install a Pass-through authentication agent in your on-premise environment. This agent will validate the user credentials directly against the on-premises Active Directory. This is the preferred way to move ahead as it provides better user experience i.e seamless authentication when inside organisation network and users (both internal + guest users) will be shown the login page when accessing from outside of your network.

One of other key advantages with this method is that you don’t have to configure auto-acceleration, thus Guest users won’t be accelerated to ADFS page but they will be displayed the login page since they are accessing from outside your organisation network.

Read more about Pass-through authentication 

Azure AD Pass-through Authentication

2. Auto-Acceleration:Auto acceleration is a technique which can be used to bypass the HRD page (login.microsoftonline) when user tries to access any SharePoint Online pages or SharePoint Online admin center pages. This technique only applies to SharePoint Online /SharePoint Online admin center and does NOT support any other office 365 product pages like https//portal.office.com etc. Also this technique is NOT  recommended if you have multiple identity providers for your tenant.

Enabling Auto-Acceleration

You need to run below powershell command.

Set-SPOTenant –SignInAccelerationDomain “yourdomain.com”
To disable the auto-acceleration, run below command:
Set-SPOTenant –SignInAccelerationDomain “”

Limitations

  1. Auto-Acceleration will work only for those site collections that has external sharing disabled. If you wish to auto-accelerate the sites where external sharing is enabled, then you need to enable GuestSignInAcceleration by running below commands:
    Set-SPOTenant -EnableGuestSignInAcceleration $true

    To disable it run below command:

    Set-SPOTenant -EnableGuestSignInAcceleration $false
  2.  If you enable auto-acceleration for Guest accounts , then you must configure the identity provider login page to support guest user login, which means it should have some option for guest users to click through and navigate to AAD login page (login.microsoftonline).
  3.  Auto-Acceleration does not support anything other than SharePoint Online sites & SharePoint Online admin center.
  4. This supports only single identity provider. If you have multiple identity provider then you must create an intermediate page where the user needs to select the identity provider. This is not recommended as it does not solve the original user experience issue which we are trying to solve here.

3. Smart Links

This has existed for long time and this is a hack rather than a feature of office 365.Below is a summary of how smart links work :

  1. Firstly create a smart url to bypass the office 365 home realm discovery. This is a special url with some extra parameters in the querystring which will enable Azure AD to automatically redirect the request to the federated identity provider login page.
    Now how to generate the special url? It’s fairly simple, you just need to fill in the exact placeholders in the below format:
    https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=[yourdomain]&wreply=[targeturl]eg: if your company domain is “bestcompany.com” and you want to generate a smart url for https://portal.office.com then your url will be as below:https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=bestcompany.com&wreply=https://portal.office.com
  2. Now you need to create a new blank  website (IIS/Apache or anything of your choice) for each url you want to acheive SSO. Example: For https://portal.office.com you would create a website like https://office.yourcompany.com . You need to publish this url, so that it is accessible through the internet or in your intranet, depending on your needs.
  3. Now create a redirect rule for all requests coming in to your website to be redirected to the smart link url generated for that particular resource.
  4. Now when any user access https://office.yourcompany.com they will auto redirected to smart link , the smart link then redirects user to the federated identity provider and if the user is accessing from the domain joined computer, then he/she will be automatically signed in and redirected to https://portal.office.com

Limitations

  1. New “fake” or company branded urls needs to be generated for each office 365 url which needs to be SSO ed.E.g:Office 365 Home: https://portal.office.com –> https://office.yourdomain.comSharePoint Home: https://yourdomain.sharepoint.com –> https://sharepoint.yourdomaincomDelvehttps://delve.office.com/ –> https://delve.yourdomain.com
  2. If user bookmarks any office 365 page including SharePoint online and tries to access the site first time through the bookmarks , he/she will end up in login.microsoftonline.com and SSO will not happen seamlessly.
  3. You will have to run campaign in your company to make user familiarise with this fake urls by making these as home page for browser etc.

Use case scenarios: Auto-Acceleration vs Smart Links

  1. SharePoint Online sites(Single Federation): If you have only single federation in your tenant and without or with external sharing(some caveats with sharing) , you should go with Auto-Acceleration for your sharepoint sites. It’s just a piece of cake to configure and provides tremendous improvement to user experience especially if SharePoint user base if more.
  2. SharePoint Online sites (Multiple federation):If you have multiple federation inside the tenant, it is better to utilize smart links in the scenario. Let’s consider a scenario where you have 2 federation one for intranet users & another one for extranet users. So in this scenario you can create 2 smart links:
    Intranet SharePoint–> https://intranet.yourcompany.com –> https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=%5Bintranetdomain%5D&wreply=%5Btargeturl%5D
    Extranet SharePoint –> https://extranet.yourcompany.com –> https://login.microsoftonline.com/login.srf?wa=wsignin1.0&whr=%5Bextranetdomain%5D&wreply=%5Btargeturl%5D
  3. Other Office 365 products (non-SharePoint): For all your non SharePoint Office 365 products , it is worth to configure smart links to improve user experience.

7 thoughts on “Single Sign On in Office 365-SharePoint Online by bypassing Home Realm Discovery page

  1. This is great, but there is one issue. Signing in works perfectly, but when I press “Sign Out” on the Office Portal, i get a “Hmm… we’re having trouble signing you out.” error. This is something to do with the fact that ADFS session is WS-Fed and Office Portal is OpenID Connect. Sign Out works for OIDC but most likely does not clear the WS-Fed session.

  2. This is really wonderful. Under the Limitation (section 2) Would you please explain how to do.
    “configure the identity provider login page to support guest user login, which means it should have some option for guest users to click through and navigate to AAD login page (login.microsoftonline).”

    1. Thanks Amiya. Please note that this blog is more than 2 years old and lot has changed since then. The recommended approach if you have federation with on-prem AD will be use Pass through Authentication. This will negate all the limitations of auto-acceleration with ADFS.

  3. If I understand correctly, your current set up is AAD integrated with on-prem ADFS for authentication. This will work properly if all your users are internal and they are always authenticated by the ADFS. Pass through authentication is a replacement architecture for ADFS. One more thing is that guest users or external users are not /cannot be authenticated by your ADFS/Pass through Auth agent. They will always be authenticated by their Organisation’s Azure AD or Gmail or Microsoft live Id depending on the type of the guest account. Using pass through authentication will prevent all users being redirected to ADFS for authentication. Internal users will be auto logged in and external or guest users will be challenged for authentication in the login.microsoftonline screen.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s