Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

ericmbowden

My feedback

  1. 39 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    10 comments  ·  Azure Active Directory » Authentication  ·  Flag idea as inappropriate…  ·  Admin →

    Reposting so that folks get a notification – from Paul:

    Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Asssertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.

    ericmbowden shared this idea  · 
  2. 197 votes

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  61 comments  ·  Azure Active Directory » End user experiences  ·  Flag idea as inappropriate…  ·  Admin →
    An error occurred while saving the comment
    ericmbowden commented  · 

    This issue occurs for me anytime the user is currently logged in using an Azure AD account from another tenant (e.g. user@contoso.onmicrosoft.com), but the user is intending to access my application resource using their live id account (e.g. user@live.com).

    Workarounds are pretty rough:

    * Start a new private browser session
    * Open the browser to https://login.microsoftonline.com/login.srf?wa=wsignout1.0 which will log the user out of the existing account. Unfortunately, this url does not include the ability to perform a redirect using wreply (from that I’ve read, wreply is disabled for login.srf).
    * Logout from the account currently signed in using some other means.

    Unfortunately, users will rarely be able to repair this issue on their own.

    Appreciate any solutions, workarounds, or a means for communicating a meaningful error message and recommended workaround to the end user.

    I can provide a URL which can be used to easily observe this issue, upon request.

    ericmbowden supported this idea  · 

Feedback and Knowledge Base