Taking a Deep Dive into the iOS SSO Extension for Azure SSO with Workspace ONE

Recently, I wrote about a new design idea that eliminates all hosted infrastructure for a full Workspace ONE deployment. I really loved the idea because you can eliminate the need for servers, but the one gap we run into is iOS authentication against Office 365. Today, we have found a solution leveraging the new Azure seamless SSO, powered by Apple's new SSO extensions. We'll discuss the problem, cover how to fix it, show a demo of how it ACTUALLY works, and walk through a user experience demo as well.

Why isn’t Azure SSO Seamless on Apple Devices?

Historically, the rule of thumb with Microsoft is that they are amazing at Windows, but they start to fall off the cliff once they move outside of that area. Microsoft documents the gaps that exist in Azure Seamless SSO in its own Seamless SSO documentation.

A few of the avenues that don’t work with Azure SSO are:

  • SSO doesn't work in private browsing mode
  • SSO doesn't work on mobile browsers (iOS and Android)
  • Only certain Kerberos encryption types are supported
  • Large group memberships (the Kerberos ticket gets too big) and multi-forest environments cause issues

Microsoft has made some nice improvements by leveraging technologies like the My Apps Secure Sign-In Extension for Chrome to build a consistent experience, but Seamless SSO itself is still built on Kerberos, which is where those gaps come from.

Seamless Single Sign On - Web app flow

On iOS, their SSO strategy is focused on a few different options:

  • Mobile SSO powered by Kerberos, with a certificate used to renew the Kerberos ticket.
  • SSO Extensions (which we will talk about below).

We haven't had a viable way to move forward until now, with the arrival of the iOS and macOS capability known as SSO Extensions.

Implementing iOS SSO Extensions for Azure Seamless SSO

The setup for Azure SSO is relatively simple, but we should cover it properly.

Configure the SSO extension payload as follows:

  • Set the Type to Redirect
  • Set the Extension Identifier to: com.microsoft.azureauthenticator.ssoextension
  • Set the URLs to the Microsoft login endpoints (commercial, China, Germany and US Government clouds):
https://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net
https://login.partner.microsoftonline.cn
https://login.chinacloudapi.cn
https://login.microsoftonline.de
https://login.microsoftonline.us
https://login.usgovcloudapi.net
https://login-us.microsoftonline.com

The last aspect of the setup is the custom attributes you can set in the extension data. You can see the full list in Microsoft's documentation for the Enterprise SSO plug-in, but I will list the most common below:

AppAllowList: Lets you specify which apps (a comma-separated list of bundle IDs) are allowed to use the SSO extension
browser_sso_interaction_enabled: Lets you leverage SSO for non-ADAL/MSAL apps and the Safari browser
disable_explicit_app_prompt: Prevents native and web apps from forcing an end-user prompt at the protocol layer and thereby bypassing SSO

The suggested custom XML for the profile's extension data is (note there must be no spaces around the commas in AppAllowList; a stray space becomes part of the bundle ID and that app silently drops out of SSO):

<dict>
    <!-- Let non-ADAL/MSAL apps and Safari bootstrap SSO -->
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <!-- Stop apps from forcing a credential prompt that bypasses SSO -->
    <key>disable_explicit_app_prompt</key>
    <integer>1</integer>
    <!-- Comma-separated bundle IDs allowed to use the extension -->
    <key>AppAllowList</key>
    <string>com.microsoft.skydrive,com.apple.mobilesafari,com.microsoft.azureauthenticator</string>
</dict>
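To show where that <dict> actually lives and to catch the copy-paste slips that break this setup, here is an added example (not code from the original post, nor from VMware or Microsoft) that builds the complete Apple com.apple.extensiblesso profile around the post's values with Python's standard plistlib, and validates it before you paste or upload it. The PayloadIdentifier, PayloadUUID and display-name strings are assumed placeholders; Workspace ONE UEM generates its own when you paste only the extension-data <dict> into the console. Everything else (extension identifier, Type, URLs, the three keys and the bundle IDs) comes from the post.

```python
"""Build and sanity-check an Apple Extensible SSO profile carrying the
Microsoft Enterprise SSO plug-in settings from the post (iOS, Redirect type).
Added example; standard library only. Placeholder identifiers are assumptions."""
import plistlib
import re
from urllib.parse import urlsplit

EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"

# Microsoft login endpoints listed in the post (commercial, China, Germany, US Gov).
LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.de",
    "https://login.microsoftonline.us",
    "https://login.usgovcloudapi.net",
    "https://login-us.microsoftonline.com",
]

# Bundle IDs from the post's AppAllowList.
ALLOWED_APPS = ["com.microsoft.skydrive", "com.apple.mobilesafari",
                "com.microsoft.azureauthenticator"]

# Apple bundle IDs: alphanumerics, hyphens and periods; no whitespace anywhere.
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def extension_data(allowed_apps, browser_sso=True, disable_explicit_prompt=True):
    """The ExtensionData dict: the same three keys as the post's custom XML."""
    return {
        "browser_sso_interaction_enabled": 1 if browser_sso else 0,
        "disable_explicit_app_prompt": 1 if disable_explicit_prompt else 0,
        "AppAllowList": ",".join(allowed_apps),
    }


def build_profile(allowed_apps=ALLOWED_APPS):
    """Full .mobileconfig structure with one com.apple.extensiblesso payload."""
    sso_payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.microsoft",          # placeholder
        "PayloadUUID": "11111111-2222-3333-4444-555555555555",     # placeholder
        "PayloadDisplayName": "Microsoft Enterprise SSO plug-in",  # placeholder
        "ExtensionIdentifier": EXTENSION_ID,
        "Type": "Redirect",
        "URLs": list(LOGIN_URLS),
        "ExtensionData": extension_data(allowed_apps),
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.sso",            # placeholder
        "PayloadUUID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",     # placeholder
        "PayloadDisplayName": "Azure SSO Extension (iOS)",         # placeholder
        "PayloadContent": [sso_payload],
    }


def validate(profile):
    """Return a list of problems with the SSO payload; empty means it passed.
    Catches what quietly breaks SSO: wrong Type, non-https or query-bearing
    URLs, and bundle IDs with stray whitespace, typos or duplicates."""
    problems = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.extensiblesso":
            continue
        if payload.get("ExtensionIdentifier") != EXTENSION_ID:
            problems.append("ExtensionIdentifier is not the Microsoft plug-in")
        if payload.get("Type") != "Redirect":
            problems.append("Type must be Redirect for the Microsoft plug-in")
        urls = payload.get("URLs", [])
        if not urls:
            problems.append("Redirect extensions need at least one URL")
        for url in urls:
            parts = urlsplit(url)
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"URL must be an https origin: {url!r}")
            if parts.query or parts.fragment:
                problems.append(f"URL must not carry a query or fragment: {url!r}")
        seen = set()
        for bundle_id in payload.get("ExtensionData", {}).get("AppAllowList", "").split(","):
            if not BUNDLE_ID_RE.match(bundle_id):
                problems.append(f"bad bundle ID in AppAllowList: {bundle_id!r}")
            elif bundle_id in seen:
                problems.append(f"duplicate bundle ID in AppAllowList: {bundle_id!r}")
            seen.add(bundle_id)
    return problems


def to_mobileconfig(profile):
    """Serialise to the XML plist bytes a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    good = build_profile()
    assert validate(good) == []
    # A leading space, as in " com.microsoft.skydrive", is exactly the slip a
    # paste into the console introduces; the validator flags it.
    print(validate(build_profile([" com.microsoft.skydrive", "com.apple.mobilesafari"])))
    with open("azure-sso-extension.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(good))
```

Running the script writes an unsigned azure-sso-extension.mobileconfig and prints the problem list for the deliberately broken allow list. The ExtensionData dictionary it emits is byte-for-byte the post's custom XML, so if you only need the console snippet, paste that part. On macOS the same payload additionally needs Apple's TeamIdentifier key set to Microsoft's team ID, which this iOS-only example leaves out.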

The finished product can be seen below:

Functionality Demo of SSO Extensions in Azure SSO on iOS

You can see a nice little demo below of how the Azure SSO extension works. Essentially, it works the same way that connecting a PC to a "Work or School Account" does: it adds a connected identity to the device and lets you log in seamlessly.

Azure SSO Extension User Experience Demo

Now, a quick user experience demo of the Azure SSO extension:

Final Thoughts

The Azure SSO Extension is a nice cherry on the top of my Workspace ONE design on its “Azure” diet. The only gap that I really had was seamless authentication, which we solve with the Azure SSO extension. The overwhelming point is a simple one: there is no acceptable situation where inputting a password is okay. Let’s strive and push everyone to build with user experience at the forefront. The only right user experience is a great one.

11 thoughts on “Taking a Deep Dive into the iOS SSO Extension for Azure SSO with Workspace ONE”

  1. hi, I've worked loads with WS1, but not so much with XML code…
    if you still have this profile in your WS1 console where you created this demo, would you be able to provide a copy paste of the XML code you deployed?
    I just have NO idea how to structure the XML, to add in the AppAllowList, and the actual app IDs…
    thanks in advance

      1. thanks for the quick reply. what I meant was, which are the missing bits of the XML code that go in front and after the text mentioned here ( , , etc… that’s the part that throws me off, unfortunately…

        where does the above text you posted above, fit into the below XML, and what bits of the XML are missing to the above to make it work alongside the web apps, so both work in one XML code? unsure if my clarification makes sense… :

        <key>browser_sso_enabled</key>
        <integer>1</integer>
        <key>disable_explicit_app_prompt</key>
        <integer>1</integer>

      2. this is awesome, should ease up some of the issues we've been having…
        thanks a lot for that, and for the quick replies.
        genuinely…
        wishing you to have a nice day 😊

      3. apologies, I should have asked this previously…
        do you know if the XML code structure provided above will also work with SSO extension profiles for macOS?

  2. Hello,
    Is it working only with web O365 apps?
    Is it possible with apps like OneDrive for iOS? Outlook on iOS?
    Thanks.

      1. I got it to work. Update your custom XML to this: (I added in an App Allow List and now it works better)

        <dict>
            <key>browser_sso_interaction_enabled</key>
            <integer>1</integer>
            <key>disable_explicit_app_prompt</key>
            <integer>1</integer>
            <key>AppAllowList</key>
            <string>com.microsoft.skydrive,com.apple.mobilesafari,com.microsoft.azureauthenticator</string>
        </dict>
