Hello everyone, I'm currently in the process of implementing platform SSO (Single Sign-On) in macOS and could use some guidance. I find myself a bit confused during the device registration phase, particularly because my Identity Provider (IdP) needs to support it. I'm wondering if Platform SSO will handle this automatically or if there are specific steps I need to take. Additionally, I'm unsure whether I need to share the device signing and encryption key in my identity. Could someone please clarify this for me? Finally, I would greatly appreciate it if someone could provide me with some sample code or starting pointers to help me get started on the right track. More into apart from OpenID, SAML protocol what else the Idp needs to change to support Platform SSO. Thank you in advance for your assistance!

Our app is currently employing an SSO extension. Our implementation of beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) seems to be working correctly, as we are able to process the request and complete the SSO. Unfortunately we seem to be running into trouble getting an associated UI to display for our users. Our info.plist file for the extension has the value NSExtensionPrincipalClass:$(PRODUCT_MODULE_NAME).AuthenticationViewController and we have an accompanying storyboard file named AuthenticationViewController.xib where the file's owner is set to our custom view controller. We have added a window and some views to this storyboard file and linked them to our view controller which is also named AuthenticationViewController The window will appear when the extension is activated. However, this window will appear behind the safari window we have open, and we cannot seem to bring it to the front of the other views. Traditional methods do not seem to work since the extension cannot access a sharedApplication object. We have tried other methods, including using NSRunningApplication.runningApplications to locate the extension via bundle identifier and activate it, but activation still does not bring it to the front of all open windows. We also tried using presentAuthorizationViewController(completion: @escaping (Bool, Error?) -> Void) to no avail. We got true for our result in the completion closure, but we couldn't get the UI to display at all in that case. We fear that we may be misguided in our approach, and have not configured our storyboard correctly to achieve the desired result. We have been able to find no example of this for macOS so any help would be greatly appreciated!

Hello! We are relaunching our app on an aggressive timeline and we really need these entitlements enabled on the backend. I have the ticket created already and I keep reaching out but I have not heard back yet. Does anyone know how we can expedite this request or someone I could reach out to? Thanks!

Hi, we are using the EXTSINGLESIGNONKERBEROS from Ivanti (MobileIron) MDM server in order to get the Kerberos authentication against our SharePoint and OneDrive system running. This worked perfectly fine with the iOS system while we are retrieving the password popup from the iOS SSO Extension. For all the calls we made against our server the system just used the Kerberos ticket for the connection. Now we faced an issue with the WKWebView. We are opening images in the WKWebView but this happens completely without any connection inside the WKWebView. We loading the data of the image upfront and open the WKWebView with a local path from the iPhone / iPad. Somehow after the WKWebView loaded the content our connection does not use our Kerberos ticket anymore. All our calls fail with 401 (because we are not adding any user information to our request - the system Extension is doing it automatically). Just after a restart of the app the Kerberos ticket is added to our request again. Does anyone know why this happens? I already tried to write the cookies from the NSHttpCookieStorage SharedStorage to the WKWebView cookies but no success. If we use WKWebView but not loading any content Kerberos is still working after closing the page. It only happens once LoadUrl, LoadData, etc processed. Any additional help or idea would be appreciated. Thank you.