Recently, I wrote about a new design idea eliminating all hosted infrastructure for a full Workspace ONE deployment. I really loved the idea because you can eliminate the need for servers, but the one gap that we run into is iOS authentication on Office 365. Today, we have found a solution leveraging the new Azure seamless SSO powered by Apple’s new SSO extensions. We’ll discuss the problem, cover how to fix it, show a demo of how it ACTUALLY works, and a user experience demo as well.
Why isn’t Azure SSO Seamless on Apple Devices?
Historically, the rule of thumb with Microsoft is they are amazing at Windows, but they start to fall off the cliff once they move outside of that area. Microsoft documents a list of the gaps that exist on Azure SSO here.
A few of the avenues that don’t work with Azure SSO are:
- SSO doesn’t work in private browsing mode
- SSO doesn’t work on mobile browsers
- Only supports certain encryption types
- Groups and Forests run cause issues
Microsoft has made some nice improvements by leveraging technologies like the My Apps Secure Sign-In Extension for Chrome to build a consistent experience, but overall their technology is largely based on Kerberos.
On iOS, their SSO strategy is focused on a few different options:
- Mobile SSO powered by Kerberos and a Certificate to renew.
- SSO Extensions (which we will talk about later).
We haven’t had a viable way to move forward until now with the inclusion of the iOS and MacOS capability known as SSO Extensions.
Implementing iOS SSO Extensions for Azure Seamless SSO
The setup for Azure SSO is relatively simple, but we should cover it properly.
We configure it as the following:
- Set it as Redirect
- Set the Identifier: com.microsoft.azureauthenticator.ssoextension
- URLs can be found below:
https://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net
https://login.partner.microsoftonline.cn
https://login.chinacloudapi.cn
https://login.microsoftonline.de
https://login.microsoftonline.us
https://login.usgovcloudapi.net
https://login-us.microsoftonline.comThe last aspect of the setup are custom attributes that you can set. You can see the full list here but I will list the most common below:
AppAllowList: Let's your specify what Apps are allowed to use the SSO extension
Browser_sso_interaction_enabled: Let's your leverage SSO for non-ADAL apps or the Safari browser
Disable_explicit_app_prompt: Disables the ability for native and web apps to force an end-user prompt on the protocol layer and bypass SSOThe suggested code for the XML in the profile is:
<dict>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
<key>AppAllowList</key>
<string> com.microsoft.skydrive,com.apple.mobilesafari,com.microsoft.azureauthenticator</string>
</dict>The finished product can be seen below:
Functionality Demo of SSO Extensions in Azure SSO on iOS
You can see a nice little demo below of how the Azure SSO Extensions work. Essentially, they work the same way that connecting a PC to a “Work or School Account” works where it will add a connected identity and let you login seamlessly.
Azure SSO Extension User Experience Demo
Now, a quick user experience demo of the Azure SSO extension:
Final Thoughts
The Azure SSO Extension is a nice cherry on the top of my Workspace ONE design on its “Azure” diet. The only gap that I really had was seamless authentication, which we solve with the Azure SSO extension. The overwhelming point is a simple one: there is no acceptable situation where inputting a password is okay. Let’s strive and push everyone to build with user experience at the forefront. The only right user experience is a great one.
This is great and really helped what I was doing with access to SharePoint in the managed VMWare Web browser. One Issue I’m now seeing is for devices we manage that have always on VPN with a global proxy setup. A location dropdown list in SharePoint (in the Web app) no longer seems to load when on VPN, with VPN off the location list loads fine. So just wondering what the custom xml is really doing when on VPN and passing through to SharePoint running in Web?
Azure AD.
We only have iOS devices managed by WS1 UEM/Access) and we need Azure AD for Windows.
Who’s your IDP? Azure?
hi, I’ve worked loads with WS1, but not so much with XML codes…
if you still have this profile in your WS1 console where you created this demo, would you be able to provide a copy paste of your XML code you deployed?
I just have NO idea how to structure the XML, to add in the AppAllowList, and the actual app IDs…
thanks in advance
thanks for the quick reply. what I meant was, which are the missing bits of the XML code that go in front and after the text mentioned here ( , , etc… that’s the part that throws me off, unfortunately…
where does the above text you posted above, fit into the below XML, and what bits of the XML are missing to the above to make it work alongside the web apps, so both work in one XML code? unsure if my clarification makes sense… :
browser_sso_enabled
1
disable_explicit_app_prompt
1
Sorry it didn’t paste properly
I updated my article with a code section for the xml for you
this is awesome, should ease up some of the issues we’ve been having…
thank’s a lot for that, and for the quick replies.
genuinely…
wishing you to have a nice day 😊
apologies, I should have asked this previously…
do you know if the XML code structure provided above will also work with SSO extension profiles for macOS?
Yes it should
Hello,
Is it working only with web 0365 apps?
Is it possible with apps like one drive for iOS ? outlook on iOS ?
Thanks.
From my recollection, only works in the web. I’ll have to do more testing there
I got it to work. Update your custom XML to this: (I added in an App Allow List and now it works better)
Hi MB,
So SSO does work for the iOS MS Office Apps (Outlook, OneDrive, PPT, excel) ?
No password is required ..right ?
Thanks,
Kev
Yes provided we’re talking about modern authentication for office 365. Who is your IDP?