OAuth 2.0 adoption really shines when coupled with another new feature announced at WWDC 22:
Enrolment Single Sign-On
Apple is once more building on announcements from previous years, namely extensible SSO introduced in iOS 13 and Account-Driven User Enrolment in iOS 15, and combining the two technologies to give us Enrolment Single Sign-On. This will allow users to access their organisation’s apps and data from their personal devices faster than ever before, with a single form of authentication.
In order to take advantage of Enrolment SSO, four key components need to be in place:
1 – The app developer needs to update their app to support Enrolment SSO.
2 – The MDM vendor federates MDM protocol client authentication with an IdP.
3 – Administrators must set up Managed Apple IDs.
4 – Administrators need to configure the MDM server to return a URL to a JSON document in the authentication response headers.
When enrolling with SSO, the end user will:
1 – Enter their email address within Settings.
2 – Be prompted to download the app from the App Store – this app contains the SSO extension.
3 – Sign in only once, covering enrolment, access to apps and corporate data.
With more organisations moving towards BYOD iOS devices rather than corporately owned devices, Enrolment SSO is an opportunity to adopt iOS devices using corporate identities, while giving users an easy-to-complete enrolment workflow.
Platform SSO for macOS
Apple is building on its SSO framework for macOS, which was first introduced at WWDC 2019 and launched with Catalina. That initial release of SSO extensions allowed identity providers to offer SSO authentication for all apps and websites for their users. However, it meant the user had to enter their credentials twice after unlocking a device, even though in many cases both sets of credentials were identical.
With the introduction of macOS Ventura, Apple has built out this SSO framework into a true Platform Single Sign-On, or Platform SSO. Platform SSO will enable users to sign in once at the login window and then be signed in automatically to the apps and websites that use the organisation’s identity provider for authentication.
The first login authenticates with the local account password, which also unlocks FileVault encryption on the device, so the user can log in when offline or when connected to captive networks. From then on, the user can use their identity provider’s password to unlock their macOS device. This process is backed by Apple’s platform security: the Secure Enclave is used to authenticate with the IdP, and the resulting SSO tokens are stored in the keychain and made available to the existing SSO extension.
While Platform SSO provides a seamless one-time login experience, it also validates the local computer password against the identity provider. If the local computer password is out of sync with the IdP, the local password is adjusted to match.
It’s clear that Apple is pushing forward to allow organisations to drop the Active Directory bind entirely and use modern identities on macOS devices. It’s now in the hands of the IdPs to implement the protocols and build the necessary extensions, and of device management vendors to update their extensible SSO support to accommodate the changes.
In the “What’s new in managing Apple devices” session, Apple stated its bold goal for identity: users should ‘sign in once’ and from then on use that identity consistently across its operating systems. It’s clear from the announcements that Apple is serious about making this happen; however, it is now up to the IdPs and MDM vendors to share that mindset and adopt the new technologies announced at WWDC.
Although each of the new technologies announced is limited to its own use case, WWDC 2022 was a fantastic step forward towards ‘sign in once’.
Kyle Hoare, Apple Solutions Architect, Mac Centre.
For more information or to enquire about a demo, contact us today.