What is the right way to store user credentials?

Hi, I'm developing a custom suite of apps for a small business. We have a custom backend that uses bearer token authentication. So the user logs in and is granted an access and refresh token.

I want a single sign-on experience, where the user needs to sign in to only one app and then has access to all the other apps. However, I'm getting confused by all the possible options for authentication that iOS provides and how they work together.

Like password autofill, keychain, SSO extensions. For example:
  • what is the purpose of keychain sharing when password autofill can share credentials based on associated domains

  • should I somehow manually save credentials like password and username when password autofill is used

  • what is the difference between using a shared keychain and SSO

Can anyone clarify?

Thank you in advance 😊
Answered by Systems Engineer in 623776022
The main thing to remember here is that all of these technologies can work together to accomplish an SSO experience for your users. From a non-MDM standpoint, Password AutoFill saves credentials into your Passwords and Accounts and utilizes iCloud Keychain to provide access to these credentials for specific domains with APIs like ASWebAuthenticationSession. On the MDM-managed side of the house, capabilities like Enterprise SSO can be set up for specific domains to save credentials, and then Authentication Services extensions are used to leverage those credentials when using protected resources through Safari or in a native macOS or iOS application. On the Enterprise side of the house, keep in mind that you will also need an Identity Provider to manage the lifetime of these credentials, but the client-side management can be the same. Take a look at Tech Talk 301, Introducing Extensible Enterprise SSO, for more information on how MDM-managed SSO can work in your environment.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
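As an added example (not part of the original question or of the DTS answer above), here is how the bearer-token side of this could be handled with keychain sharing: the refresh token issued by the custom backend is written to a keychain access group that every app in the suite lists in its Keychain Sharing entitlement, so a sign-in in one app is visible to the others. The access group name, service name and account names below are assumptions; the real group is prefixed by your Team ID and must appear in each app's `keychain-access-groups` entitlement.

```swift
import Foundation
import Security

/// Stores the backend's bearer tokens in a keychain access group shared by
/// every app in the suite. The group name is a placeholder (assumption): the
/// real value must be declared in each app's Keychain Sharing entitlement.
struct SharedTokenStore {
    enum TokenError: Error {
        case unhandled(OSStatus)
        case notFound
        case badData
    }

    let accessGroup: String                   // e.g. "TEAMID.com.example.suite.shared" (assumed)
    let service = "com.example.suite.auth"    // assumed service name shared by all apps

    /// Attributes that identify one token item across all apps in the group.
    private func baseQuery(account: String) -> [String: Any] {
        [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecAttrAccessGroup as String: accessGroup,
        ]
    }

    /// Saves or overwrites a token. "ThisDeviceOnly" keeps the refresh token
    /// out of iCloud Keychain sync and device backups; "AfterFirstUnlock" lets
    /// background refreshes read it once the device has been unlocked once.
    func save(_ token: String, account: String) throws {
        guard let data = token.data(using: .utf8) else { throw TokenError.badData }
        var attrs = baseQuery(account: account)
        attrs[kSecValueData as String] = data
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

        let status = SecItemAdd(attrs as CFDictionary, nil)
        if status == errSecDuplicateItem {
            // Item already exists (written by this or another app in the group): update it.
            let update: [String: Any] = [kSecValueData as String: data]
            let updateStatus = SecItemUpdate(baseQuery(account: account) as CFDictionary,
                                             update as CFDictionary)
            guard updateStatus == errSecSuccess else { throw TokenError.unhandled(updateStatus) }
        } else if status != errSecSuccess {
            throw TokenError.unhandled(status)
        }
    }

    /// Reads a token written by any app in the access group.
    func load(account: String) throws -> String {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status != errSecItemNotFound else { throw TokenError.notFound }
        guard status == errSecSuccess else { throw TokenError.unhandled(status) }
        guard let data = item as? Data,
              let token = String(data: data, encoding: .utf8) else { throw TokenError.badData }
        return token
    }

    /// Removes the token for every app in the group (sign-out from one app signs out all).
    func delete(account: String) throws {
        let status = SecItemDelete(baseQuery(account: account) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw TokenError.unhandled(status)
        }
    }
}

// Usage after the backend returns tokens (placeholder values, not real credentials):
let store = SharedTokenStore(accessGroup: "TEAMID.com.example.suite.shared")
do {
    try store.save("<refresh token returned by the backend>", account: "refresh-token")
    let refresh = try store.load(account: "refresh-token")
    print("Shared refresh token present: \(!refresh.isEmpty)")
} catch {
    print("Keychain error: \(error)")
}
```

Only the long-lived refresh token needs to be persisted this way; the short-lived access token can live in memory and be re-derived from the refresh token when an app launches. This is a different job from Password AutoFill, which keeps the user's actual password in iCloud Keychain for filling login forms via associated domains; the shared access group is what lets the apps share the session that results from that login.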