question

VaughnDeFouw-2588 asked

Google Cloud / G Suite SSO Password Hash Issues - Chromebooks

We have Chromebooks using the SAML IdP from Azure as the login provider. The login flow works fine, except for when you enter a password incorrectly.
When you enter a password incorrectly, it shows "Your account password is incorrect. If you don't remember your password, reset it now".
The user then enters his/her password correctly.
The Chromebook then says "Please re-enter your password to update your Chromebook profile".
Google claims that Microsoft needs to implement the following API: https://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices
The question is - who needs to fix this problem? To me, it feels like the Chromebook caches the initial password hash for the incorrect password and then doesn't update it when the user successfully enters a password again.
It successfully caches the hash when a user is brand new to a Chromebook, but if there is ever an incorrect password entered, this behavior occurs.
Any help would be greatly appreciated. Google is pointing their finger at Microsoft - hopefully this doesn't turn into a finger-pointing war :). I just want this annoying issue fixed for my users.

azure-ad-enterpriseapps

Here, caching the password is something which the Chromebook should manage, as in any system? Unless the SAML IdP is like a plugin which does the caching part, then it should be Microsoft. I do not have a Chromebook, so it is hard to test this. Have you tried engaging support on this?


1 Answer

VaughnDeFouw-2588 answered

Google just gave me this article:
https://www.chromium.org/administrators/advanced-integration-for-saml-sso-on-chrome-devices

The engineer just told me:
"The issue is with the "add()" call on the sign in flow. The hash used after a failed attempt is incorrect in the "complete()" callback and is therefore invalidating the response. Their sign in flow is not cut short once credentials are entered incorrectly, instead they redirect to the sign in form of their SSO. When this method is used, the "add()" call needs to be made again, so the same token can be used and any credentials previously passed with the same token are superseded and replaced."

Any suggestion on how to get this to the correct team at Microsoft to look into for fixing? Arguably, I still say it's a Google issue. Azure is sending data that obviously lets the Chromebook sign in - why can't they just fix it to accept whatever the SSO sends?
