Extensible SSO and sample code

Much of the "What's new in Managing Devices" session was spent on Extensible SSO, which seems very interesting.

https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignonsso


I understand that this is not the same as "Sign in with Apple."


Are there resources for sample code for SSO extensions? What's the API that apps will need to take advantage of the SSO extensions? ASWebAuthenticationSession or something else?


Specifically, I'm trying to get a sense of how much effort existing apps will need to adopt this system, and how quickly SSO providers will be providing solutions.


Thanks!

Aaron

Accepted Reply

There is a Tech Talk video on this topic that seems to go into more detail:

https://developer.apple.com/videos/play/tech-talks/301/

Replies

I have a similar question. I have an app that implements the extension but I can't get it to actually add a header to an HTTP request. I'm assuming that if I go to the URL listed in the MDM profile it will add the header, but I'm not seeing that.


import UIKit
import AuthenticationServices


class AuthenticationViewController: UIViewController {


    var authorizationRequest: ASAuthorizationProviderExtensionAuthorizationRequest?


    override func loadView() {
        super.loadView()
        // Do any additional setup after loading the view.
    }


    override var nibName: String? {
        return "AuthenticationViewController"
    }
}


extension AuthenticationViewController: ASAuthorizationProviderExtensionAuthorizationRequestHandler {
    
    public func beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) {
        self.authorizationRequest = request


        // Call this to indicate immediate authorization succeeded.
        let authorizationHeaders: [String: String] = ["Authorization" : "API mytoken"] // TODO: Fill in appropriate authorization headers.
        request.complete(httpAuthorizationHeaders: authorizationHeaders)
       
        // Or present authorization view and call self.authorizationRequest.complete() later after handling interactive authorization.
        // request.presentAuthorizationViewController(completion: { (success, error) in
        //     if error != nil {
        //         request.complete(error: error!)
        //     }
        // })
    }
}

MDM profile looks like:

  <dict>
    <key>ExtensionIdentifier</key>
    <string>com.example.Example-Authenticator.Example-SSO</string>
    <key>PayloadDescription</key>
    <string>Configures Single Sign-On Extensions</string>
    <key>PayloadDisplayName</key>
    <string>Single Sign-On Extensions</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.extensiblesso.F161FF82-39EB-41F8-9964-CF0EA36AEBBA</string>
    <key>PayloadType</key>
    <string>com.apple.extensiblesso</string>
    <key>PayloadUUID</key>
    <string>F161FF82-39EB-41F8-9964-CF0EA36AEBBA</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>Type</key>
    <string>Redirect</string>
    <key>URLs</key>
    <array>
      <string>https://company.example.com</string>
    </array>
  </dict>



I was expecting that if I just went to https://company.example.com in Safari I would see the header. It's a debug build of the app.

Is there still no sample code for implementing this?

Does your server have .well-known/associated.... json file?

Has anyone had any luck getting their extension to fire? I believe I've got everything set up, but it just doesn't trigger and I have no idea why.

Are there any samples available from the WWDC demo for Enterprise Extensible SSO?

It seems like you're confusing the two types of SSO extensions.

If you want to provide headers, your extension should be of a Credential type, not Redirect.

A Redirect extension is for handling requests.

Credential requests are for handling challenges.
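
As an added example (not code from this thread, and not Apple's extension template), here are the two shapes a request handler takes, one per extension type: the Credential handler answers a challenge with headers only, while the Redirect handler answers a request with a full HTTP response. The managed-caller policy, the redirect_uri query parameter, the header value and the authorization code are all assumptions for illustration. The matching profile differs too: a Credential-type payload lists Hosts (and optionally Realm) instead of the URLs array shown above for the Redirect type.

```swift
import UIKit
import AuthenticationServices

// Added example, not code from the thread. Each class is the principal class
// (NSExtensionPrincipalClass) of a separate SSO extension target, because the
// MDM profile's Type key selects one behaviour per extension.

// Type = Credential, profile lists Hosts (and optionally Realm). The system hands
// the extension an HTTP challenge for a matching host; the answer is a set of
// request headers, which is what the earlier post's handler already returns.
final class CredentialHandlerViewController: UIViewController,
    ASAuthorizationProviderExtensionAuthorizationRequestHandler {

    func beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) {
        // Example policy (assumed): hand out the header only to managed apps and let
        // unmanaged callers fall through to the normal challenge handling.
        guard request.callerManaged else {
            request.doNotHandle()
            return
        }
        // Scheme and token value are placeholders; a real extension obtains them
        // from its identity provider.
        request.complete(httpAuthorizationHeaders: ["Authorization": "Bearer example-token"])
    }
}

// Type = Redirect, profile lists URLs. The request arrives when an app calls
// ASAuthorizationSingleSignOnProvider with an identity-provider URL covered by
// the profile. The answer is a full HTTP response, here a 302 back to the caller.
final class RedirectHandlerViewController: UIViewController,
    ASAuthorizationProviderExtensionAuthorizationRequestHandler {

    func beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) {
        switch request.requestedOperation {
        case .operationLogin:
            redirectBack(from: request)
        case .operationLogout:
            // Nothing to clear in this example; report success.
            request.complete()
        default:
            // Refresh and any other operation are left to the system.
            request.doNotHandle()
        }
    }

    // Assumption: the identity-provider URL carries an OAuth-style redirect_uri
    // query parameter. The authorization code is a placeholder.
    private func redirectBack(from request: ASAuthorizationProviderExtensionAuthorizationRequest) {
        guard let components = URLComponents(url: request.url, resolvingAgainstBaseURL: false),
              let callback = components.queryItems?.first(where: { $0.name == "redirect_uri" })?.value,
              var target = URLComponents(string: callback) else {
            request.complete(error: ASAuthorizationError(.invalidResponse))
            return
        }
        target.queryItems = (target.queryItems ?? []) + [URLQueryItem(name: "code", value: "example-code")]
        guard let location = target.url,
              let response = HTTPURLResponse(url: request.url, statusCode: 302, httpVersion: "HTTP/1.1",
                                             headerFields: ["Location": location.absoluteString]) else {
            request.complete(error: ASAuthorizationError(.failed))
            return
        }
        request.complete(httpResponse: response, httpBody: nil)
    }
}
```

The point to take from the two handlers: complete(httpAuthorizationHeaders:) belongs to the Credential flow, complete(httpResponse:httpBody:) to the Redirect flow, and doNotHandle() is how either hands a request it does not want back to the system instead of failing it.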

Can I use this code for Redirect Extension?

import UIKit
import AuthenticationServices
class LoginViewController: UIViewController {
    var authController: ASAuthorizationController?
    // Must be a URL covered by the Redirect extension's profile, or canPerformAuthorization is false.
    let authProvider = ASAuthorizationSingleSignOnProvider(identityProvider: URL(string: "https://example.com")!)
    @IBAction func logIn(_ sender: Any) {
        guard authProvider.canPerformAuthorization else { return }
        let request = authProvider.createRequest()
        request.requestedOperation = ASAuthorization.OpenIDOperation.operationLogin
        authController = ASAuthorizationController(authorizationRequests: [request])
        authController?.delegate = self
        authController?.presentationContextProvider = self
        authController?.performRequests()
    }
}
extension LoginViewController: ASAuthorizationControllerDelegate, ASAuthorizationControllerPresentationContextProviding {
    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor { return view.window! }
    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        // The extension's HTTP response comes back as an ASAuthorizationSingleSignOnCredential.
        let credential = authorization.credential as? ASAuthorizationSingleSignOnCredential
        print(credential?.authenticatedResponse?.statusCode ?? 0)
    }
    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) { print(error) }
}

Any update on this? We are also looking for some sample code for it.