SSO Extension for the enterprise

After looking at last year's WWDC video on SSO Extensions for the enterprise (https://developer.apple.com/videos/play/tech-talks/301) I've been trying to implement this feature for my company.

As described in the video I made sure that the components are set up as expected:
  1. Put the apple-app-site-association file on the domain of our login service.

  2. Configured and pushed an MDM SSO Extension config profile to the managed device that I use during my test. In the profile I've placed the domains of our federation service and the type of extension (redirect).

  3. In my local app I added the extension target and added the beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) handler.

  4. Configured the associated domains capability in my host/demo app.

  5. Added the MDM entitlement com.apple.developer.associated-domains.mdm-managed.

In my host app I now want to start testing the whole setup, but I'm quite stuck on where to go.

In my sample I initialise an authProvider:

import AuthenticationServices

// Provider for the identity provider URL that the SSO extension is configured for
let authProvider = ASAuthorizationSingleSignOnProvider(identityProvider: URL(string: "https://myservicedotcom/as/authorization.oauth2")!)

Unfortunately, I never make it to the next step where I'm for example being presented with a login dialogue.

Codewise, I'm not ending up in my if condition:

if self.authProvider.canPerformAuthorization {
    // Build a login request and hand it to an ASAuthorizationController
    let request = self.authProvider.createRequest()
    request.requestedOperation = ASAuthorization.OpenIDOperation.operationLogin
    self.authController = ASAuthorizationController(authorizationRequests: [request])
    self.authController?.delegate = self
    self.authController?.presentationContextProvider = self as! ASAuthorizationControllerPresentationContextProviding
    self.authController?.performRequests()
} else {
    // canPerformAuthorization is false when no configured SSO extension handles this identity provider URL
    print("error")
}

Am I missing some other component that would allow me to start logging in? Can I put some components in place that allow me to better debug this setup and get to the root cause?

Hello,

There are a couple of additional diagnostic steps you can take.

1) Take a sysdiagnose for your device and check the swcutil_show.txt file in it. Search for your domain and check that it was successful. If it wasn't successful, resolve this before proceeding.

2) Install the Single Sign-On debug profile from the developer site to add additional logs to the console logs. Check for applicable errors when you make the canPerformAuthorization call in your app. This should help you see where it is not working for you.

If you see an error that doesn't make sense, please reach out again.

Dear support,

I've been trying to proceed to fix this issue. I managed to set up associated domains, as I do get the 'open your app' toolbar inside Safari, and when pressing the link my app is opened instead of Safari. For the authsrv value I see -> "Site/Fmwk Approval: denied." It seems that something is not set correctly yet.

Looking at your 1st suggestion I found the following:

Service: authsrv
App ID: <myTeamID>.<mybundleID>
App Version: 1
Domain: mydomain.com
User Approval: unspecified
Site/Fmwk Approval: denied
Flags:
Last Checked: 2020-09-22 14:49:49 +0000
Next Check: 2020-09-27 14:02:22 +0000
Service: applinks
App ID: <myTeamID>.<mybundleID>
App Version: 1
Domain: mydomain.com
Patterns: {"/":"*"}
User Approval: unspecified
Site/Fmwk Approval: approved
Flags:
Last Checked: 2020-09-22 14:49:49 +0000
Next Check: 2020-09-27 14:02:22 +0000

Service: authsrv
App ID: <myTeamID>.<mybundleID>
App Version: 1
Domain: myotherdomain.com
User Approval: unspecified
Site/Fmwk Approval: denied
Flags:
Last Checked: 2020-09-22 15:03:35 +0000
Next Check: 2020-09-27 14:16:08 +0000

Service: applinks
App ID: <myTeamID>.<mybundleID>
App Version: 1
Domain: myotherdomain.com
Patterns: {"/":"*"}
User Approval: unspecified
Site/Fmwk Approval: approved
Flags:
Last Checked: 2020-09-22 15:03:35 +0000
Next Check: 2020-09-27 14:16:08 +0000

Service: applinks
App ID: 6U3RF4C84N.com.pingidentity.pingid.prod
App Version: 1133
Domain: idpxnyl3m.pingidentity.eu
Patterns: {"/":"/pingid/*"}
User Approval: unspecified
Site/Fmwk Approval: approved
Flags:
Last Checked: 2020-09-23 12:21:31 +0000
Next Check: 2020-09-28 11:34:04 +0000

Service: applinks
App ID: 6U3RF4C84N.com.pingidentity.pingid.prod
App Version: 1133
Domain: idpxnyl3m.pingidentity.com
Patterns: {"/":"/pingid/*"}
User Approval: unspecified
Site/Fmwk Approval: approved
Flags:
Last Checked: 2020-09-23 12:21:32 +0000
Next Check: 2020-09-28 11:34:05 +0000

Service: applinks
App ID: 6U3RF4C84N.com.pingidentity.pingid.prod
App Version: 1133
Domain: idpxnyl3m.pingidentity.com.au
Patterns: {"/":"/pingid/*"}
User Approval: unspecified
Site/Fmwk Approval: approved
Flags:
Last Checked: 2020-09-23 12:21:33 +0000
Next Check: 2020-09-28 11:34:06 +0000
I'll investigate on your second suggestion and reply in a separate comment.

Best regards.

Barry
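
A small check for the first diagnostic step suggested above, applied to swcutil_show.txt records like the ones pasted in this reply. This is example code added to the thread, not from Apple or any poster; the SAMPLE text and the TEAMID.com.example.app identifier are constructed placeholders mirroring the record format shown above.

```python
"""Parse swcutil_show.txt-style records (from a sysdiagnose) and flag
associated-domain services whose site-side approval is not 'approved'.
Example added to this thread, not Apple's or any poster's code; SAMPLE
is constructed to mirror the records quoted above, with a placeholder App ID."""
import re

SAMPLE = """\
Service: authsrv
App ID: TEAMID.com.example.app
Domain: mydomain.com
User Approval: unspecified
Site/Fmwk Approval: denied
Last Checked: 2020-09-22 14:49:49 +0000

Service: applinks
App ID: TEAMID.com.example.app
Domain: mydomain.com
Patterns: {"/":"*"}
User Approval: unspecified
Site/Fmwk Approval: approved
Last Checked: 2020-09-22 14:49:49 +0000
"""

def parse_records(text):
    """Split the dump on blank lines; each record becomes a dict of 'Key: value'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def unapproved(records, app_id=None, service="authsrv"):
    """Return (domain, approval) for records of `service` that are not site-approved."""
    return [
        (r["Domain"], r.get("Site/Fmwk Approval", "missing"))
        for r in records
        if r.get("Service") == service
        and (app_id is None or r.get("App ID") == app_id)
        and r.get("Site/Fmwk Approval") != "approved"
    ]

if __name__ == "__main__":
    for domain, status in unapproved(parse_records(SAMPLE)):
        print(f"{domain}: authsrv site approval is '{status}'")
```

Run it over the real swcutil_show.txt instead of SAMPLE to get the list of domains whose authsrv entry is still denied; those are the domains whose served apple-app-site-association file needs to be checked for the authsrv service before the extension can be expected to trigger.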

Hello Folks,

Have you got this to work? I'm trying to set up a new SSO Extension but it does not work at all. Here is what I did:
1) I have followed the steps in the Tech Talk to configure the MDM payload in AirWatch.
2) I have installed the debug profiles that Apple suggested for troubleshooting.
3) I have created a "dummy" identity provider.
   a. I understand that we need to set up a URL that will be detected by iOS and redirected to the extension. I have created a simple webpage on a valid/secured web server and used that URL as my IdP.
   b. In the dummy website, I have created the ".wellknown/*" file.
   c. I have triggered the sysdiagnose command on my iPad. The authsrv entry seems fine. I guess it is because the Apple CDN can successfully access the well-known file... I'm not sure because I have not found solid documentation on how this is supposed to work anywhere.
   d. The MDM settings are sent to the device properly.
   e. I have tried opening the device console but I could not see any useful information there, even after installing the SSO profile on the device.
4) I have a main app where I already use ASWebAuthenticationSession to get the SAML/OAuth token. This already works. Based on the Tech Talk, I'd assume that Enterprise SSO would work OOTB, but nothing happens; just the regular SAML flow is executed and the SSO extension is never triggered.

Do we have any troubleshooting tools for this, to find out why the extension is not being triggered? Is there any way to get specific log files that bring up useful information about the SSO process?

Thanks,

Luciano
