New Paltz CAS 2FA and Windows SSO don't play nice together in Firefox


CAS is the Central Authentication Service for our campus. Whenever you log in to a service, CAS is used either to check that you have already been properly authenticated or to have you authenticate, including two-factor authentication (2FA) using Duo.

Windows SSO (Single Sign-On) is a similar mechanism for allowing you to connect to various online services using your Microsoft Windows account. The Firefox browser has recently added support for Windows SSO for Windows 10 [1] (as of Version 91 from August 10, 2021).

Unfortunately, CAS seems to fail when using Firefox with Windows SSO support turned on. The result is the warning you get at the top of this page. The solution is to turn off Windows SSO support. To do so, pull down “Settings” from the “hamburger” icon in the upper left corner, select “Privacy & Security”, and then uncheck the box labeled “Allow Windows single sign-on for Microsoft, work, and school accounts”. The result should look like this:

Now you should have no problem authenticating to CAS.

Update – January 2022

In mid-January 2022 the problem returned when I updated to Firefox version 96.0.1. On macOS 12.1 (Monterey) the checkbox mentioned above is no longer there. On Windows 10 it’s there, but unchecking it does not solve the problem.

Our campus documentation suggests clearing all cookies, which of course has consequences far outside of just the one website I’m trying to visit.  I found that deleting all cookies from just the domain microsoftonline.com fixed the problem.
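The same targeted cleanup can be scripted against a Firefox profile instead of clearing every cookie. The sketch below is an added example, not the method used in this post or anything from campus documentation; it assumes cookies live in the profile's cookies.sqlite in a table named moz_cookies with a host column, that Firefox is closed while it runs, and the function names are hypothetical.

```python
import sqlite3
import sys


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    # Domain-wide cookies are stored with a leading dot (".example.com").
    host = host.lstrip(".").lower()
    domain = domain.lower()
    # Require a label boundary so "notexample.com" never matches "example.com".
    return host == domain or host.endswith("." + domain)


def purge_domain_cookies(conn: sqlite3.Connection, domain: str) -> list:
    """Delete cookies for domain and its subdomains; return the hosts removed."""
    rows = conn.execute("SELECT id, host FROM moz_cookies").fetchall()
    doomed = [(cid, host) for cid, host in rows if host_in_domain(host, domain)]
    conn.executemany("DELETE FROM moz_cookies WHERE id = ?",
                     [(cid,) for cid, _ in doomed])
    conn.commit()
    return sorted({host for _, host in doomed})


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: a minimal stand-in for the moz_cookies table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies "
                 "(id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT)")
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host) VALUES (?, ?, ?)",
        [("c1", "v", "login.microsoftonline.com"),
         ("c2", "v", ".microsoftonline.com"),
         ("c3", "v", "notmicrosoftonline.com"),          # look-alike, must stay
         ("c4", "v", "microsoftonline.com.example.net"),  # look-alike, must stay
         ("c5", "v", "cas.example.edu")])                 # unrelated, must stay
    return conn


if __name__ == "__main__":
    # Pass the path to a profile's cookies.sqlite, or run with no argument
    # to exercise the constructed sample database.
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) == 2 else build_sample_db()
    print("removed cookies for:", purge_domain_cookies(db, "microsoftonline.com"))
```

Matching on a label boundary rather than a plain substring keeps look-alike hosts untouched, so only the Microsoft sign-in state is reset and other sites stay logged in.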

Notes

  1. See https://support.mozilla.org/en-US/kb/windows-sso