Sharepoint and SSO not seamless enough


Hi All,

We have SSO set up and it works perfectly with everything else, but when it comes to SharePoint it is not as seamless as we would like. Every morning when we connect to our SharePoint site we are prompted with an Office 365 login to sign in. We have to put in our email address and then wait for the link to appear that says "Sign in at <domain>". Once we click it, it automatically logs us in and brings up the SharePoint site.

I have been told this is expected behaviour, but how come it only happens to our SharePoint site? If a user logs in to OWA or the Office 365 Portal it never asks for that, so why can't that same login method be applied for SharePoint?

 

Verified Answer
  • Hello RodneyAlmeida,

    After you deployed SSO for your organization, all web apps (Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps) require you to enter your username or click to sign in for each session. You will not be prompted for your password if your computer is joined to the domain. This is normal behavior.

    Office 365 web sessions such as Outlook Web App (OWA) and SharePoint Online sites are maintained by web browser cookies, and the session cookie stored in memory has a Time to Live (TTL) value. Before the session cookie expires, you can access these web apps seamlessly.

    For your convenience, I would like to list the user sign-in experience with both Cloud Identity and Federated Identity as follows for your reference.

    | Sign-in experience with Office 365 | Cloud Identity | Federated Identity |
    |---|---|---|
    | Microsoft Outlook® 2010 on Windows® 7 | Sign in each session [1] | Sign in each session [2] |
    | Outlook 2007 on Windows 7 | Sign in each session [1] | Sign in each session [3] |
    | Outlook 2010 or Outlook 2007 on Windows Vista® or Windows XP | Sign in each session [1] | Sign in each session [1] |
    | Exchange ActiveSync® | Sign in each session [1] | Sign in each session [1] |
    | POP, IMAP, Microsoft Outlook for Mac 2011 | Sign in each session [1] | Sign in each session [1] |
    | Web Experiences: Office 365 Portal / Outlook Web App / SharePoint Online / Office Web Apps | Sign in each browser session | Sign in each session [4] |
    | Office 2010 or Office 2007 using SharePoint Online | Sign in each SharePoint Online session [5] | Sign in each SharePoint Online Session |
    | Lync Online | Sign in each session [1] | No prompt |
    | Outlook for Mac 2011 | Sign in each session [1] | Sign in each session [1] |

    Note

    [1] When first prompted, you can save your password for future use. You will not receive another prompt until you change the password.

    [2] You enter your corporate credentials. You can save your password and will not be prompted again until your password changes.

    [3] Outlook 2007 will be updated after Office 365 has been made generally available to have the same experience as Outlook 2010 on Windows 7.

    [4] All apps require you to enter your username or click to sign in. You are not prompted for your password if your computer is joined to the domain.

    [5] If you click on "Keep me signed in" you will not be prompted again until you sign out.

    Reference
    ===========
    Office 365 for Enterprise Service Descriptions
    http://www.microsoft.com/download/en/details.aspx?id=13602

    Thank you.

    Jack Sun

All Replies
  • Hi Rodney,

    If you have SSO set up then I suggest you make use of smart links. We have it set up in our environment and it works great.

    community.office365.com/.../using-smart-links-or-idp-initiated-authentication-with-office-365.aspx

    Basically it is setting up a subdomain / domain that resolves to the ADFS, bypassing the Office 365 login page.

    -Martin

  • Hello RodneyAlmeida,

    Did the above replies answer your questions? If the information is helpful, please show this thread as answered so others may benefit from the information. Thank you.

    Jack Sun

  • Hi Martin,

    This is interesting. I don't know much about these, but after reading through that link I thought, could we not also just create standard favourites in IE that point to that "sts.contoso.com/.../" link instead of contoso.sharepoint.com?

  • It is using a 302 redirection service rather than a DNS CNAME record, so you should access your website with the actual link, instead of an alternative URL.

    Sky

  • The implementation of SSO, IMHO, is terrible. Isn't there a way NOT to have to go back and forth with redirection, links, browser authentication business but instead ONE forms based authentication and that's it? The Google apps methodology in my opinion is superior where passwords are actually synchronized and the entire process doesn't hinge on a single point of failure - that fs box that has to run on-prem...

    So in summary I do have a constructive question: is there a better more polished way to do SSO with single forms based authentication page?

  • Hello Boyan,

    To allow users to access online services in Office 365 with your AD corporate credentials, not to maintain separate user names and passwords for your online and on-premises accounts, you should deploy Single sign-on for users in your organization. If you have additional questions, to make sure your problem can be resolved effectively, please post a new question for your problem in the forum.

    Thank you for your understanding.

    Jack Sun