Some users are experiencing a problem with MFA when logging in. They get the error:

```
InteractionRequiredAuthError: Seamless single sign on failed for the user. This can happen if the user is unable to access on premises AD or intranet zone is not configured correctly
```
The app is Angular 8. Some users can log in, some not. When the device is part of the company tenant, so that no MFA is done, it always works.
In the authentication details in Azure this is logged: `Successful: false - MFA requirement satisfied by claim in the token.`
Any advice why some users have problems?
My configuration is:
```js
// Opening call reconstructed so the fragment parses; the original post starts at `auth:`.
MsalModule.forRoot({
  auth: {
    clientId: '45t45g4g-1ab3-4374-b63e-8139e1d42350',
    authority: 'https://login.microsoftonline.com/dddddddd',
    validateAuthority: true,
    navigateToLoginRequestUrl: false,
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: false
  },
},
{
  popUp: false,
  consentScopes: [
    'user.read',
    'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
  ],
  unprotectedResources: ['https://www.microsoft.com/en-us/'],
  protectedResourceMap,
  extraQueryParameters: {}
})
```
@Mr230268 Can you please clarify which APIs you are calling that result in this error? Generally speaking, applications should handle InteractionRequired errors by invoking acquireTokenPopup or acquireTokenRedirect. Is your application doing this?
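The silent-first, interactive-on-InteractionRequired pattern the maintainer refers to, as an added example that is not code from the MSAL project or from anyone in this thread. It is written against a minimal client interface so it runs offline; it assumes the real MSAL v1 client (`UserAgentApplication` or the Angular `MsalService`) exposes `acquireTokenSilent(request)` returning a promise and `acquireTokenRedirect(request)`, and that MSAL v1 tags the error with `name === "InteractionRequiredAuthError"`. The fake client, the request object and the token value are constructed for the demonstration.

```javascript
// Added example (not from the MSAL project or the issue author).
// Assumption: the MSAL v1 client has acquireTokenSilent(request) -> Promise<AuthResponse>
// and acquireTokenRedirect(request) -> void, and interaction-required failures
// carry err.name === "InteractionRequiredAuthError".

function isInteractionRequired(err) {
  return !!err && err.name === "InteractionRequiredAuthError";
}

// Try to get a token silently; fall back to an interactive redirect only when the
// library says interaction is required. Any other failure (network, configuration)
// is rethrown so it is not masked by an endless redirect loop.
async function acquireTokenWithFallback(client, request) {
  try {
    const response = await client.acquireTokenSilent(request);
    return { outcome: "silent", accessToken: response.accessToken };
  } catch (err) {
    if (isInteractionRequired(err)) {
      // In a browser this navigates away; control does not return to this frame.
      client.acquireTokenRedirect(request);
      return { outcome: "redirect", accessToken: null };
    }
    throw err;
  }
}

// Constructed stand-in for the MSAL client so the two code paths can be exercised.
// behaviour: "ok" | "interaction" | "other"
function makeFakeClient(behaviour) {
  const calls = [];
  return {
    calls,
    async acquireTokenSilent() {
      calls.push("silent");
      if (behaviour === "ok") return { accessToken: "constructed-token" };
      const e = new Error("Seamless single sign on failed for the user.");
      e.name = behaviour === "interaction" ? "InteractionRequiredAuthError" : "ClientAuthError";
      throw e;
    },
    acquireTokenRedirect() {
      calls.push("redirect");
    },
  };
}

const scopesRequest = { scopes: ["user.read"] }; // constructed request

// Stand-alone run: shows each path when executed directly.
(async () => {
  for (const b of ["ok", "interaction"]) {
    const c = makeFakeClient(b);
    const r = await acquireTokenWithFallback(c, scopesRequest);
    console.log(b, "->", r.outcome, "calls:", c.calls.join(","));
  }
})();
```

The important design point is the `throw err` branch: only `InteractionRequiredAuthError` should trigger interaction, so an unrelated error (a misconfigured authority, a blocked network) surfaces instead of bouncing the user through redirects.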
I'm having the same problem with a React and React Native application, and the problem started after activating MFA.
I'm using react-adal, which probably uses msal for its implementation.
@jo-arroyo
Maybe I'm doing something wrong. The app had its own user management before, but then we had to switch to AAD. We did it as simply as possible. It now works like this:
When the app starts, the user presses Login. A service then calls:
```js
this.msal.loginRedirect();
```
The user enters the credentials, and when it is a device outside our company, MFA is initiated. Everything runs well, the login is processed successfully and it is redirected to the app.
With this
```js
if (this.msal.getAccount() !== null)
```
I check if an account is now available. When it is not null, I call a protected route. The server validates the token, takes the email address and starts a session. From that point the session management is done by the app itself. We only need it to prove the email identity at session start.
But for me it seems that no code of my app is processed after the redirect. The crash happens before, in MSAL.
The error occurs only with MFA. It depends on the user. Some users work, some not.
The only difference I found in the Azure AD sign-in protocol between a login of mine (working) and a colleague's where it is not working is in the Azure Details Authentication:

| Successful | Result detail | Request |
| --- | --- | --- |
| false | MFA requirement satisfied by claim in the token | MultiConditionalAccess |

When it's working, this line above is not there.
Thanks for any help!
Hi,
I figured out what the problem is:
All users with this exception have 3rd-party cookies disabled. There is a document about this problem:
https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-third-party-cookies-spas
The error message is maybe misleading, or my understanding is not right. To prevent this, is one solution to add the authorization site from MS to the intranet zone so it is not third-party?
I was using "in private" mode in Chrome, and by default Chrome disables third-party cookies for in-private mode. After enabling third-party cookies for in-private mode, it started to work.
@Mr230268 It is expected that some operations in MSAL.js v.1 will not work properly with third-party cookies disabled.
> I check if an account is now available. When it is not null, I call a protected route. The server validates the token, takes the email address and starts a session. From that point the session management is done by the app itself. We only need it to prove the email identity at session start.
> But for me it seems that no code of my app is processed after the redirect. The crash happens before, in MSAL.
Please clarify what this protected route is. Are you navigating a user to a page that is protected by the MSAL guard, or are you initiating an HTTP request?
Please also provide logs from the MSAL Logger. This will help us understand what is happening.
@jo-arroyo
I initiate an HTTP request. But it doesn't matter anymore.
For me it is closed, because when I enable third-party cookies everything works as expected again. I just leave it open to say that an error message with a hint about third-party cookies would have saved me a lot of hours. This would be great. Example:
```
InteractionRequiredAuthError: Seamless single sign on failed for the user. This can happen if the user is unable to access on premises AD or intranet zone is not configured correctly. It can also happen when access to third party cookies is disabled.
```
I know now that we have to move to msal 2.X to solve this problem, but the msal angular wrapper is not ready for it right now. So I hope this will happen soon. Till then I keep my fingers crossed that we can still enable third-party cookies in the browsers.
Please think about this little hint in this case and then please close this issue. Thank you!
@Mr230268 Thank you for the feedback. We'll take this into consideration.