Universal Sign-On unreliable with Microsoft accounts.

wavesound
Community Member
edited December 2022 in 1Password in the Browser

I'm having a lot of issues with O365 Universal Sign-on in 1Password that make it somewhat unusable.

I have around 8-9 different O365 work accounts across different tenants. We're finding that two things are happening.

  1. 1Password makes no attempt to prompt me to save the logon in O365 using my Microsoft Account. (https://portal.office.com/)
  2. 1Password keeps asking me to sign into the Azure portal over and over even though I am already signed in... (https://portal.azure.com/)

Are these known issues?


1Password Version: 8.9.8
Extension Version: 2.5.0
OS Version: macOS 13.0.1
Browser: Chrome

Comments

  • wavesound
    Community Member

    bump

  • Joy_1P
    1Password Alumni

    Hey @wavesound, the Azure issue is known. I'll add your post here to it so our developers know how it's impacting your experience.

    As for the issue on https://portal.office.com, that one is new. I was able to replicate it. I will report the problem to our developers.

    We appreciate you reaching out about these two issues. If you have any other questions, please let us know.

    ref: dev/core/core/-/issues/18917
    ref: dev/core/core/-/issues/19083

  • jvis
    Community Member

    I'm adding my vote. When I log in to a site using my O365 account, 1P recognizes that it's MS and offers to save the account, however the list it provides for options are all MS consumer accounts, and not O365 accounts. This makes the feature rather useless in a work environment. I tried adding the same domain from my personal account to my O365 account (https://login.microsoftonline.com) but that didn't help it get into the list.

    I'll go one step farther for a feature request. I have many different accounts, some used for testing. I use different containers within FF to manage sessions so I can have multiple accounts logged in at the same time. Any way for 1P to recognize some sort of container/browser differentiator to not always use the same account to log in? Maybe some sites need a "QA/TEST" flag so it will always ask?

  • paul.m_1p
    1Password Alumni

    Hey @jvis - Thanks for the added insight on this behaviour 🙂

    • Do you have that O365 account created as a login item in 1Password?
    • If you do, is the vault or account in which that login item is saved different from the one(s) used for the MS consumer accounts you're seeing?
    • If it's a public URL, could you share the site you're trying to sign in with your O365 account?

    Regarding your second question, you can change the following setting in the browser extension so that you're not logged in automatically, and you can choose which SSO account you'd like to proceed with:

    1. Right-click the 1Password icon in the browser's toolbar and select "Settings".
    2. Under "Autofill", toggle "Log in automatically using a "sign in with" provider" to Off.

    As for the feature request, I have a couple questions to provide further insight to the team here:

    • Do the URLs in which you're logging into multiple accounts have different root-domains/sub-domains/ports at all?
    • Are you wanting some sites to log in with a previously saved provider/account automatically, and others to prompt which provider/account you'd like?

    Thanks for your continued support of 1Password!

  • jvis
    Community Member

    Hi Paul,

    Sorry for the delay - took some time off over the holidays. I'll do my best to answer your questions.

    • Do you have that O365 account created as a login item in 1Password?
      Yes. And I added an additional URL of https://login.microsoftonline.com in case that helped 1P find it, but it didn't work.

    • If you do, is the vault or account in which that login item is saved different from the one(s) used for the MS consumer accounts you're seeing?
      No. I have consumer MS accounts in the same vault as this O365 account.

    • If it's a public URL, could you share the site you're trying to sign in with your O365 account?
      Although the URL is publicly available, I'd prefer to provide it to you via private message. It's our company.sharepoint.com, but also applies to others like office.com. I haven't had the 1P popup often enough to list all the URLs since MS only occasionally forces the login check.

    I've turned off the sign in with provider for now, as you requested. It made no difference to the options presented.

    I'll also add:

    • the options provided for sign in with provider aren't respecting my vault/collection settings. I'm getting suggestions from vaults that are unchecked in the browser extension.
    • I also have another O365 test account and that one does show up as a suggestion for sign in with provider. The only difference I can see is that my test account has MS in the title, while the main account has only O365 in the title. Your devs didn't use a "must have 'MS' in the title somewhere" I hope?
    • 1P picks up the correct icon for the O365 account, same as the test O365 account and different from consumer accounts
    • When actually logging in to the O365 sites, 1P does offer my O365 account. It's only missing after the login, when it recognizes that MS was used to log in and offers the option of which account
    • I see the same behaviour with MS sites using the MS account and 3rd party sites using "log in with MS/Azure AD".
    • I've attached a screenshot of the suggestions provided today and of the account that doesn't show in the suggestions. As far as I can tell, the only one missing is the one I want.

    Missing account:

    For your feature request questions:

    • Do the URLs in which you're logging into multiple accounts have different root-domains/sub-domains/ports at all?
      Unfortunately no. The whole idea here is to test a system using different users (e.g. an admin and a regular user). Normally I would use different browsers for this, but the FF containers separate the sessions so it works well.

    • Are you wanting some sites to log in with a previously saved provider/account automatically, and others to prompt which provider/account you'd like?
      If I'm being honest, I'm not sure what the best UX is here. Ideally I'd love to be able to set a default login for some sites, but have different defaults in different browsers/containers. And that default could be either auto login or just top one in the list. For now, when I have multiple test accounts, I will star the main account so at least it shows up first, but when using another container I would like a different one to rise to the top.

    I might need to think about it a bit more, but feel free to ask more questions. It seems like at least some settings are individual per browser (it doesn't retain my selected vaults between different browsers), so I'd like to at least see something similar per browser for what rises to the top as a suggestion, either through usage or through manual starring. And if you could detect different FF containers to do the same, even better.

This discussion has been closed.