How SSO (Single-Sign-On) Authentication Works in Windows 10

When we talk about authentication methods today, we generally mean entering our login details or credentials every time we want to log in. The SSO or Single-Sign-On method, however, makes life easier for people who need to access several services and applications at the same time. In this article we are going to talk about Single-Sign-On in Windows 10.

There is no doubt that Windows 10 is a widely used operating system in corporate environments. Organizations use not only the features of the system itself, but also other proprietary and external applications. These can integrate with the corporate Windows environment, making it very easy to have access to 10, 15 or more applications.

If users have to authenticate each time they access an application, this can waste quite a lot of time and brings several problems and risks. For example, a user who needs to authenticate quickly and is not paying enough attention can lock their corporate account by trying to log in several times. Although there are IAM (Identity and Access Management) systems that handle this type of situation, the end user experience may not be very good and it undoubtedly affects their daily productivity.


SSO (or Single Sign-On) is a centralized user and device authentication service. It works as follows: a single set of user credentials serves as a direct gateway to all applications for which the user has been given appropriate authorization. Those credentials can consist of email, username and password. The direct advantage is that the person does not need to enter their credentials into each of the applications and services that they must use. They simply use SSO-type shortcuts (such as a URL in the case of a web application) and are authenticated within seconds.

Another advantage is that the end user only needs a single truly secure password, that is, one with an adequate number of digits, numbers, special characters and other requirements of password policies. One of the reasons why people don't opt for strong passwords is the time it takes to think of one for each application. With SSO, we can change the mindset of users by promoting the creation of strong, difficult to guess passwords. And when it's time to renew it, that change will apply to all apps that have SSO enabled.

SSO operation in Windows 10

This service is available for the following categories of applications:

  • Authentication services and integrated Windows applications.
  • Azure AD connected applications, including Office 365 and all applications published with Azure AD proxies.
  • Applications with Active Directory Federation Services.
  • Azure AD and Domain-Joined devices (which connect to your workplace domain using your network credentials).

With SSO, you get a special token for each of the application types that are compatible with SSO. With this special token, you get other tokens to access specific applications.

It is as if the special token were the "mother token", which is known as the Primary Refresh Token (PRT). It is generated, in principle, during the Windows login process: user login and/or computer unlock. It contains all the data needed to identify the device and the domain to which it belongs. This means that, under any device-based conditional access policy, you won't have access to the app if you don't have this PRT.

Next, we show you how the PRT is generated:

  1. The user enters the credentials in Windows.
  2. The credentials are passed to the Cloud AP Azure AD extension for authentication.
  3. The authentication process is performed for both the user and their device to obtain the PRT from Azure AD.
  4. The PRT is cached so that the Web Account Manager can access it during application authentication.
  5. The application asks the Web Account Manager for access to the PRT token that corresponds to a specific application and/or service.
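
To confirm the outcome of these steps on a device, the following PowerShell function (an added example, not part of the original article) parses the text printed by dsregcmd /status and reports whether a PRT is present and unexpired. The function name Get-PrtState and the sample text are constructed for illustration, and the timestamp layout is assumed to match the sample.

```powershell
# Constructed sample in the layout printed by `dsregcmd /status` (not real output).
$sample = @'
| Device State |
             AzureAdJoined : YES
              DomainJoined : YES
                  DeviceId : 00000000-0000-0000-0000-000000000000
| SSO State |
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2030-01-01 08:00:00.000 UTC
      AzureAdPrtExpiryTime : 2030-01-15 08:00:00.000 UTC
'@

function Get-PrtState {
    param(
        [Parameter(Mandatory)] [string] $StatusText,
        [datetime] $Now = [datetime]::UtcNow   # injectable so the check is repeatable
    )
    # Collect every "Name : Value" line into a lookup table; banner lines are skipped.
    $fields = @{}
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $hasPrt = $fields['AzureAdPrt'] -eq 'YES'
    $expiry = $null
    if ($hasPrt -and $fields['AzureAdPrtExpiryTime']) {
        # Assumed timestamp layout: "yyyy-MM-dd HH:mm:ss.fff UTC", as in the sample.
        $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
        $expiry = [datetime]::ParseExact($fields['AzureAdPrtExpiryTime'],
            'yyyy-MM-dd HH:mm:ss.fff "UTC"', [cultureinfo]::InvariantCulture, $styles)
    }
    [pscustomobject]@{
        AzureAdJoined = $fields['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $fields['DomainJoined'] -eq 'YES'
        HasPrt        = $hasPrt
        PrtExpiryUtc  = $expiry
        # Without a present, unexpired PRT, device-based policies deny access.
        PrtUsable     = $hasPrt -and ($null -ne $expiry) -and ($expiry -gt $Now)
    }
}

# Evaluate the constructed sample at a fixed point in time.
Get-PrtState -StatusText $sample -Now ([datetime]::new(2030, 1, 2, 0, 0, 0, 'Utc'))
# On a real machine: Get-PrtState -StatusText (dsregcmd /status | Out-String)
```

A device that reports HasPrt as False after sign-in is the first thing to check when a device-based conditional access policy blocks a user.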

Password based SSO

One of the most widely used SSO methods is the password-based method. Users log into the application with a username and password only the first time they access it. After that first sign-in, Azure AD provides the stored credentials to supported applications.

This method simply builds on an existing authentication method, namely entering credentials. If you opt for the password-based method, Azure AD collects that data and stores it in encrypted form in your directory.

For reference, users can authenticate with this method if they use one of the following programs:

  • Internet Explorer from Windows 7 onwards.
  • Edge from Windows 10 Anniversary Edition onwards.
  • Edge in its mobile version for Android and iOS.
  • Chrome from Windows 7 onwards and Mac OS X.
  • Intune Managed Browser.
  • Firefox version 26.0 onwards, from Windows XP Service Pack 2 onwards and Mac OS X 10.6 onwards.

Regardless of how innovative or interesting it may be, the SSO method shows us that a life without having to enter passwords several times a day is possible. Perhaps you have used this method and most likely have not noticed. Most, if not all, companies that use Windows Active Directory have SSO as their ally.