Microsoft SSO flow

Good afternoon. I’ve been trying Microsoft SSO since it was announced and I noticed something I want to ask you all about.
When you click the Microsoft login button, a window to log in to your Microsoft account is opened, but if you click on “Do not ask again” or similar in order to be able to log in quickly next time and not have to enter your password again, it doesn’t work and asks again for credentials.

I would like to ask if it is the same for you or if something is wrong on my side, because I stored my Microsoft password in Passbolt and it’s funny having to log in with a passphrase in order to get the password to log in with SSO :slight_smile:

Hello,

When you click the Microsoft login button, a window to log in to your Microsoft account is opened, but if you click on “Do not ask again” or similar in order to be able to log in quickly next time and not have to enter your password again, it doesn’t work and asks again for credentials.

Yes, this is intentional. This is to prevent a scenario where an attacker is able to trigger an XSS inside the browser extension to be able to perform an action requiring privilege without user input. However this is customisable, not via the interface but via environment variables or passbolt.php, by setting PASSBOLT_PLUGINS_SSO_SECURITY_PROMPT to false. It is not available via the UI for a good reason :wink:

2 Likes

or

'passbolt' => [
    'plugins' => [
        'sso' => [
            'security' => [
                'prompt' => false
            ],
        ],
    ],
],

in /etc/passbolt/passbolt.php if env vars are not your forte :wink:

1 Like
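As an added audit check that is not from this thread or from Passbolt itself: a small Python helper that reports whether the SSO security prompt has been switched off through either the environment variable or the passbolt.php fragment above, so an administrator can see at a glance that the XSS safeguard was relaxed. It assumes that the strings "false" and "0" disable the prompt and that passbolt.php uses the nesting order shown; it matches the config with a regex rather than parsing PHP.

```python
"""Audit helper (constructed example, not Passbolt's own code): report whether
the SSO security prompt is disabled via the env var or via passbolt.php."""
import re
from typing import Optional

ENV_VAR = "PASSBOLT_PLUGINS_SSO_SECURITY_PROMPT"

# Heuristic: find 'sso' => [ ... 'security' => [ ... 'prompt' => <bool> in the
# order shown in the thread. This is a regex, not a PHP parser.
_PROMPT_RE = re.compile(
    r"'sso'\s*=>\s*\[.*?'security'\s*=>\s*\[.*?'prompt'\s*=>\s*(true|false)",
    re.IGNORECASE | re.DOTALL,
)


def prompt_from_env(env: dict) -> Optional[bool]:
    """Prompt setting implied by the env var, or None if it is unset.
    Assumption: the strings 'false' and '0' disable the prompt."""
    value = env.get(ENV_VAR)
    if value is None:
        return None
    return value.strip().lower() not in ("false", "0")


def prompt_from_php(config_text: str) -> Optional[bool]:
    """Prompt setting declared in passbolt.php, or None if not declared."""
    match = _PROMPT_RE.search(config_text)
    return None if match is None else match.group(1).lower() == "true"


def audit_sso_prompt(env: dict, config_text: str) -> dict:
    """Report both sources; flag the deployment if either one disables the
    prompt (the prompt is treated as enabled when neither sets it)."""
    from_env = prompt_from_env(env)
    from_php = prompt_from_php(config_text)
    disabled = from_env is False or from_php is False
    return {"env": from_env, "php": from_php, "prompt_disabled": disabled}


# Constructed sample inputs mirroring the thread, for a stand-alone run.
SAMPLE_ENV = {ENV_VAR: "false"}
SAMPLE_PHP = """<?php
return ['passbolt' => ['plugins' => ['sso' => [
    'security' => ['prompt' => false],
]]]];
"""

if __name__ == "__main__":
    print(audit_sso_prompt(SAMPLE_ENV, SAMPLE_PHP))
```

On a live host, pass `os.environ` and the contents of /etc/passbolt/passbolt.php; a `prompt_disabled` of True means the confirmation step described by the Passbolt reply has been turned off.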

I imagined that this was the reason, but I would like to know if there is something planned for the use case I mentioned, where I don’t know my Microsoft password and it is stored in Passbolt.

Maybe it is possible to have Microsoft ask me to use the Microsoft Authenticator mobile app to confirm login instead of requiring the password?

Generally we would not recommend storing your SSO provider password in Passbolt. Even if you use the Microsoft Authenticator mobile app, one day they might request it for whatever reason. I would at least keep a copy somewhere else, or make sure to appoint another administrator in my org so that I can reset it.