Hi,
We are using the MSAL library to authenticate users, with SSO authentication implemented through the Microsoft Authenticator app.
The problem is that once or twice a day, a prompt for forced authentication appears, indicating that silent token acquisition is failing and resulting in a requirement for forced authentication. Below are some of the logs:
=================================================
2025-08-28 11:00:05.034 [Info] [AppDelegate.swift:121] application(:didFinishLaunchingWithOptions:) > MSAL message: TID=751353 MSAL 1.8.1 iOS 18.5 [2025-08-28 10:00:05 - EC9D1457-2D70-4878-926F-553391EBC9D3] [MSAL] Silent flow finished. Result (null), error: -51115 error domain: MSIDErrorDomain
2025-08-28 11:00:05.034 [Info] [AppDelegate.swift:121] application(:didFinishLaunchingWithOptions:) > MSAL message: TID=751353 MSAL 1.8.1 iOS 18.5 [2025-08-28 10:00:05 - EC9D1457-2D70-4878-926F-553391EBC9D3] [MSAL] acquireTokenSilent returning with error: (MSALErrorDomain, -50002) Masked(not-null)
====================================================
We initially raised this issue with Microsoft, but according to them:
In the app's logs, the single one failure it contains, was when the SSO extension returned the error com.apple.AuthenticationServices.AuthorizationError, -6000 during a silent call. This error code is generated by the system framework (Apple), not by our code. It indicates that the framework encountered an unexpected internal issue before or after calling the SSO extension.
MSAL returning interaction_required to the client app is the most effective way to recover from this error (as you mention, after the user selects the account the app continues working as expected).
Additionally, as you also mention, the interactive call is made by switching to Authenticator (not displaying a "window" without leaving Eva Lite app), which means MSAL is not able to use the SSO extension and is using the fallback to legacy authentication.
The recommended next step is for the customer to request support directly from Apple as this is an issue on their side. Additionally, the customer can also try to update to the latest iOS, in case Apple has already fixed this issue.
=============================================
STEPS TO REPRODUCE
There is no such steps its just that this is an enterprise application which is getting used on managed devices[iPhone 14]. The device are managed using some intune policy.
Platform and Version:
iOS
Development Environment: Xcode 15, macOS 13.6.1
Run-time Configuration: iOS 18
Please let me know if there are any solutions to resolve this problem. Thank you.
SSOExtensions
RSS for tagEnable single sign-on for apps and websites for your business or school.
Posts under SSO Extensions tag
11 Posts
Selecting any option will automatically load the page
Post
Replies
Boosts
Views
Activity
Dear Team,
We are working on retrieving email address of the user joined to Entra ID from Entra-joined macOS devices, specifically while running in a system context.The sudo dscl . -read /Users/$(whoami) RecordName command give the local user name whose password is synced with the entra ID. We would greatly appreciate guidance on how to retrieve the Entra ID joined user’s email address in a system context from Entra Joined mac devices, especially from those with prior experience in this area.
Thank you for your support.
I tried with VSUserAccountManager.shared.requestAutoSignInAuthorization(). It did prompt a popup but with errors.
I do have 'com.apple.smoot.subscriptionservice' configured in the entitlement. I don't know what's happened? Could you help me out.
Hello everyone,
I'm currently in the process of implementing platform SSO (Single Sign-On) in macOS and could use some guidance. I find myself a bit confused during the device registration phase, particularly because my Identity Provider (IdP) needs to support it. I'm wondering if Platform SSO will handle this automatically or if there are specific steps I need to take.
Additionally, I'm unsure whether I need to share the device signing and encryption key in my identity. Could someone please clarify this for me?
Finally, I would greatly appreciate it if someone could provide me with some sample code or starting pointers to help me get started on the right track. More into apart from OpenID, SAML protocol what else the Idp needs to change to support Platform SSO.
Thank you in advance for your assistance!
In https://developer.apple.com/forums/thread/128705?answerId=405119022#405119022, it is said that
But if it’s holding up connections that match the on demand rules, that’s the correct behaviour.
So if there was an on demand rule to connect for all domains (Connect rule without any matching criteria), all traffic would be held up while in the connecting state. The problem is that a customer can have SSO configured so that auth happens outside of the vpn app.
So sequence would be
Connect for all domains on demand rule triggers vpn connection
VPN, in order to connect, tries auth through a broker app.
VPN is in connecting state and blocks broker app traffic and so auth cannot complete and it cannot connect.
I tried adding an on demand rule for EvaluateConnection and never connect for the auth domains. However, that caused the vpn to never be triggered to connect.
Is it possible to support the scenario of an on demand rule to connect for all domains while having a vpn connection dependent on auth done in a separate app? Do you have any recommendations?
Hi, my iOS app using plugin.Firebase for google SSO. But the SSO show me a list of account which login previously, I can login with those account without inputting password. Anyway I can clean up the list or force to enter password? Thank you.
Hi,
We are developing an Enterprise SSO extension for use by our customers. It is working well for username/password. We would like to use external security tokens such as Yubikey, via NFC. This works well inside the container app.
However, it looks like NFC might not be available to the SSO extension? The container app is signed with an NFC entitlement, and has the relevant key in the plist for a prompt to show the user. We use a 3rd party package called Yubikit to communicate with the Yubikey in the container app... all good.
In the trial I did, I had the SSO appex configured as a Credential extension. I have a demo/sample host app that uses this service, that mirrors what our customer's apps will do.
Currently, due to limitations in the server we are connecting to, instead of relying on a 401 authentication challenge, I am "manually" activating the enterprise SSO credential appex using ASAuthorizationSingleSignOnProvider, then our customer's host app will use the token the SSO appex returns for authenticating its API calls. This is working perfectly for the username/password scenario.
However some of our customers are very security conscious and require hardware tokens.
When I drive the same code in the contained SSO Enterprise app extension, and attempt to activate the NFC reader the same way, it seems like it doesn't have access to NFC?
I attempted to add the entitlement to the appex as well but it wasn't even available on the list of entitlements!
This leads me to suspect that iOS doesn't allow the SSO appex process to have access to the NFC reader, and there's no way to do what I'm attempting?
Note: it is easy for us to move to using a Redirect extension instead if this is the answer, but it doesn't seem that it's likely to help?
What is the recommended approach here?
Regards,
Carl
I'm trying to create an "Extensible Enterprise SSO" extension as described in the Introducing Extensible Enterprise SSO tech talk.
My SSO extension works fine, but I want to be able to access the camera (via AVFoundation) from within the SSO extension.
According to this thread (which I can't seem to be able to reply to) - it should be possible to access the camera from within an SSO extension, however this doesn't work for me.
When I try to access the camera, I get the permission dialog, but after accepting, the camera preview is empty and no camera frames are produced.
I don't get any errors/warnings in the logs, but it immediately fires AVCaptureSession.wasInterruptedNotification notification with AVCaptureSessionInterruptionReasonKey = 1 which corresponds to videoDeviceNotAvailableInBackground.
However, the SSO extension view controller is clearly not in the background, so is this a bug - or are there special rules for requesting camera permission in an SSO extension? The same camera access works fine in the host app, just not inside the extension.
Interestingly, accessing the camera in a WKWebView using various webcam test pages, doesn't work either.
All of these tests have been on iPadOS 18.
Hi all.
So, I built the platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process.
Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari.
I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method.
But, no matter what complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]) where I insert the Bearer token into the Authorization header, it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari.
Some knows why its happening?
Thank you for any help or suggestion.
Topic:
Privacy & Security
SubTopic:
General
Tags:
Safari
SSO Extensions
Platform SSO
Authentication Services
Hi,
I'm currently in the middle of debugging between my macOS and server for implementing Platform SSO.
As part of the debug process, I sometimes want to restart the whole process, which means to get into the beginDeviceRegisteration method again.
I noticed that even if I push the Repair button in the user (under settings) it will go again and again into the beginUserRegistration, but it will not go again to the device registration.
Is there an option to reset the Platform SSO device registration? (already tried Repair, remove MDM profile of the PSSO etc.)
Hey guys, I have recently started with developing an extension to support PSSO, I am at a very initial stage and trying out device registration. I am trying to fetch the registration token in my MDM profile but when running in debug mode I don't see the token , and also when I see the console log I see errors like
error 14:44:00.465847+0530 AppSSODaemon Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration data to load" UserInfo={NSLocalizedDescription=no device configuration data to load}
error 14:44:00.466434+0530 AppSSOAgent Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration" UserInfo={NSLocalizedDescription=no device configuration}, user
default 14:44:00.466145+0530 AppSSODaemon -[PODaemonProcess deviceConfigurationForIdentifer:completion:] identifer = 96DBA2E4-6DB8-4937-85A8-69F7632B8717 on <private>
error 14:44:00.466773+0530 SSO extension Error Domain=com.apple.PlatformSSO Code=-1001 "failed to retrieve SecKeyProxyEndpoint for key" UserInfo={NSLocalizedDescription=failed to retrieve SecKeyProxyEndpoint for key, NSUnderlyingError=0x14b608820 {Error Domain=com.apple.PlatformSSO Code=-1001 "Failed to receive key proxy endpoint." UserInfo={NSLocalizedDescription=Failed to receive key proxy endpoint.}}}
I think due to some reason the PSSO process is not able to get the token from my configuration.
And this is how my configuration profile looks like
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>ExtensionIdentifier</key>
<string>com.test.PSSO.SSO-extension</string>
<key>PayloadDisplayName</key>
<string>ingle Sign-On Extensions</string>
<key>PayloadIdentifier</key>
<string>com.apple.extensiblesso.96DBA2E4-6DB8-4937-85A8-69F7632B8717</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>CDC67F3E-0687-4796-95B0-A61EF6F3F9A7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>TeamIdentifier</key>
<string>my_team_identifier</string>
<key>Type</key>
<string>Redirect</string>
<key>RegistrationToken</key>
<string>dummy_token_123</string>
<key>PlatformSSO</key>
<dict>
<key>AuthenticationMethod</key>
<string>Password</string>
<key>EnableAuthorization</key>
<true/>
<key>EnableCreateUserAtLogin</key>
<true/>
<key>NewUserAuthorizationMode</key>
<string>Standard</string>
<key>UseSharedDeviceKeys</key>
<true/>
<key>UserAuthorizationMode</key>
<string>Standard</string>
</dict>
<key>URLs</key>
<array>
<string>my_url</string>
</array>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>SSOE</string>
<key>PayloadIdentifier</key>
<string>com.test.psso.configuration</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>0DC6670F-F853-49CB-91B3-1C5ECB5D3F46</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>