How Web authentication broker single sign-on works

The Web authentication broker enables single sign-on (SSO) by allowing persisted cookies (e.g. logon cookie) to live in a special purpose SSO app container. The application calls a special overload of the AuthenticateAsync method to request authentication hosts to run in that app container. In order to protect any cookies that may exist, the broker requires the redirect URL to be in the form of “ms-app://<SID>” where <SID> matches the calling application’s package SID.

For example, Fabrikam is a developer of a Windows Store app that uses Contoso’s services.

At development time, Fabrikam registered its application with the Windows Dev Center and as a result received a unique SID. Then Fabrikam registered their app with Contoso.com, including two of its redirect URLs, one of which was "ms-app://S-1-5-4321".

At runtime, Fabrikam's Windows Store app invokes Web authentication broker in SSO mode. As part of processing the request, Contoso.com verifies that the redirect URL is in the set of registered URLs. After Contoso authenticates the user, it redirects to the requested redirect URL with an access token appended: "ms-app://S-1-5-4321?token=ABC". When Web authentication broker encounters a URL of this form that matches the calling app's SID, it returns the token contained in the query string or post data back to the app.

If there were any cookies already created in the SSO app container, the user would not need to sign in to Contoso. If any other app were to try to impersonate Fabrikam’s app, it would fail, because Contoso verified the identity of the app by making sure that one of the already registered redirect URLs is being requested, and Web authentication broker made sure that only the app that shares the same SID as the one Contoso redirects to receives the protocol data.

Requirements to enable SSO

For Windows Store app developers to take advantage of the SSO mode of the Web authentication broker, a provider needs to do the following.

  • Allow URLs of the form ms-app://SID, where SID is the calling app's package SID.
  • Instruct app developers to call the version of AuthenticateAsync that does not specify a redirectURL. If the provider supplies an SDK for Windows Store app development, that SDK should use this overload as well.
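The two checks that make the flow above safe, the provider's exact match of the redirect URL against the registered set and the broker's comparison of the ms-app host with the calling app's package SID, are modelled below as an added, self-contained example; it is not code from the Windows platform or from any provider, and the client id "fabrikam-client", the https callback URL and the registry dictionary are constructed for illustration (the SID S-1-5-4321 is the page's example value).

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed registry: redirect URLs each client registered with the provider.
REGISTERED_REDIRECTS = {}


def is_ms_app_sid_url(url):
    """True only for the exact ms-app://<SID> form: no path, query or fragment."""
    p = urlsplit(url)
    return (p.scheme == "ms-app" and p.netloc.startswith("S-1-")
            and p.path in ("", "/") and not p.query and not p.fragment)


def register_redirect(client_id, url):
    """Provider registration step: accept https URLs and the ms-app://<SID> form."""
    if not (urlsplit(url).scheme == "https" or is_ms_app_sid_url(url)):
        raise ValueError("unsupported redirect URL: " + url)
    REGISTERED_REDIRECTS.setdefault(client_id, set()).add(url)


def provider_authorize(client_id, redirect_url, token):
    """Provider side: redirect only to a URL registered for this client (exact match,
    not a prefix match), appending the token to the query string."""
    if redirect_url not in REGISTERED_REDIRECTS.get(client_id, set()):
        raise ValueError("redirect URL not registered for " + client_id)
    return redirect_url + "?" + urlencode({"token": token})


def broker_handle_navigation(url, calling_app_sid):
    """Broker side: a non ms-app URL is ordinary navigation (None); an ms-app URL
    ends the flow and its token is released only if the host equals the calling
    app's package SID. netloc is compared, not hostname, so case is preserved."""
    p = urlsplit(url)
    if p.scheme != "ms-app":
        return None
    if p.netloc != calling_app_sid:
        raise PermissionError("redirect SID %s is not the calling app" % p.netloc)
    return parse_qs(p.query).get("token", [None])[0]


# Constructed sample registration matching the Fabrikam/Contoso example.
register_redirect("fabrikam-client", "https://fabrikam.example/callback")
register_redirect("fabrikam-client", "ms-app://S-1-5-4321")

if __name__ == "__main__":
    location = provider_authorize("fabrikam-client", "ms-app://S-1-5-4321", "ABC")
    print(location, "->", broker_handle_navigation(location, "S-1-5-4321"))
```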

Web authentication broker sample

Windows.Security.Authentication.Web

Connecting to online identity providers