How to support Kerberos SSO in a WKWebView-based app?

Our app is based on WKWebView and now we want to support Kerberos SSO. Is there a solution?

Replies

In general, requests issued by the web view should be considered as originating from your app, and thus Kerberos SSO should apply to them just like it’d apply to requests you issue via NSURLSession. Have you tried this already? If so, what did you see?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Do you mean Kerberos SSO is supported automatically by iOS without any code change in my app?

From this document (https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/), to configure SSO I need to create a configuration profile that includes the user principal name (that is, the Active Directory user account) and the Kerberos realm settings, and that configures which apps and/or Safari web URLs should be allowed to use SSO. Then I install the profile on the device, and after that our app should support Kerberos SSO, right?

Do you mean Kerberos SSO is supported automatically by iOS without any code change in my app?

Yes.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I created two Kerberos sites in IIS and added them to the profile below to verify Kerberos SSO. My finding is that after I open site #1 in Safari and sign in by entering a username and password, when I then open site #2 in Safari I expect it to sign in automatically without a password prompt, but in fact the username/password dialog is shown again. Is my test method wrong? How can I verify Kerberos SSO?


<?xml version="1.0" encoding="UTF-8"?>
<!-- Customize any area that contains curly brackets {} -->
<!-- Random GUIDs can be generated here http://www.guidgenerator.com/ -->
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDisplayName</key>
            <string>SSO Settings</string>
            <key>PayloadType</key>
            <string>com.apple.sso</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadUUID</key>
            <string>01278adf-9f52-4ec3-8ef5-ca8050bae986</string>
            <key>PayloadIdentifier</key>
            <string>com.company.sso</string>
            <key>Name</key>
            <string>company Domain</string>
            <key>Kerberos</key>
            <dict>
                <key>Realm</key>
                <string>COMPANY.COM</string>
                <key>URLPrefixMatches</key>
                <array>
                    <string>http://site1</string>
                    <string>http://site2/</string>
                </array>
                <key>AppIdentifierMatches</key>
                <array>
                    <string>com.apple.mobilesafari</string>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadOrganization</key>
    <string>company</string>
    <key>PayloadDisplayName</key>
    <string>Single Sign-On Profile</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadUUID</key>
    <string>b1b13d65-06de-4550-bdb4-26763ca6d185</string>
    <key>PayloadIdentifier</key>
    <string>com.company.sso.profile</string>
    <key>PayloadDescription</key>
    <string>Enables Kerberos Authentication</string>
    <key>PayloadType</key>
    <string>Configuration</string>
</dict>
</plist>
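One way to answer "how can I verify Kerberos SSO" is to look at the HTTP exchange itself rather than at whether a prompt appears. The script below is an added example (my code, not the poster's and not anything from Apple): it reads a 401 challenge and tells you whether the server offers Negotiate at all, and it decodes the token the client later sends in Authorization: Negotiate to tell whether that token is SPNEGO/Kerberos or an NTLM fallback, which is the usual reason a "Negotiate" site still prompts for a password. The responses and tokens are constructed samples, and the header parsing assumes IIS's one-challenge-per-header layout.

```python
"""Offline check of a Kerberos/SPNEGO HTTP exchange.

Added example for this thread, not code from the poster or from Apple.
The responses and tokens below are constructed samples; no network access."""
import base64
from typing import List

# Constructed sample: the 401 challenge an IIS site with Windows Authentication
# (Negotiate, NTLM) returns before any credentials are sent.
CHALLENGE_OK = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: a site that only offers Basic, which always yields a
# username/password prompt no matter what the SSO profile says.
CHALLENGE_BASIC_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="site2"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Mechanism OIDs as they appear DER-encoded right after the 0x60 wrapper of a
# GSS-API initial context token.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"             # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"   # 1.2.840.113554.1.2.2

# Constructed sample Authorization values (truncated tokens; real ones carry
# the NegTokenInit / AP-REQ after the OID).
SAMPLE_NTLM_AUTH = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode()
SAMPLE_SPNEGO_AUTH = "Negotiate " + base64.b64encode(
    b"\x60\x08" + SPNEGO_OID).decode()


def challenge_schemes(raw_response: str) -> List[str]:
    """Auth schemes offered in WWW-Authenticate headers, in header order.
    Assumes one challenge per header line, which is how IIS emits them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ", 1)[0].rstrip(","))
    return schemes


def classify_negotiate_token(authorization: str) -> str:
    """Say what the client actually put inside 'Authorization: Negotiate'.

    'ntlm' means the Negotiate exchange fell back to NTLM, so no Kerberos
    ticket was obtained; 'spnego' or 'kerberos' is what SSO should produce."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return "not-negotiate"
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "invalid"
    if blob.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if blob[:1] == b"\x60":     # [APPLICATION 0] wrapper of an InitialContextToken
        if SPNEGO_OID in blob[:16]:
            return "spnego"
        if KRB5_OID in blob[:16]:
            return "kerberos"
    return "unknown"


def diagnose(raw_response: str) -> str:
    """One-line verdict on whether the server side can take Kerberos at all."""
    schemes = [s.lower() for s in challenge_schemes(raw_response)]
    if "negotiate" in schemes:
        return "server offers Negotiate; Kerberos SSO can apply if SPN and profile match"
    if schemes:
        return "server offers only " + ", ".join(schemes) + "; the SSO profile cannot apply"
    return "no WWW-Authenticate challenge in response"


if __name__ == "__main__":
    for sample in (CHALLENGE_OK, CHALLENGE_BASIC_ONLY):
        print(challenge_schemes(sample), "->", diagnose(sample))
    for auth in (SAMPLE_NTLM_AUTH, SAMPLE_SPNEGO_AUTH):
        print(auth[:30] + "...", "->", classify_negotiate_token(auth))
```

To use it on a real device, capture the 401 response and the follow-up request through a debugging proxy and feed the raw response and the Authorization header value to the two functions. A site whose challenge never lists Negotiate, or a client token that decodes to NTLMSSP, explains a password prompt without any need to suspect the profile.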

I’m sorry but I can’t help you with Kerberos configuration issues. My experience with Kerberos is very limited, and it’s exclusively focused on the APIs involved. When dealing with high-level APIs — WKWebView, NSURLSession, and indeed Safari — there are no Kerberos-specific APIs you can call. If things are configured correctly, it should Just Work™, and if it doesn’t then either things are not configured correctly or you’ve hit a limitation of the system. Either way, this is something that you’ll have to talk to Apple Support about.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

How can I contact the Apple support team?

The regular Kerberos prerequisites still apply to the site. There has to be an SPN registered for the site that matches the full hostname entered in the browser. Also, the Kerberos SSO profile must use the same names. E.g., for site1.domain.com there must be an SPN for HTTP/site1.domain.com, and the profile should list either site1.domain.com or .domain.com for the hosts entry.
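The two rules in the reply above (the SPN has to match the full hostname the browser uses, and the profile has to list the same names) can be checked against the profile before it is ever installed. The script below is an added example, my code rather than the poster's or Apple's: it parses a com.apple.sso payload, derives the HTTP/host SPN each URLPrefixMatches entry implies, flags entries that do not start with http:// or https://, flags single-label hostnames (on the assumption, taken from the reply, that the SPN and URL should use the FQDN), and flags an AppIdentifierMatches list that is present but does not name the app under test, since a WKWebView app has its own bundle identifier rather than Safari's. The embedded profile is a constructed copy of the one posted earlier in the thread and com.company.app is a hypothetical bundle identifier.

```python
"""Static check of a Kerberos SSO configuration profile (com.apple.sso payload).

Added example for this thread, not the poster's or Apple's code. SAMPLE_PROFILE
is a constructed copy of the profile posted above; com.company.app is a
hypothetical bundle identifier standing in for the WKWebView app."""
import plistlib
from typing import Any, Dict, List
from urllib.parse import urlsplit

SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.sso</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadUUID</key><string>01278adf-9f52-4ec3-8ef5-ca8050bae986</string>
      <key>PayloadIdentifier</key><string>com.company.sso</string>
      <key>Name</key><string>company Domain</string>
      <key>Kerberos</key>
      <dict>
        <key>Realm</key><string>COMPANY.COM</string>
        <key>URLPrefixMatches</key>
        <array><string>http://site1</string><string>http://site2/</string></array>
        <key>AppIdentifierMatches</key>
        <array><string>com.apple.mobilesafari</string></array>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadUUID</key><string>b1b13d65-06de-4550-bdb4-26763ca6d185</string>
  <key>PayloadIdentifier</key><string>com.company.sso.profile</string>
</dict>
</plist>
"""


def sso_payloads(profile: bytes) -> List[Dict[str, Any]]:
    """Every com.apple.sso payload inside a configuration profile."""
    top = plistlib.loads(profile)
    return [p for p in top.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.sso"]


def expected_spns(payload: Dict[str, Any]) -> List[str]:
    """The HTTP service principal (HTTP/<host>) each URL prefix implies.
    These are the names that must exist in Active Directory (setspn)."""
    spns = []
    for prefix in payload.get("Kerberos", {}).get("URLPrefixMatches", []):
        host = urlsplit(prefix).hostname
        if host:
            spns.append("HTTP/" + host)
    return spns


def check_payload(payload: Dict[str, Any], app_bundle_id: str) -> List[str]:
    """Findings for one SSO payload as seen by the app with app_bundle_id."""
    findings = []
    krb = payload.get("Kerberos", {})
    if "Realm" not in krb:
        findings.append("no Realm in Kerberos dict")
    for prefix in krb.get("URLPrefixMatches", []):
        parts = urlsplit(prefix)
        if parts.scheme not in ("http", "https"):
            findings.append(f"{prefix}: URLPrefixMatches entries must start with http:// or https://")
            continue
        # Assumption from the reply above: the SPN must match the full hostname
        # the browser uses, so a single-label name is a likely mismatch.
        if parts.hostname and "." not in parts.hostname:
            findings.append(f"{prefix}: single-label host; SPN must match the FQDN "
                            f"entered in the browser (HTTP/<fqdn>)")
    apps = krb.get("AppIdentifierMatches")
    if apps is not None and app_bundle_id not in apps:
        findings.append(f"AppIdentifierMatches is set but does not list {app_bundle_id}; "
                        f"the account will not be offered to that app")
    return findings


if __name__ == "__main__":
    for payload in sso_payloads(SAMPLE_PROFILE):
        print("payload:", payload.get("PayloadIdentifier"))
        print("  SPNs to register:", expected_spns(payload))
        for finding in check_payload(payload, "com.company.app"):
            print("  -", finding)
```

Run against the posted profile with the WKWebView app's bundle identifier, the check reports the short hostnames for both sites and the missing app identifier; run with com.apple.mobilesafari, only the hostname findings remain, which matches the symptom of the Safari test above.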