SSOExtensions

RSS for tag

Enable single sign-on for apps and websites for your business or school.

Posts under SSO Extensions tag

12 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

SSO extension and NFC tag
Hi, We are developing an Enterprise SSO extension for use by our customers. It is working well for username/password. We would like to use external security tokens such as Yubikey, via NFC. This works well inside the container app. However, it looks like NFC might not be available to the SSO extension? The container app is signed with an NFC entitlement, and has the relevant key in the plist for a prompt to show the user. We use a 3rd party package called Yubikit to communicate with the Yubikey in the container app... all good. In the trial I did, I had the SSO appex configured as a Credential extension. I have a demo/sample host app that uses this service, that mirrors what our customer's apps will do. Currently, due to limitations in the server we are connecting to, instead of relying on a 401 authentication challenge, I am "manually" activating the enterprise SSO credential appex using ASAuthorizationSingleSignOnProvider, then our customer's host app will use the token the SSO appex returns for authenticating its API calls. This is working perfectly for the username/password scenario. However some of our customers are very security conscious and require hardware tokens. When I drive the same code in the contained SSO Enterprise app extension, and attempt to activate the NFC reader the same way, it seems like it doesn't have access to NFC? I attempted to add the entitlement to the appex as well but it wasn't even available on the list of entitlements! This leads me to suspect that iOS doesn't allow the SSO appex process to have access to the NFC reader, and there's no way to do what I'm attempting? Note: it is easy for us to move to using a Redirect extension instead if this is the answer, but it doesn't seem that it's likely to help? What is the recommended approach here? Regards, Carl
1
0
166
3w
Accessing camera from SSO extension
I'm trying to create an "Extensible Enterprise SSO" extension as described in the Introducing Extensible Enterprise SSO tech talk. My SSO extension works fine, but I want to be able to access the camera (via AVFoundation) from within the SSO extension. According to this thread (which I can't seem to be able to reply to) - it should be possible to access the camera from within an SSO extension, however this doesn't work for me. When I try to access the camera, I get the permission dialog, but after accepting, the camera preview is empty and no camera frames are produced. I don't get any errors/warnings in the logs, but it immediately fires AVCaptureSession.wasInterruptedNotification notification with AVCaptureSessionInterruptionReasonKey = 1 which corresponds to videoDeviceNotAvailableInBackground. However, the SSO extension view controller is clearly not in the background, so is this a bug - or are there special rules for requesting camera permission in an SSO extension? The same camera access works fine in the host app, just not inside the extension. Interestingly, accessing the camera in a WKWebView using various webcam test pages, doesn't work either. All of these tests have been on iPadOS 18.
0
1
281
Nov ’24
SSO extension with Platform SSO token issues
Hi all. So, I built the platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process. Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari. I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method. But, no matter what complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]) where I insert the Bearer token into the Authorization header, it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari. Some knows why its happening? Thank you for any help or suggestion.
0
3
327
Oct ’24
Re-register device in Platform SSO
Hi, I'm currently in the middle of debugging between my macOS and server for implementing Platform SSO. As part of the debug process, I sometimes want to restart the whole process, which means to get into the beginDeviceRegisteration method again. I noticed that even if I push the Repair button in the user (under settings) it will go again and again into the beginUserRegistration, but it will not go again to the device registration. Is there an option to reset the Platform SSO device registration? (already tried Repair, remove MDM profile of the PSSO etc.)
1
0
514
Oct ’24
Apple SSO Invalid Client Error
I am successfully generating apple_sso_session_url by using apple clientId, which is opening apple login window and asking for email and password and after that it is calling my redirectSuccessUrl and passing code to redirectSuccessUrl. I am successfully using that code and other params of apple like keyId, key(p8 file path) and team id by using those params I am able to successfully generate apple client secret export const generateClientSecret = (): string => { const privateKey = fs.readFileSync(process.env.APPLE_PRIVATE_KEY_PATH as string, 'utf8'); const claims = { iss: process.env.APPLE_TEAM_ID, iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 15777000, // 6 months aud: 'appstoreconnect-v1', sub: process.env.APPLE_CLIENT_ID, }; return jwt.sign(claims, privateKey, { algorithm: 'ES256', keyid: process.env.APPLE_KEY_ID, }); }; after that using same clientId, redirectUrl and apple_client_secret when i am calling apple api for getting token we are getting error invalid_client. const clientSecret = generateClientSecret(); const response = await axios.post('https://appleid.apple.com/auth/token', null, { params: { client_id: process.env.APPLE_CLIENT_ID, client_secret: clientSecret, code: body.code, grant_type: 'authorization_code', redirect_uri: process.env.APPLE_SSO_REDIRECT_URL, }, headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, });
0
0
220
Sep ’24
Platform single sign-on - demo app help
Hi, im trying to make a Platform single sign-on app for my Idp, and I have tried online to try and find some code/ a demo app for this I cannot find anything for the Mac OS Side, there is someone who's created the server, but no info for that on what the Mac extension should do. I have tired implementing the 2 function to required, but to no luck. After reading what I think is all of the document I'm still really confused as to how this is all supposed to work. I have got to the stage where it create the popup that says you need to authenticated with your idp but cannot work out the bugs for the rest of it. manly im getting an issue in the console that says no login config for (username) and im not sure what im doing wrong.
2
0
386
Sep ’24
macOS PSSO extension development
Hey guys, I have recently started with developing an extension to support PSSO, I am at a very initial stage and trying out device registration. I am trying to fetch the registration token in my MDM profile but when running in debug mode I don't see the token , and also when I see the console log I see errors like error 14:44:00.465847+0530 AppSSODaemon Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration data to load" UserInfo={NSLocalizedDescription=no device configuration data to load} error 14:44:00.466434+0530 AppSSOAgent Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration" UserInfo={NSLocalizedDescription=no device configuration}, user default 14:44:00.466145+0530 AppSSODaemon -[PODaemonProcess deviceConfigurationForIdentifer:completion:] identifer = 96DBA2E4-6DB8-4937-85A8-69F7632B8717 on <private> error 14:44:00.466773+0530 SSO extension Error Domain=com.apple.PlatformSSO Code=-1001 "failed to retrieve SecKeyProxyEndpoint for key" UserInfo={NSLocalizedDescription=failed to retrieve SecKeyProxyEndpoint for key, NSUnderlyingError=0x14b608820 {Error Domain=com.apple.PlatformSSO Code=-1001 "Failed to receive key proxy endpoint." UserInfo={NSLocalizedDescription=Failed to receive key proxy endpoint.}}} I think due to some reason the PSSO process is not able to get the token from my configuration. And this is how my configuration profile looks like <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>ExtensionIdentifier</key> <string>com.test.PSSO.SSO-extension</string> <key>PayloadDisplayName</key> <string>ingle Sign-On Extensions</string> <key>PayloadIdentifier</key> <string>com.apple.extensiblesso.96DBA2E4-6DB8-4937-85A8-69F7632B8717</string> <key>PayloadType</key> <string>com.apple.extensiblesso</string> <key>PayloadUUID</key> <string>CDC67F3E-0687-4796-95B0-A61EF6F3F9A7</string> <key>PayloadVersion</key> <integer>1</integer> <key>TeamIdentifier</key> <string>my_team_identifier</string> <key>Type</key> <string>Redirect</string> <key>RegistrationToken</key> <string>dummy_token_123</string> <key>PlatformSSO</key> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>EnableAuthorization</key> <true/> <key>EnableCreateUserAtLogin</key> <true/> <key>NewUserAuthorizationMode</key> <string>Standard</string> <key>UseSharedDeviceKeys</key> <true/> <key>UserAuthorizationMode</key> <string>Standard</string> </dict> <key>URLs</key> <array> <string>my_url</string> </array> </dict> </array> <key>PayloadDisplayName</key> <string>SSOE</string> <key>PayloadIdentifier</key> <string>com.test.psso.configuration</string> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>0DC6670F-F853-49CB-91B3-1C5ECB5D3F46</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>
1
1
533
Oct ’24
Single Sign-on Extensions, Safari, SafariViewService and Gating Access to Managed Apps
While it's clear that SSO Extensions can be limited to managed applications, it's not necessarily clear how to handle the scenario where a managed application is generating a SafariViewService web view to handle authentication of an account within that managed application. The SSO Extension sees SafariViewService as an unmanaged destination in User Enrolled devices, which means we can't warrant that it's coming from a managed app in the work APFS container. Is it possible to, in User Enrolled MDM Scenarios, understand where a Safari process came from (i.e., a Managed App) or a SafariViewService process came from, for the purposes of ascribing management status to the authorization request?
0
0
494
Jun ’24
Platform SSO: Is it possible to call presentRegistrationViewController(completion:) in beginUserRegistration?
In our implementation of Platform SSO, we would like to show custom UI in both the beginDeviceRegistration call as well as the beginUserRegistration call. It works fine in the beginDeviceRegistration call when we use presentRegistrationViewController. When we try to apply the same logic in beginUserRegistration, the ViewController's view.window object is nil and thus using it to house our custom UI doesn't work. I'm not sure if this is an implementation flaw on our part or if presentRegistrationViewController is only intended to be used in beginDeviceRegistration. The call is only mentioned in the context of registering devices, which makes us wonder if it is limited to that. Any help would be appreciated!
2
0
631
May ’24
Seeking Guidance for Implementing Platform SSO
Hello everyone, I'm currently in the process of implementing platform SSO (Single Sign-On) in macOS and could use some guidance. I find myself a bit confused during the device registration phase, particularly because my Identity Provider (IdP) needs to support it. I'm wondering if Platform SSO will handle this automatically or if there are specific steps I need to take. Additionally, I'm unsure whether I need to share the device signing and encryption key in my identity. Could someone please clarify this for me? Finally, I would greatly appreciate it if someone could provide me with some sample code or starting pointers to help me get started on the right track. More into apart from OpenID, SAML protocol what else the Idp needs to change to support Platform SSO. Thank you in advance for your assistance!
1
0
719
Feb ’24
Platform SSO saveLoginConfiguration error
Hi all. I'm trying to implement a Platform SSO extension for macOS and I'm freaking out. It's so complicated and with almost zero guidance documentation. I established a starting point in my SSO extension and I get the registration request to my beginDeviceRegistrationUsingLoginManager (I managed all the AASA file, MDM stuff). In this method I'm creating a ASAuthorizationProviderExtensionLoginConfiguration and I try to save it into the loginManager (ASAuthorizationProviderExtensionLoginManager which I get from the method) using saveLoginConfiguration. It worked fine, and without changing anything I started getting the next error: failed to save loginConfiguration: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" UserInfo={NSUnderlyingError=0x7ff77ff63b30 {Error Domain=com.apple.PlatformSSO Code=-1008 "Token endpoint URL is not approved profile URL." UserInfo={NSLocalizedDescription=Token endpoint URL is not approved profile URL.}}} This is my configuration: ASAuthorizationProviderExtensionLoginConfiguration *loginConfiguration = [[ASAuthorizationProviderExtensionLoginConfiguration alloc] initWithClientID:@"***" issuer:@"https://auth.platformsso.ping-eng.com/as" tokenEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/token"] jwksEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/jwks"] audience:@"***"]; And this is where it breaks: BOOL saveConf = [self.loginManager saveLoginConfiguration:loginConfiguration error:&confError]; Can someone help me with this error please?
2
0
1.1k
Jan ’24