Microsoft Single Sign On extension support

Starting in version 38.126.83.73, OpenFin supports the Microsoft Single Sign On extension for Chrome.
This support enables OpenFin applications, as well as content and integrations that use Microsoft Entra ID for authentication, to log in automatically when the desktop environment is an Entra-controlled device.
It also enables the Conditional Access capability of Microsoft Entra ID, based on device properties and location.
Conditional Access is Microsoft's Zero Trust policy engine that takes signals from various sources into account when enforcing policy decisions.

How it works

An application developer declares in the application’s manifest that it uses the Microsoft Single Sign On extension by providing the ID of the extension and a URL of an extension server that it can be installed from.
To use the "default" location, specify the Chrome Web Store URL.

The URL to use for downloading from the Chrome Web Store is https://clients2.google.com/service/update2/crx.
This is different from the URL of the Chrome Web Store website.

To guard against malicious actors, extension server URLs must be specified in either a trusted application configuration or desktop owner settings (DOS).
If an application manifest specifies an extension server URL that is not also in one of these two places, the definition is considered invalid, that URL is not used, and the extension is not installed.

The precedence for the extension server URL definition is:

  1. Desktop owner settings

  2. Trusted application configuration

When the application starts, if its extension definition is valid and the extension is not installed, then the OpenFin Runtime installs it from a server as specified in the settings.
If the extension is already installed and the application has a valid definition for it, then the Runtime enables it.

How to use it

Application developers add an extensions property to the application’s manifest, declaring that the application uses the Microsoft Single Sign On extension.

An application developer can define trusted servers for the extension in a trusted application configuration.
A desktop owner can do similarly in desktop owner settings.

Manifest configuration

To enable Entra ID support in your application manifest, you specify the Microsoft Single Sign On extension with the top-level extensions property.

You must also add a security realm argument to the runtime property.
See Security realms for details.

{
  "platform": { ... },
  "extensions": [
    {
      "id": "ppnbnpeolgkicgegkbkbjmhlideopiji",
      "serverURL": "https://EXTENSION_SERVER.com"
    }
  ],
  "runtime": {
    "arguments": "--security-realm=[REALM_ID]",
    "version": "38.126.83.73"
  }
}

The value shown above for the id property, "ppnbnpeolgkicgegkbkbjmhlideopiji", is the literal value for the Microsoft Single Sign On extension on the Chrome Web Store site.
You must use this value for this extension.

Desktop Owner Settings (DOS)

Administrators can configure extension server URLs using the extensionServerURLs property in desktop owner settings. Its value is an array of server URLs of trusted sources for the Microsoft Single Sign-on extension.

{
  "desktopSettings": {
    ...
    "extensionServerURLs": [
      "https://clients2.google.com/service/update2/crx",
      "https://clients2.google.com",
      "https://CUSTOM-EXTENSIONS-STORE.EXAMPLE.com",
      "https://ANOTHER-EXTENSIONS-STORE.com"
    ]
  }
}

Trusted application configurations

For application vendors, a trusted application configuration can be used to define allowed extension servers.
Provide the URL of one or more extension servers when you submit your application configuration to OpenFin. See trusted application configuration for details.
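The rules from the "How it works" section, the manifest configuration, the desktop owner settings and the trusted application configuration can be summarised as one validation routine: the manifest's extension entry is accepted only if its id is the Microsoft Single Sign On extension, its serverURL appears in desktop owner settings (consulted first) or in the trusted application configuration, and the runtime arguments carry a security realm. The following Python is an added example written for this article; it is not OpenFin's Runtime code. It assumes the desktop owner settings shape shown above, represents the trusted application configuration as a plain list of URLs because the article does not name its key, and assumes URL comparison is an exact match after lowercasing the scheme and host and ignoring a trailing slash, since the article does not state OpenFin's matching rule. The sample manifest and settings are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Literal extension ID from the article; the only extension this feature supports.
MS_SSO_EXTENSION_ID = "ppnbnpeolgkicgegkbkbjmhlideopiji"
# The "default" install location from the article (the update endpoint, not the store website).
CHROME_WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def normalize_url(url: str) -> str:
    """Canonical form for allowlist comparison.

    Assumption: OpenFin's exact matching rule is not stated in the article;
    this example lowercases scheme and host, ignores a trailing slash, and
    otherwise requires an exact match.
    """
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path.rstrip('/')}"


@dataclass
class ExtensionCheck:
    valid: bool
    source: Optional[str] = None            # which allowlist authorized the serverURL
    errors: List[str] = field(default_factory=list)


def check_extension_definition(manifest: dict,
                               dos: Optional[dict] = None,
                               trusted_server_urls: Optional[List[str]] = None) -> ExtensionCheck:
    """Validate the manifest's extension entries against the two allowlists.

    `dos` follows the desktop owner settings document shown in the article:
    {"desktopSettings": {"extensionServerURLs": [...]}}.
    `trusted_server_urls` stands in for the trusted application configuration
    (assumed shape: a list of URLs; the real key name is not given in the article).
    """
    errors: List[str] = []
    dos_urls = {normalize_url(u) for u in
                (dos or {}).get("desktopSettings", {}).get("extensionServerURLs", [])}
    trusted_urls = {normalize_url(u) for u in (trusted_server_urls or [])}

    extensions = manifest.get("extensions") or []
    if not extensions:
        errors.append("manifest has no 'extensions' entries")

    source: Optional[str] = None
    for ext in extensions:
        ext_id = ext.get("id")
        if ext_id != MS_SSO_EXTENSION_ID:
            errors.append(f"unsupported extension id {ext_id!r}; only the Microsoft SSO extension is supported")
            continue
        server = ext.get("serverURL")
        if not server:
            errors.append("extension entry has no 'serverURL'")
            continue
        wanted = normalize_url(server)
        # Precedence from the article: desktop owner settings first, then trusted configuration.
        if wanted in dos_urls:
            source = "desktop owner settings"
        elif wanted in trusted_urls:
            source = "trusted application configuration"
        else:
            errors.append(f"serverURL {server!r} is in neither DOS nor the trusted application "
                          "configuration; the definition is invalid and the extension is not installed")

    # The article also requires a security realm argument on the runtime property.
    arguments = (manifest.get("runtime") or {}).get("arguments", "")
    if not re.search(r"--security-realm=(\S+)", arguments):
        errors.append("runtime.arguments must include --security-realm=<realm id>")

    return ExtensionCheck(valid=not errors, source=source, errors=errors)


# Constructed sample inputs so the example runs stand-alone (not a real deployment).
SAMPLE_MANIFEST = {
    "extensions": [{"id": MS_SSO_EXTENSION_ID, "serverURL": CHROME_WEB_STORE_UPDATE_URL}],
    "runtime": {"arguments": "--security-realm=example-realm", "version": "38.126.83.73"},
}
SAMPLE_DOS = {"desktopSettings": {"extensionServerURLs": [CHROME_WEB_STORE_UPDATE_URL]}}

if __name__ == "__main__":
    print(check_extension_definition(SAMPLE_MANIFEST, dos=SAMPLE_DOS))
    unlisted = dict(SAMPLE_MANIFEST, extensions=[
        {"id": MS_SSO_EXTENSION_ID, "serverURL": "https://unlisted-server.example"}])
    print(check_extension_definition(unlisted, dos=SAMPLE_DOS))
```

Running the module prints a valid result sourced from desktop owner settings for the sample manifest, followed by an invalid result for a manifest whose serverURL is in neither allowlist; the `errors` list is what an administrator would want to see when the extension silently fails to install.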

End-user experience

Once configured, the Entra ID login works automatically for users on domain-joined Windows devices.
No additional code is required in your application to enable this functionality.

Security Considerations

  • Always use trusted sources for the Microsoft Single Sign-On extension.

  • Ensure that your Conditional Access policies are properly configured in your Entra ID admin panel.

Limitations

  • This feature is supported only on Windows devices. It is not available for macOS.

  • Only the Microsoft Single Sign-On extension is supported; no other Chrome extensions are supported.

Troubleshooting

If users experience issues with automatic login:

  1. Check that the extension is properly installed and enabled in the OpenFin Runtime, through one of the methods described in this article.
    Make sure that you have defined a security realm in the application manifest.

  2. Ensure that the user has the necessary permissions in your Entra ID configuration.

Additional Resources

For more information on Microsoft Entra and Conditional Access, refer to the official Microsoft documentation (links are subject to change without notice):