Recently, I wrote about a new design idea eliminating all hosted infrastructure for a full Workspace ONE deployment. I really loved the idea because you can eliminate the need for servers, but the one gap that we run into is iOS authentication on Office 365. Today, we have found a solution leveraging the new Azure seamless SSO powered by Apple’s new SSO extensions. We’ll discuss the problem, cover how to fix it, show a demo of how it ACTUALLY works, and a user experience demo as well.
Why isn’t Azure SSO Seamless on Apple Devices?
Historically, the rule of thumb with Microsoft is they are amazing at Windows, but they start to fall off the cliff once they move outside of that area. Microsoft documents a list of the gaps that exist on Azure SSO here.
A few of the avenues that don’t work with Azure SSO are:
- SSO doesn’t work in private browsing mode
- SSO doesn’t work on mobile browsers
- Only supports certain encryption types
- Group membership and forest topology can cause issues
Microsoft has made some nice improvements by leveraging technologies like the My Apps Secure Sign-In Extension for Chrome to build a consistent experience, but overall their technology is largely based on Kerberos.
On iOS, their SSO strategy is focused on a few different options:
- Mobile SSO powered by Kerberos, with a certificate used for renewal.
- SSO Extensions (which we will talk about later).
We haven’t had a viable way to move forward until now, with the inclusion of the iOS and macOS capability known as SSO Extensions.
Implementing iOS SSO Extensions for Azure Seamless SSO
The setup for Azure SSO is relatively simple, but we should cover it properly.
We configure it as the following:
- Set it as Redirect
- Set the Identifier: com.microsoft.azureauthenticator.ssoextension
- URLs can be found below:
- https://login.microsoftonline.com
- https://login.microsoft.com
- https://sts.windows.net
- https://login.partner.microsoftonline.cn
- https://login.chinacloudapi.cn
- https://login.microsoftonline.de
- https://login.microsoftonline.us
- https://login.usgovcloudapi.net
- https://login-us.microsoftonline.com
The last aspect of the setup is the custom attributes that you can set. You can see the full list here, but I will list the most common below:
- AppAllowList: Lets you specify which apps are allowed to use the SSO extension
- browser_sso_interaction_enabled: Lets you leverage SSO for non-ADAL apps or the Safari browser
- disable_explicit_app_prompt: Disables the ability for native and web apps to force an end-user prompt at the protocol layer and bypass SSO
The suggested XML for the ExtensionData dictionary in the profile is (note that the AppAllowList string is a comma-separated list of bundle identifiers with no spaces):
    <dict>
        <key>browser_sso_interaction_enabled</key>
        <integer>1</integer>
        <key>disable_explicit_app_prompt</key>
        <integer>1</integer>
        <key>AppAllowList</key>
        <string>com.microsoft.skydrive,com.apple.mobilesafari,com.microsoft.azureauthenticator</string>
    </dict>
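To show how the pieces above fit together in an actual Apple Extensible SSO payload, here is an added example (my own code, not from the original post, from Microsoft or from Apple) that builds the com.apple.extensiblesso payload with the extension identifier, Redirect type, URL list and ExtensionData values listed above, checks it for the mistakes that most often break the extension (a non-https URL, a URL carrying a query string, stray whitespace in AppAllowList), and serializes it as a plist the way an MDM would deliver it. The PayloadIdentifier and PayloadUUID values are placeholders; the payload keys themselves are Apple's documented Extensible SSO keys, and the check functions are my assumptions about what is worth validating.

```python
"""Build and sanity-check an Apple Extensible SSO payload for the Microsoft
Azure SSO extension.  Added example; not code from the original post."""
import plistlib
import re
import uuid
from urllib.parse import urlparse

# Values from the post: the extension bundle identifier and the identity
# provider URLs that the extension should intercept.
AZURE_SSO_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
AZURE_LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.de",
    "https://login.microsoftonline.us",
    "https://login.usgovcloudapi.net",
    "https://login-us.microsoftonline.com",
]

# ExtensionData from the post's XML snippet.
DEFAULT_EXTENSION_DATA = {
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
    "AppAllowList": "com.microsoft.skydrive,com.apple.mobilesafari,"
                    "com.microsoft.azureauthenticator",
}

BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def build_sso_payload(extension_data=None, urls=None):
    """Return a com.apple.extensiblesso payload dictionary (Redirect type)."""
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.azure-sso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Azure SSO Extension",
        "ExtensionIdentifier": AZURE_SSO_EXTENSION_ID,
        "Type": "Redirect",
        "URLs": list(urls if urls is not None else AZURE_LOGIN_URLS),
        "ExtensionData": dict(extension_data or DEFAULT_EXTENSION_DATA),
    }


def validate_sso_payload(payload):
    """Return a list of problems; an empty list means the payload looks sane."""
    problems = []
    if payload.get("Type") != "Redirect":
        problems.append("Type must be Redirect for the Azure extension")
    if payload.get("ExtensionIdentifier") != AZURE_SSO_EXTENSION_ID:
        problems.append("unexpected ExtensionIdentifier")
    urls = payload.get("URLs") or []
    if not urls:
        problems.append("URLs is empty; the extension would never be invoked")
    for u in urls:
        parsed = urlparse(u)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"URL scheme must be https with a host: {u!r}")
        if parsed.query or parsed.fragment:
            problems.append(f"URL must not carry a query or fragment: {u!r}")
    data = payload.get("ExtensionData") or {}
    for key in ("browser_sso_interaction_enabled", "disable_explicit_app_prompt"):
        if key in data and data[key] not in (0, 1):
            problems.append(f"{key} must be the integer 0 or 1")
    for entry in data.get("AppAllowList", "").split(","):
        if entry != entry.strip():
            problems.append(f"AppAllowList entry has surrounding whitespace: {entry!r}")
        elif not BUNDLE_ID_RE.match(entry):
            problems.append(f"AppAllowList entry is not a bundle id: {entry!r}")
    return problems


def to_profile_xml(payload):
    """Wrap the payload in a top-level Configuration profile and serialize it."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.azure-sso.profile",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Azure SSO Extension (iOS)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile_payload(xml_bytes):
    """Parse a profile and return its first extensiblesso payload, or None."""
    profile = plistlib.loads(xml_bytes)
    for item in profile.get("PayloadContent", []):
        if item.get("PayloadType") == "com.apple.extensiblesso":
            return item
    return None


if __name__ == "__main__":
    good = build_sso_payload()
    print("problems:", validate_sso_payload(good))
    print(to_profile_xml(good).decode())
```

The validator is deliberately strict about the AppAllowList string because the extension matches bundle identifiers exactly; a stray space (as in the snippet's original `<string> com.microsoft.skydrive,...`) silently excludes that app from SSO, and the only symptom is a password prompt.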
The finished product can be seen below:
Functionality Demo of SSO Extensions in Azure SSO on iOS
You can see a nice little demo below of how the Azure SSO Extensions work. Essentially, they work the same way as connecting a PC to a “Work or School Account”: the extension adds a connected identity and lets you log in seamlessly.
Azure SSO Extension User Experience Demo
Now, a quick user experience demo of the Azure SSO extension:
The Azure SSO Extension is a nice cherry on top of my Workspace ONE design on its “Azure” diet. The only gap that I really had was seamless authentication, which we solve with the Azure SSO extension. The overwhelming point is a simple one: there is no acceptable situation where inputting a password is okay. Let’s strive to push everyone to build with user experience at the forefront. The only right user experience is a great one.