What is seamless SSO by Microsoft? Everything you need to know
Learn what Seamless SSO is, how it works, and how to implement it as an IT admin or a startup developer.
If you’ve started talking to potential enterprise customers, you already know how important Single Sign-On (SSO) is to them. But setting up SSO can get complicated: there are many protocols, tokens, handshakes, and security requirements to get right.
And if that wasn’t complicated enough, your enterprise customers in the Microsoft ecosystem will expect Microsoft’s own flavour of SSO, called “Seamless SSO.”
In this article, we’ll walk you through:
- What Seamless SSO is
- How it works
- How developers and startups can implement it
Let’s start by explaining what Seamless SSO is.
What is Seamless SSO?
Seamless SSO is a feature of Microsoft Entra ID (formerly Azure Active Directory) that enhances the Single Sign-On experience for users. Much like traditional SSO, it allows users to authenticate once and then access multiple services and apps. Seamless SSO is designed and optimized to align with the Microsoft ecosystem.
Seamless SSO is optimized for authentication on Windows devices, using Integrated Windows Authentication (IWA). Browsers like Internet Explorer, Edge, and Chrome (with configuration) support IWA for this functionality.
When a user’s domain-joined device is connected to the corporate network, Microsoft Entra recognizes this and automatically signs the user in to any services or apps they access. For cloud-based SaaS vendors, Entra ID supports standard SSO protocols like SAML and OpenID Connect, enabling a seamless experience similar to traditional SSO.
Seamless SSO has evolved alongside Microsoft’s identity solutions, with the following milestones:
- Microsoft Active Directory with Active Directory Federation Services (ADFS): The primary service for providing SSO before Seamless SSO.
- Azure AD Seamless Sign-On: The first iteration of Seamless SSO, replaced in May 2022.
- Microsoft Entra ID Seamless SSO: Launched in May 2022, introducing an updated identity and access management platform.
How does Seamless SSO work?
- Authentication on a corporate device: A user logs into their corporate Windows device. They are authenticated with their corporate directory (on-premises Active Directory or Entra ID).
- Accessing apps: For apps supporting silent login, such as Microsoft Office or Teams, users are seamlessly logged in without a visible login screen. For other apps, users may need to enter their username initially, depending on configuration.
- Kerberos-based authentication: When a user logs in, the browser retrieves a Kerberos ticket from the on-premises Active Directory. This ticket is used for authentication when accessing apps and services.
- Token exchange: The browser sends the Kerberos ticket to Microsoft Entra. Entra completes an authentication handshake, verifies the user, and issues a token (similar to a SAML assertion) to grant access.
For cloud-based services outside the corporate domain, Entra ID supports standard SSO protocols like SAML and OpenID Connect. These protocols allow seamless authentication for apps that don’t directly support Kerberos-based silent logins.
How to implement Seamless SSO
If you’re an IT Administrator implementing SSO for your workforce
Assuming you’re already using Microsoft’s ecosystem, rolling out Microsoft Entra is straightforward. Here’s a high-level overview of the steps:
- Set up an Entra server via Azure: Configure an appropriate topology, enable modern authentication, and ensure users have the latest Microsoft 365 clients.
- Enable Seamless SSO in Entra Connect: Use domain administrator credentials and verify the setup in the Entra Admin Center.
- Deploy Seamless SSO via Group Policy: Configure your organization’s supported browsers to ensure a seamless experience.
- Test functionality: Visit https://myapps.microsoft.com/ and attempt login using a corporate device connected to the network.
If you’re a developer supporting Seamless SSO in your app
As a software vendor, enabling Seamless SSO for your app involves integrating with Microsoft Entra ID. Here are the key steps:
- Build an SSO integration: Use SAML or OpenID Connect to connect to your enterprise customer’s Entra instance and verify user credentials.
- Build a SCIM endpoint: Create an endpoint for provisioning and de-provisioning users via Entra.
- Submit your app to the Entra Gallery: Add your app to Microsoft’s Entra application gallery to simplify onboarding for enterprise customers.
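As an added example (not code from the article, WorkOS, or Microsoft), here is the claim validation a developer’s OpenID Connect integration must perform on an Entra ID ID token. It assumes the token’s RS256 signature has already been verified against the customer tenant’s JWKS (a network fetch that is not shown); the client ID, tenant IDs, and sample claims are constructed for the example. The security-relevant point is tenant pinning: a multi-tenant app registered in Entra receives tokens from any tenant, so the integration must check the tid claim against the customers it has actually onboarded, and that the issuer agrees with that tenant, rather than accepting any token that merely verifies.

```python
"""Claim validation for an Entra ID OpenID Connect ID token.

Added example (not WorkOS or Microsoft code). It assumes the token's RS256
signature has already been verified against the customer's tenant JWKS; the
checks below are the ones that must run on the claims after that.
"""
import base64
import json
import time

# Hypothetical identifiers for this example; they are not from the article.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"         # the app's Entra app registration
ALLOWED_TENANTS = {"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}  # tenants of onboarded customers
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"


def b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Split a compact JWT into (header, claims) without checking its signature.

    Only the algorithm allow-list is enforced here; the caller must verify the
    RS256 signature against the tenant's JWKS before trusting these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":
        # Reject 'none' and symmetric algorithms outright.
        raise ValueError("unexpected alg %r" % header.get("alg"))
    return header, json.loads(b64url_decode(parts[1]))


def validate_entra_claims(claims, client_id, allowed_tenants, now=None, leeway=60):
    """Raise ValueError unless the claims are acceptable for this app."""
    now = time.time() if now is None else now
    tid = claims.get("tid")
    # A multi-tenant app receives tokens from any Entra tenant: pin the tenant to
    # customers you have onboarded instead of trusting the issuer prefix alone.
    if tid not in allowed_tenants:
        raise ValueError("tenant %r is not an onboarded customer" % tid)
    # The issuer embeds the tenant ID, so it must agree with the tid claim.
    if claims.get("iss") != ISSUER_TEMPLATE.format(tid=tid):
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    # The token must have been minted for this application, not another one.
    if claims.get("aud") != client_id:
        raise ValueError("audience mismatch")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def check_token(token, now=None, client_id=CLIENT_ID, allowed_tenants=ALLOWED_TENANTS):
    """Return (True, 'ok') when the claims pass, otherwise (False, reason)."""
    try:
        _, claims = decode_jwt_unverified(token)
        validate_entra_claims(claims, client_id, allowed_tenants, now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


def make_demo_token(claims):
    """Build a compact JWT with a placeholder signature (constructed for this
    example only; a real Entra token carries an RS256 signature)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, body, b64url_encode(b"placeholder-signature"))


# Constructed sample claims, shaped like an Entra v2.0 ID token.
NOW = 1_700_000_100
SAMPLE_CLAIMS = {
    "iss": ISSUER_TEMPLATE.format(tid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
    "tid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "aud": CLIENT_ID,
    "sub": "constructed-subject-id",
    "preferred_username": "alice@contoso.example",
    "iat": 1_700_000_000,
    "nbf": 1_700_000_000,
    "exp": 1_700_003_600,
}

if __name__ == "__main__":
    print(check_token(make_demo_token(SAMPLE_CLAIMS), NOW))  # (True, 'ok')
    foreign_tid = "ffffffff-0000-0000-0000-000000000000"
    foreign = dict(SAMPLE_CLAIMS, tid=foreign_tid, iss=ISSUER_TEMPLATE.format(tid=foreign_tid))
    print(check_token(make_demo_token(foreign), NOW))  # rejected: tenant not onboarded
    print(check_token(make_demo_token(SAMPLE_CLAIMS), SAMPLE_CLAIMS["exp"] + 3600))  # expired
```

In a real integration the signature check comes first, using the signing keys published at the tenant’s OpenID Connect discovery document, and the allow-list of tenant IDs is populated as each enterprise customer is onboarded; the checks above then decide whether a correctly signed token is one this app should honour.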
Next steps
If you’d rather not spend weeks developing SSO and SCIM solutions from scratch, consider using a service like WorkOS.
- Get started fast: Implement Universal SSO and Directory Sync in minutes with WorkOS SDKs.
- Simplify onboarding: The WorkOS Admin Portal helps configure your app for Entra ID.
- Transparent pricing: WorkOS charges a flat rate per company, regardless of user count.
Sign up for WorkOS today and start selling to enterprise customers tomorrow.
Frequently asked questions
How much does Seamless SSO cost?
Seamless SSO is included in all editions of Microsoft Entra ID. It comes at no additional cost for cloud subscriptions to services like Microsoft Azure or Microsoft 365.
Can I use multi-factor authentication with Seamless SSO?
Yes. Administrators can configure Seamless SSO to require multiple authentication factors for specific services or apps.
Can I use Seamless SSO for a public web service?
Seamless SSO is designed for corporate domains and internal apps. For public web services, Entra ID’s standard SSO protocols (SAML or OpenID Connect) are more suitable.