Reposting so that folks get a notification – from Paul:
Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.
We are also supporting the OAuth SAML Bearer Asssertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.ericmbowden shared this idea ·
197 votesplanned · 61 comments · Azure Active Directory » End user experiences · Flag idea as inappropriate… · Admin →
An error occurred while saving the commentericmbowden commented
This issue occurs for me anytime the user is currently logged in using an Azure AD account from another tenant (e.g. email@example.com), but the user is intending to access my application resource using their live id account (e.g. firstname.lastname@example.org).
Workarounds are pretty rough:
* Start a new private browser session
* Open the browser to https://login.microsoftonline.com/login.srf?wa=wsignout1.0 which will log the user out of the existing account. Unfortunately, this url does not include the ability to perform a redirect using wreply (from that I’ve read, wreply is disabled for login.srf).
* Logout from the account currently signed in using some other means.
Unfortunately, users will rarely be able to repair this issue on their own.
Appreciate any solutions, workarounds, or a means for communicating a meaningful error message and recommended workaround to the end user.
I can provide a URL which can be used to easily observe this issue, upon request.ericmbowden supported this idea ·