Single-sign-on stuff can be fixed by redirecting through the authenticator domain and passing the token or whatever back as a url parameter.

> You can turn them off.

Of course I did, long ago. The issue is that they're on by default. And defaults matter a lot because most people don't change them.

That would have to get fixed by the corporate maintaining that SSO. I even tried whitelisting domains, but it's also PITA since MS redirects you through 10 domains or so. Now I'm using cookie autoeater almost everywhere... so feel free to save your cookies, as soon as I close the tab they are all gone. I have to login every time, but saved passwords solve it reasonably well.