
Enabling Windows SSO login in Firefox settings bypasses container isolation

Open codesmacgodes opened this issue 3 years ago • 14 comments

Before submitting a bug report

  • [X] I searched for existing reports to see if it hasn't already been reported
  • [X] I updated to the latest version of Multi-Account Container and tested if I can reproduce the issue

Step to reproduce

This issue seems more along the lines of a "technical debt" than a bug, or a feature request.

I first used account containers quite some time ago when it was built into Firefox, and pretty much cookies and local data were how browsers maintained state with respect to a given web site. When it comes to isolating those things with Container Tabs, that has been as good as a private browsing window, as far as I've known. I think the landscape shifted a little when Firefox added support for Windows Single Sign-on, though.

I think some kind of warning about the dubious interaction between the features, a prompt to disable the setting, or even a checkbox per container may be in order. Hopefully someone has a better idea.

Actual behavior

When I create a new container, and visit certain websites from MS or with MS integrations, each brand new container is as likely to be "already logged in" as any other.

Expected behavior

The expectation of a blank slate from the fresh container tab doesn't hold. It could be considered a privacy thing.

Additional informations

Trying to talk myself out of submitting an issue, I did consider how my expectations might be unusual . . . it is kind of similar to having entered a primary password, after all. Primary password makes information available for potential use in all containers (and private windows) at once. I think this is different, though, because the relatively recent Windows SSO feature is automatically used, not just made available. With a saved password, I can make a new container but I'm still not logged in for my first connection to a site, in a container tab. The issue is that a Windows SSO login is as good as done, as soon as there's any opportunity to use it.

It's just a hunch, but I suspect this could need some corresponding work in Firefox itself, as well.

Provide a copy of Troubleshooting Information page

I don't think the "about:support" is likely to help with this kind of "bug". The issue is with the intended behavior on all affected platforms.

codesmacgodes avatar Jul 22 '22 16:07 codesmacgodes

I've noticed this as well. Multi-Account Container is an absolute must when managing multiple Azure/O365 tenants, but this bug is massively annoying. My workaround thus far has been to disable the SSO integration, then close and reopen before creating new containers. Once they're created, switch back to my base account, reload the page, then turn SSO back on before closing and reopening Firefox.

dgriffinzero avatar Jul 23 '22 07:07 dgriffinzero

I experience the same behaviour. The containers in Firefox are a great feature, however, when the SSO option is enabled, I prefer to not auto login to Office365 when opening a new container window!

Please fix this!

Flappiee avatar Nov 03 '22 14:11 Flappiee

Would be nice to know if this issue is on a to-do list or on a no-go list so to speak. Can we expect this to be fixed?

woodyard avatar Nov 09 '22 12:11 woodyard

I've created a Microsoft account and tried to reproduce this in a fresh Firefox profile. On my side, Multi-Account Containers was working as expected, meaning that it wasn't automatically logging me in to a newly created container.

Without more information, we can't even confirm that there's a bug. If someone is able to reproduce in a fresh profile and provide more detailed "steps to reproduce" (bonus point if it's a screen recording), that could be very useful.

dannycolin avatar Nov 16 '22 20:11 dannycolin

> I've created a Microsoft account and tried to reproduce this in a fresh Firefox profile. On my side, Multi-Account Containers was working as expected, meaning that it wasn't automatically logging me in to a newly created container.
>
> Without more information, we can't even confirm that there's a bug. If someone is able to reproduce in a fresh profile and provide more detailed "steps to reproduce" (bonus point if it's a screen recording), that could be very useful.

The "Windows single sign-on" toggle in Firefox settings should work as a toggle per container instead. Either that or a possibility to override the general app setting on a per-container basis. Hope it makes sense :)

woodyard avatar Nov 16 '22 20:11 woodyard

> The "Windows single sign-on" toggle in Firefox settings

Do you mean that you're logged in to your account directly in the Firefox settings? If yes, any chance you could share a screenshot, because I'm on Linux so I might not see the same thing as you ;).

dannycolin avatar Nov 16 '22 20:11 dannycolin

Sure. Here I have a container where I normally work on M365 tenant B (1 on image). I have just enabled SSO in FF settings and go to www.office.com in that container. Now it logs me in with SSO to the tenant that my PC is joined to (2 on image). I would have wanted that I could turn OFF (or ON) that SSO function on a per-container basis.

image

woodyard avatar Nov 16 '22 20:11 woodyard

Thanks, this is exactly the missing piece of information I needed. However, the bad news is there's nothing that can be done on our side (Multi-Account Container) since the addon doesn't have any control over this Firefox feature.

I filed a bug upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=1800971

dannycolin avatar Nov 16 '22 21:11 dannycolin

> Thanks, this is exactly the missing piece of information I needed. However, the bad news is there's nothing that can be done on our side (Multi-Account Container) since the addon doesn't have any control over this Firefox feature.
>
> I filed a bug upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=1800971

Thank you, Danny!

woodyard avatar Nov 16 '22 21:11 woodyard

Hi, just leaving a reply as a user really wanting/needing this. And I fully agree with @woodyard, this should be an option to allow SSO to a specific container.

Background: I have the tendency to put everything of my employer in one container and the computer is signed in through AzureAD. From other customers everything (that uses O365) will go into its own container and I don't like to pollute the "non-container" with useless SSO sessions and for that one I'd like to turn it off (as well as all other containers).

Thanks so much on working on this and this plugin is a lifesaver in my day to day work!

OeveringIT avatar Dec 23 '22 08:12 OeveringIT

This issue describes a similar use case to https://github.com/mozilla/multi-account-containers/issues/1966 (description specific to the SPNEGO SSO type).

Both issues can be merged IMO with enumeration of all types of SSO considered.

/cc @dannycolin

EDIT: Note after some looking around in code and comments at https://bugzilla.mozilla.org/show_bug.cgi?id=1800971.

The Windows SSO (i.e. network.http.windows-sso.enabled, using the Win32 API, located at /netwerk/protocol/http/HttpWinUtils.cpp) is a completely separate implementation from the "classical" SSO using SPNEGO (located at /extensions/auth).

The Windows SSO on the Win32 API seems to be never used in private browsing (nsHttpChannel.cpp#424). The SPNEGO SSO can be enabled in private browsing by using the configuration flag network.auth.private-browsing-sso=true

It might be a slight discrepancy to not have included the Windows/Win32 API SSO as part of the flag network.auth.private-browsing-sso.

Perdjesk avatar Jan 16 '23 10:01 Perdjesk
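An added example, not part of the thread and not Firefox or Multi-Account Containers code: a small auditor that reads a profile's `prefs.js` (and optional `user.js`, which Firefox applies on top at startup) and reports the two SSO prefs named in the comment above. The function names and the sample file contents are constructed for illustration; a value of `None` means the pref is not set in the profile, so the Firefox default applies.

```python
import json
import re

# The two prefs named in the comment above.
SSO_PREFS = (
    "network.http.windows-sso.enabled",
    "network.auth.private-browsing-sso",
)

# Firefox writes one pref per line: user_pref("name", value);
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)

# Constructed sample profile contents (not taken from a real machine).
SAMPLE_PREFS_JS = """// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.page", 3);
// user_pref("network.auth.private-browsing-sso", true);
user_pref("network.http.windows-sso.enabled", true);
"""
SAMPLE_USER_JS = 'user_pref("network.http.windows-sso.enabled", false);\n'


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js/user.js body."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments (including commented-out prefs), blank lines
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, quoted strings
        except ValueError:
            prefs[name] = raw  # keep the raw text rather than guess
    return prefs


def sso_state(prefs_js, user_js=""):
    """Effective SSO prefs for one profile; user.js entries override prefs.js."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return {name: merged.get(name) for name in SSO_PREFS}


if __name__ == "__main__":
    for name, value in sso_state(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{name} = {value!r}")
```
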

@Perdjesk Let's keep these two separate then.

dannycolin avatar Jan 16 '23 14:01 dannycolin

This issue seems to be fixed in Firefox version 113: https://bugzilla.mozilla.org/show_bug.cgi?id=1800971#c18

nils2614 avatar Jul 20 '23 08:07 nils2614

Can confirm this. Running 115.0.2. Enabled the SSO Feature. When opening a new tab, there is no SSO. In the default tab, SSO works. Great to have this fixed!

Flappiee avatar Jul 20 '23 09:07 Flappiee