Closed Bug 1768724 Opened 2 years ago Closed 1 month ago

Add support for Microsoft SSO on macOS

Categories

(Core :: Networking, enhancement, P2)

Unspecified
macOS
enhancement
Points: 2

Tracking

()

RESOLVED FIXED
132 Branch
Tracking Status
firefox-esr128 --- fixed
firefox131 --- wontfix
firefox132 --- fixed

People

(Reporter: mkaply, Assigned: sekim)

References

Details

(Whiteboard: [necko-triaged][necko-priority-queue])

Attachments

(9 files, 9 obsolete files)

Attached file Same Code Snippet

We added Microsoft SSO support on Windows and we'd like to do the same for macOS.

On macOS, it would only work on a corporate device.

There is sample code here:

https://github.com/AzureAD/microsoft-authentication-library-common-for-objc/blob/master/IdentityCore/src/requests/broker/MSIDSSOExtensionGetSsoCookiesRequest.m

and here:

https://github.com/AzureAD/microsoft-authentication-library-common-for-objc/blob/master/IdentityCore/src/requests/broker/MSIDSSOExtensionGetDataBaseRequest.m

I'll also attach sample responses and code

Attached file Sample JSON response
OS: Unspecified → macOS

Mike, can you help us prioritize this bug?

Flags: needinfo?(mozilla)
Flags: needinfo?(ghess)

Mike please let us know if you have any input on prioritization. Tentatively, we have flagged this enhancement for 2022-H2 roadmap planning.

Flags: needinfo?(ghess)
Whiteboard: [necko-2022-h2-planning]

Mike please let us know if you have any input on prioritization. Tentatively, we have flagged this enhancement for 2022-H2 roadmap plannin

I don't have any input. Microsoft requested this and we had already done it on Windows, so it's a "nice to have".

What you've set sounds good.

Flags: needinfo?(mozilla)
Severity: -- → N/A
Priority: -- → P2
Whiteboard: [necko-2022-h2-planning] → [necko-2022-h2-planning][necko-triaged]

Microsoft reached out to us to see if we could prioritize this.

They have customers requesting it.

Whiteboard: [necko-2022-h2-planning][necko-triaged] → [necko-triaged][necko-priority-queue]

We should do something similar to what we did for Windows here.

Points: --- → 2
Duplicate of this bug: 1869802
Assignee: nobody → sekim
See Also: → 1695693

Taking on this bug a few hours ago, I have a few questions regarding it.

  1. How should the bug be tested? (I am mainly referring to the past patch for Microsoft SSO on Windows: https://phabricator.services.mozilla.com/D114540)

  2. In the attached code, queryItems is used for authorizationOptions. What are the specific options being passed here?

  3. How would the implementation vary compared to the SSO support in Windows? Any considerations?

  4. Are there any interfaces like IProofOfPossessionCookieInfoManager for macOS?

Flags: needinfo?(mozilla)

The Company Portal app stores Microsoft credentials:

https://learn.microsoft.com/en-us/mem/intune/apps/apps-company-portal-macos

The API documentation is here:

https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonrequest

On macOS, we would be using headers only so we should need the cookie stuff.

I'll reach out to Microsoft and ask them to jump in.

Flags: needinfo?(mozilla)
Attachment #9405306 - Attachment description: WIP: Bug 1768724 - Add support for Microsoft SSO on macOS → Bug 1768724 - Add support for Microsoft SSO on macOS (Non-Necko Part) r?kershaw
Attachment #9405306 - Attachment description: Bug 1768724 - Add support for Microsoft SSO on macOS (Non-Necko Part) r?kershaw → Bug 1768724 - Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part)
Attachment #9405306 - Attachment description: Bug 1768724 - Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part) → Bug 1768724 - Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part)
Attachment #9412770 - Attachment description: WIP: Bug 1768724 - Add support for Microsoft SSO on macOS (Necko Part) → Bug 1768724 - Part 2: Add MS SSO Authority List and Initialize HttpMacOSXUtils r=#necko
Attachment #9405306 - Attachment description: Bug 1768724 - Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part) → WIP: Bug 1768724 - Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part)
Attachment #9405306 - Attachment description: WIP: Bug 1768724 - Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part) → Bug 1768724 - Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part)
Attachment #9417343 - Attachment description: Bug 1768724 - Part 3: Add support for Microsoft SSO on macOS (Necko Part) → WIP: Bug 1768724 - Part 3: Add support for Microsoft SSO on macOS (Necko Part)
Attachment #9417343 - Attachment description: WIP: Bug 1768724 - Part 3: Add support for Microsoft SSO on macOS (Necko Part) → Bug 1768724 - Part 3: Add support for Microsoft SSO on macOS (Necko Part)
Attachment #9405306 - Attachment description: Bug 1768724 - Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part) → Bug 1768724 - Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part) r=mkaply
Attachment #9417343 - Attachment description: Bug 1768724 - Part 3: Add support for Microsoft SSO on macOS (Necko Part) → WIP: Bug 1768724 - Part 3: Add support for Microsoft SSO on macOS (Necko Part)
Attachment #9417343 - Attachment description: WIP: Bug 1768724 - Part 3: Add support for Microsoft SSO on macOS (Necko Part) → Bug 1768724 - Part 3: Add support for Microsoft SSO on macOS (Necko Part) r=#necko
Attachment #9412770 - Attachment description: Bug 1768724 - Part 2: Add MS SSO Authority List and Initialize HttpMacOSXUtils r=#necko → Bug 1768724 - Part 2: Add MS SSO Authority List and Initialize MicrosoftEntraSSOUtils r=#necko
See Also: → 1878705
See Also: → 1870561
Pushed by sekim@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/277fe041eda5 Part 2: Add MS SSO Authority List and Initialize MicrosoftEntraSSOUtils r=necko-reviewers,kershaw
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 131 Branch
Status: RESOLVED → REOPENED
Keywords: leave-open
Resolution: FIXED → ---
Pushed by sekim@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0f7a7bba955f Part 3: Add support for Microsoft SSO on macOS (Necko Part) r=necko-reviewers,kershaw
Status: REOPENED → ASSIGNED
Blocks: 1917664
Keywords: leave-open
Attachment #9425684 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: This would postpone Microsoft SSO on macOS
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A, we just introduced a policy for other patches in https://bugzilla.mozilla.org/show_bug.cgi?id=1768724
  • Risk associated with taking this patch: Minimal
  • Explanation of risk level: This patch introduces a policy for existing patches already in beta (https://bugzilla.mozilla.org/show_bug.cgi?id=1768724)
  • String changes made/needed: N/A
  • Is Android affected?: no

So actually, this does have a string change, but on the ESR at least, we've allowed English policy strings. Hoping that can be allowed here.

Hi Mike! It's a little late in the cycle for a string change unfortunately. NIing flod though just in case

Flags: needinfo?(francesco.lodolo)

beta Uplift Approval Request

  • User impact if declined: This would postpone Microsoft SSO on macOS
  • Code covered by automated testing: no
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A, we just introduced a policy for other patches in https://bugzilla.mozilla.org/show_bug.cgi?id=1768724
  • Risk associated with taking this patch: Minimal
  • Explanation of risk level: This patch introduces a policy for existing patches already in beta (https://bugzilla.mozilla.org/show_bug.cgi?id=1768724)
  • String changes made/needed: English policy strings
  • Is Android affected?: no
Pushed by sekim@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b5f67647ff55 Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part) r=fluent-reviewers,mkaply,mossop,bolsson
Flags: needinfo?(sekim)
Pushed by sekim@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c23036c1ed6f Part 1: Add a preference and policy for Microsoft SSO on macOS (Non-Necko Part) r=fluent-reviewers,mkaply,mossop,bolsson

I'm confused. This patch has been around for a while, what is the urgency? While the string is not highly visible, it will still trigger a warning in console when you open about:policies, so the timing is not great (3 days from freeze for beta and this hasn't landed in mozilla-central yet, no locale will have it).

I would also point out that a completely different version of the string was reviewed and approved

policy-macOSSSO = Allow macOS single sign-on for Microsoft, work, and school accounts.

Now I see this, which would probably benefit from a comment about Entra.

policy-MicrosoftEntraSSO = Allow single sign-on for Microsoft Entra accounts.

P.S. :bolsson is the right person to reach out to for uplift requests, he's the one doing most of Firefox l10n these days

Flags: needinfo?(francesco.lodolo)
Status: ASSIGNED → RESOLVED
Closed: 2 months ago → 1 month ago
Resolution: --- → FIXED

flod, you're right, we'll let it ride the trains. And I'll get a comment on that string.

Attachment #9425684 - Attachment is obsolete: true
Attachment #9425684 - Flags: approval-mozilla-beta?

Did you want to nominate this for the Fx132 relnotes? Please set the relnote-firefox flag to ? and fill out the auto-populated form if so. Though I'm a bit confused by the status of this bug. It looks like the majority of the work landed in Fx131 with just the enterprise policy pref patch landing in Fx132? So does this need to go into the Fx131 relnotes actually?

Flags: needinfo?(sekim)
Target Milestone: 131 Branch → 132 Branch

I think I'm just going to cover it in the enterprise release notes.

Flags: needinfo?(sekim)
Pushed by flodolo@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/75aad5e2c99c Update translation comment. r=flod,fluent-reviewers DONTBUILD

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)

Attachment #9431059 - Flags: approval-mozilla-esr128?
Attachment #9431059 - Attachment is obsolete: true
Attachment #9431059 - Flags: approval-mozilla-esr128?
Attachment #9431436 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: Wanted for feature parity with release
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: Low
  • Explanation of risk level: Patch only applies to Msft SSO case
  • String changes made/needed: Policy description
  • Is Android affected?: no
Attachment #9431588 - Flags: approval-mozilla-esr128?
Attachment #9431589 - Flags: approval-mozilla-esr128?
Attachment #9431590 - Flags: approval-mozilla-esr128?
Attachment #9431591 - Flags: approval-mozilla-esr128?
Attachment #9431592 - Flags: approval-mozilla-esr128?
Attachment #9431593 - Flags: approval-mozilla-esr128?
Attachment #9431594 - Flags: approval-mozilla-esr128?
Attachment #9431595 - Flags: approval-mozilla-esr128?
Attachment #9431596 - Flags: approval-mozilla-esr128?
Attachment #9431588 - Attachment is obsolete: true
Attachment #9431588 - Flags: approval-mozilla-esr128?
Attachment #9431594 - Attachment is obsolete: true
Attachment #9431594 - Flags: approval-mozilla-esr128?
Attachment #9431590 - Attachment is obsolete: true
Attachment #9431590 - Flags: approval-mozilla-esr128?
Attachment #9431592 - Attachment is obsolete: true
Attachment #9431592 - Flags: approval-mozilla-esr128?
Attachment #9431593 - Attachment is obsolete: true
Attachment #9431593 - Flags: approval-mozilla-esr128?
Attachment #9431595 - Attachment is obsolete: true
Attachment #9431595 - Flags: approval-mozilla-esr128?
Attachment #9431596 - Attachment is obsolete: true
Attachment #9431596 - Flags: approval-mozilla-esr128?
Attachment #9431436 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9431589 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9431591 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

When we uplift patches with string changes, we should also pick up updates to localization, similarly to what was done in
https://hg.mozilla.org/releases/mozilla-esr128/rev/4298182958afcf96c6ba2f16aa46db003e041f84

Could someone land a patch for that? There's no real need of review from l10n (in case, flag :bolsson).

Sorry, I thought I remembered enterprise policies being less strict around that. I'll get it, thanks for the ping.
