DEV Community

Merényi Mónika

Entra ID Hybrid Joined: SSO and Understanding the PRT - Part 1

Introduction

In this exercise, we will focus on enabling Single Sign-On (SSO) for seamless user authentication across cloud and on-premises resources. We will also dive into the details of the Primary Refresh Token (PRT), a critical component of the SSO experience in hybrid identity environments. To test this setup, we’ll deploy a client machine and hybrid join it to Microsoft Entra ID.

Part 1. SSO and PRT introduction

Before creating our new device, let's discuss:

What is Single Sign-On (SSO)?

SSO is an authentication method that lets users sign in to multiple applications and systems with a single set of login credentials: authenticate once and access all the connected resources seamlessly.

Advantages:

  • Convenient for the user: they don't have to remember separate credentials for different applications.

  • Security: authentication is managed centrally, so if a user leaves the company all of their related access can be revoked in one place. Users don't reuse the same password across applications.

  • Efficiency: reduces the time needed for login and the number of password-reset tickets.

Key Protocols Used in SSO

Two key protocols are used for SSO in the cloud.

1. SAML (Security Assertion Markup Language)

An open standard for securely exchanging authentication and authorization information between an Identity Provider (IdP) and a Service Provider (SP).
It uses an XML SAML assertion (security token) to grant access to the service.

2. OpenID Connect (OIDC)

Built on top of OAuth 2.0. Provides authentication by verifying the user's identity and issuing an ID token.
ID token: a JSON Web Token (JWT) that carries claims about the user (such as username, email and authorization status).

How to decide which one to use?

Choose OIDC if you're working with modern, cloud-native apps or APIs that require lightweight communication and JSON support.

Opt for SAML if you're integrating with legacy applications or enterprise systems already using SAML.

A quick mention of the on-premises authentication protocols used for SSO:

1. Kerberos
A network authentication protocol that uses tickets to let nodes prove their identity securely.
Commonly used for SSO in Windows environments.

2. WS-Federation
Enables SSO by allowing trust relationships between security domains to federate identity. Commonly used with legacy systems for federated identity management. Example: using Microsoft Entra ID to authenticate to SharePoint on-premises.

SSO options:

1. Active Directory Federation Services (AD FS):
Used for federated domains.

2. Seamless Single Sign-On:
Uses a combination of Kerberos and SAML for authentication.
Used on legacy Windows 7 and 8.1 clients.

3. Primary Refresh Token (PRT):
A JSON Web Token issued on Windows 10, Server 2016 and above, iOS and Android to enable SSO.
For Entra ID joined or hybrid joined devices the PRT is issued when the user logs in.
For Entra ID registered devices the PRT is issued when a user adds a secondary work/school account or enables "Allow my organization to manage this device" when signing in to a web application.

An Entra-joined machine is typically a corporate-owned device used in cloud-first scenarios where there is no on-premises infrastructure. Users sign in using their Microsoft Entra ID credentials, and the device is managed through Intune.

An Entra hybrid joined device is joined to the on-premises Active Directory domain and registered with Entra ID. It is typically corporate-owned and relies on the on-premises Active Directory for authentication. These devices can be managed using Group Policy, SCCM, or Intune.

An Entra-registered device is typically a BYOD (Bring Your Own Device) where users sign in with local or personal credentials rather than an organizational account. These devices can be managed using Intune or Microsoft Endpoint Manager (MEM).


Primary Refresh Token

Key terms

Cloud Authentication Provider (CloudAP):

  • Handles the authentication process during login.
  • Verifies user credentials.

Entra CloudAP Plugin (CloudAP Plugin):

  • Built on the CloudAP framework.
  • Requests the PRT.
  • Caches the PRT for seamless access.

Entra WAM plugin:

  • Enables SSO for applications that rely on Entra ID for authentication.
  • Allows the use of existing credentials.

DSREG:

  • The Entra component on a Windows 10 (and above) machine that handles device registration. We will use the dsreg command-line tool (dsregcmd.exe) a lot for checking status and troubleshooting.

What is in the PRT?

Device ID:

Identifies the device to which the PRT is issued.
The deviceID claim is part of the tokens issued using the PRT.
It helps enforce Conditional Access policies by checking the device's state or compliance.
Tokens include this claim to ensure secure and policy-compliant access.

Session ID:

An encrypted symmetric key, generated by the Entra authentication service and issued as part of the PRT.
It is securely transferred to the client machine and stored in the TPM, from which it cannot be extracted.
It acts as proof of possession when tokens are requested with the PRT.
The key is rotated if it is older than 30 days.

How PRT is issued

A PRT is issued only to devices registered with Entra ID (joined, hybrid joined or registered).
During the registration process DSREG creates two asymmetric key pairs:

  • Device Key (dkpub/dkpriv): the key associated with a registered device, used to verify the device's identity to Microsoft Entra ID and other services.
  • Transport Key (tkpub/tkpriv): encrypts data during transfer, ensuring secure communication between the client and the server.

The private keys are bound to the machine's TPM (if it has one) and the public keys are sent to Entra ID during the registration process.

How PRT is used

During user login the Entra CloudAP plugin requests the PRT from Entra ID and caches it for seamless (or offline) use.

The WAM plugin is used when the user tries to access an application.
Applications request access and refresh tokens through the WAM plugin. It enables browser SSO by injecting the PRT into the browser request.
Browser SSO is supported on Microsoft Edge, Chrome (via the Windows 10 Accounts extension), and Mozilla Firefox v91+ (with the Firefox Windows SSO setting).

For Entra ID registered devices the whole process is handled by the WAM plugin, because there is no Windows login with the Entra ID account.

Lifespan of the PRT

The PRT is valid for 14 days and is continuously renewed on an active device.
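As an added example (not code from the original post), the PowerShell script below ties together the DSREG note, the TPM-bound device keys and the PRT lifespan described above: it parses the `Name : Value` lines of `dsregcmd /status` and reports the join type, device ID, PRT presence and expiry, and whether the device key is TPM-protected. The sample output is constructed, and the field names (`AzureAdJoined`, `DomainJoined`, `DeviceId`, `TpmProtected`, `KeyProvider`, `AzureAdPrt`, `AzureAdPrtExpiryTime`) are assumed to match what dsregcmd prints on a Windows client.

```powershell
# Added example, not from the original post: parse the output of
# `dsregcmd /status` and report the join type, device ID, PRT state and
# TPM binding discussed above. Parses a constructed sample by default so
# it runs anywhere; pass -Live on a Windows client to read the real output.
param([switch]$Live)

# Constructed sample, modelled on the "Name : Value" lines dsregcmd prints.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000000
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-01-01 08:00:00.000 UTC
      AzureAdPrtExpiryTime : 2024-01-15 08:00:00.000 UTC
'@

$text = if ($Live) { (& dsregcmd /status) -join "`n" } else { $sample }

# Collect every "Name : Value" line into a hashtable; box-drawing lines are skipped.
$state = @{}
foreach ($line in $text -split "`n") {
    if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}

# Hybrid joined = joined to both the on-premises domain and Entra ID.
$joinType = if ($state.AzureAdJoined -eq 'YES' -and $state.DomainJoined -eq 'YES') { 'Hybrid joined' }
            elseif ($state.AzureAdJoined -eq 'YES') { 'Entra joined' }
            else { 'Not Entra joined' }

[pscustomobject]@{
    JoinType    = $joinType
    DeviceId    = $state.DeviceId
    PrtPresent  = ($state.AzureAdPrt -eq 'YES')    # no PRT means no SSO
    PrtExpires  = $state.AzureAdPrtExpiryTime      # renewed on an active device
    KeyInTpm    = ($state.TpmProtected -eq 'YES')  # device/transport keys bound to TPM
    KeyProvider = $state.KeyProvider
}
```

On the constructed sample this reports a hybrid joined device with a present PRT and TPM-protected keys; a device showing `AzureAdPrt : NO` is the first thing to check when SSO to cloud apps fails.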

Now that we have covered SSO and the PRT, we will try this out in the next post!
