Blog

What is Seamless SSO by Microsoft? Everything You Need To Know

December 5, 2023

We’ll explain what Seamless SSO is, how it works, and how you can implement it — whether you’re an IT admin or a startup developer.

If you’ve started to speak to potential enterprise customers, you already know how important Single Sign-On (SSO) is to them. You’ll also have discovered that SSO is pretty complicated with all sorts of protocols, tokens, handshakes, and security high-stakes.

If that wasn’t complicated enough, your enterprise customers in the Microsoft ecosystem will have their own version of Single Sign-On, called “Seamless SSO”.

In this article, we’ll explain what Seamless SSO is, how it works, and how you can implement it — whether you’re an IT admin or a startup developer.

What is Seamless SSO?

Seamless SSO is Microsoft’s own version of Single Sign-On. Much like traditional SSO, it allows users to authenticate once and then access multiple different services and apps, mediated by Microsoft’s Entra ID (or just Entra for short) — the service that replaced Azure Active Directory.

Unsurprisingly, Seamless SSO is specifically designed and optimized to tie in with the Microsoft ecosystem. It uses Entra ID’s directory system to store users and what they can access and enables “silent logins” (meaning no login screen at all) with Microsoft 365 products like Powerpoint and Teams. For apps outside the corporate network, users will not get fully silent logins, however, they’ll still enjoy a Seamless SSO experience.

As you expect, Seamless SSO is also optimized for authentication on Windows devices, using the Integrated Windows Authentication service.

After logging in, Microsoft Entra recognizes when a user’s device has joined the corporate network and automatically authenticates the user into any services or apps they access. Acting as an IdP, Microsoft Entra can extend this capability out to cloud-based SaaS vendors too — though that function is almost identical to traditional SSO.

Over the last few years, Seamless SSO has persisted through a few name and product changes alongside Microsoft’s Active Directory. Here are some of the names you may have seen Seamless SSO associated with over the years, which can be useful to know when navigating older tutorials or documentation:

  • Microsoft Active Directory with Active Directory Federation Services (ADFS). This wasn’t a strict predecessor to Seamless SSO, but was the main service through which Microsoft provided SSO.
  • Microsoft Azure Active Directory Seamless Sign-On (Azure AD SSO). The first use of the term Seamless SSO, Azure AD SSO existed until May 2022.
  • Microsoft Entra ID Seamless SSO. Launched in May 2022, this rebrand also introduced several new identity and access management products.

You can read more about Microsoft Entra Seamless Sign-On from the docs.

How does Seamless SSO work?

First of all, a user logs into their corporate Windows device as normal. They’re authenticated with their corporate directory (on-premises Active Directory) and granted access.

The first-time users then navigate to a Seamless SSO service, their app or browser initiates a sign-in process. If the app is set up for silent login, as common apps like Microsoft Office, Outlook, or SharePoint are, then no login screen is displayed for the user — they are taken straight into the app.

When accessing apps from other vendors for the first time, a user usually only needs to enter their username — though this depends on exactly how the administrator has configured Entra ID. After that, the browser can handle the authentication process with Entra ID automatically as the user moves between other apps and services.

Under the hood, Seamless SSO works using Kerberos tickets. When the user originally authenticates into their device, Entra will provide the browser with an encrypted ticket.

Microsoft Entra then requests that encrypted ticket from the browser when trying to access a given app or service, completing an authentication handshake and granting access.

The browser sends the ticket it receives to Microsoft Entra, which sends back a token with identity and authentication verification data, which works similarly to a SAML assertion.

For cloud-based services outside of the corporate domain, Microsoft Entra also has support for more generic SSO protocols like SAML and OpenID Connect. Like any other IdP, Entra allows a cloud-based vendor to receive SAML assertions to authenticate corporate users within the vendor’s app.

While you won’t be able to make use of fully silent logins unless you deploy on-premise software, supporting Entra will still enable those users to get the Seamless SSO experience on your app. Once they’ve logged into your app or another app on their browser, Entra will silently pass those credentials along to your app, allowing users to skip your login screen.

How to implement Seamless SSO

If you’re an IT Administrator: Implementing SSO for your workforce

Assuming you’re already using Microsoft’s ecosystem, rolling out Microsoft Entra is straightforward. Here’s a high-level, non-exhaustive overview of the steps you’ll need to take:

  1. Set up an Entra server via Azure. You’ll want to make sure you’re using an appropriate topology, make sure that you’ve enabled modern authentication and that you’ve pushed the latest version of MS365 clients to your users.
  2. Enable Seamless SSO inside Entra Connect. You’ll need to use your domain administrator credentials to do this, then check the Entra Admin Center to verify that Seamless SSO is enabled and working.
  3. Deploy Seamless SSO to your users via Group Policy. While this is relatively straightforward, there are different steps you’ll want to carry out depending on which browsers your organization allows.
  4. Test that Seamless SSO is fully functional. This is as simple as browsing https://myapps.microsoft.com/ and attempting to log in. Just make sure you’re using a corporate device connected to your corporate network directly or via VPN.

You can find a complete quickstart, step-by-step guide of implementing Seamless SSO directly from Microsoft.

If you’re a developer: How to support Seamless SSO in your app

If you’re a software vendor trying to make Seamless SSO available in your app, the good news is that the process is almost entirely the same as enabling SSO for any other identity provider. The bad news is, that it’s a lot more complicated than the IT administrator’s job we pointed out above.

There are three main things you’ll need to do:

  • Build an SSO integration. Using SAML, you’ll build a standard SSO integration that can connect to your enterprise customer’s Entra IdP and verify user credentials.
  • Build a SCIM endpoint: Using SCIM, you’ll create an endpoint that Entra can send requests to provision (and deprovision) users on your app.
  • Submit your app to the Entra Gallery: To smooth the onboarding process for enterprise customers (which can often be painful and tedious), you’ll submit your app to the Microsoft Entra application gallery (a sort-of app store for SSO-ready SaaS solutions).

Next steps

If you’d rather not spend the next few weeks developing an SSO and SCIM solution from scratch for your app, consider using a done-for-you authentication service like WorkOS:

  • Get started fast: With SDKs for every popular platform, and Slack-based support, you can implement SSO in minutes rather than weeks.
  • Avoid the back-and-forth: WorkOS’ Admin Portal takes the pain out of onboarding your customers’ IT teams and configuring your app to work with their Entra ID instance.
  • Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard - whether they bring 10 or 10,000 users to your app.

Explore Unified SSO by WorkOS.

Frequently asked questions

How much does Seamless SSO cost?

Seamless SSO is included with all editions of Microsoft Entra. If you have a cloud subscription for another service like Microsoft Azure or Microsoft 365, Seamless SSO is included for free. Otherwise, the service costs $6 per user per month.

Can I use Multi-factor authentication with Seamless SSO?

Yes. On login, Seamless SSO can request multiple factors of authentication. These can also be configured to be required for access to specific services or apps.

Can I use Seamless SSO for a Public Web Service?

Seamless SSO is designed for users on the same corporate domain. While it can be used to access cloud-hosted software from within that domain, it isn’t suitable for users accessing publicly available sites.

In this article
Link
Link
Link
We’re hiring

Our global team is growing and we’re hiring all types of roles.

View open roles
About us

WorkOS builds developer tools for quickly adding enterprise features to applications.

Learn more

This site uses cookies to improve your experience. Please accept the use of cookies on this site. You can review our cookie policy here and our privacy policy here. If you choose to refuse, functionality of this site will be limited.