SSO Extensions


Enable single sign-on for apps and websites for your business or school.

SSO Extensions Documentation

Posts under SSO Extensions tag

13 Posts
Post not yet marked as solved
0 Replies
276 Views
Hi, I am trying to handle an event: when one app invoking an SSO extension showing an auth UI prompt is killed or force quit, perform a certain operation in another app. Tried the steps below:
- Use NSRunningApplication to identify the process ID of the SSO extension that shows the UI and store it in NSUserDefaults.
- In the second app, check if the runningApp instance with the pid stored in NSUserDefaults isTerminated.
During testing it seems to be working, but I would like to confirm:
- Is this a reliable/acceptable approach: an app extension of the Single Sign On type trying to use the NSRunningApplication API to query another extension's activity state in a sandboxed process?
- Is there another, better way of handling this scenario?
Thanks in advance
Post not yet marked as solved
0 Replies
316 Views
I need to perform SSO login using WKWebView, and I am not using SFSafariViewController because the URL which I use is a normal web URL and I need to stop loading of the next page as soon as I get an ID value in the URL as a query parameter. Now, when I use WKWebView I am unable to log out the previous session saved in WKWebView itself until I manually clear its cache. Is there any way I can sync Safari and WKWebView sessions, so if I log in in WKWebView I can log out the same from Safari? I have tried using ASWebAuthenticationSession but, as I said, I need to stop the next page reload. HELP!!!
Post not yet marked as solved
1 Replies
248 Views
We have a hybrid iOS application built on Cordova Plugin, and it worked with Old Kerberos SSO credential-based authentication. Recently, we have updated to the New Kerberos based SSO by following the presentation ( https://developer.apple.com/videos/play/tech-talks/301/ ). After which the hybrid app is not prompting for the HTTP response challenge, but it should support the New Kerberos SSO – credential-based authentication. We could see the response header has the below attribute for the SSO handshake challenge:
Www-Authenticate: Negotiate, Basic realm="IBM Security Access Manager for Web"
But the auth prompt screen is not appearing, and the connection is throwing a 401-unauthenticated response. Note: We can see this below prompt for Old Kerb SSO but it's not showing up after New Kerberos SSO.
System Specification:
- Xcode – 13
- Cordova 6.2.0
- iPad – 15.0
Please let us know if any solution would solve this. Thanks
Post marked as solved
2 Replies
295 Views
Hi, I have a question around extensions and app group capabilities. I have an existing app using UserDefaults, and I want to introduce an SSO extension; the extension doesn't use or need any of the data created by the app and saved to UserDefaults. Will the app still have access to the UserDefaults, or do I have to move to UserDefaults(suiteName: "group.com.YourCompany.YourApp") even if UserDefaults is only used by the app? Many thanks
Post not yet marked as solved
0 Replies
178 Views
Hi, our application uses "Extensible SSO extension", due to which the end-user is not able to delete the app. The only workaround is: kill the process below: /System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSOAgent. And then delete the app. Did anyone face the same issue? Is this a known issue? Any recommendations from Apple?
Post not yet marked as solved
0 Replies
213 Views
Hi, I've built an SSO extension for my app. Now I would like to update the authsrv:login.myhost.com with additional associated domains generated by the MDM. The video here at the 9:10 mark references the MDM associated domain ApplicationAttributes for iOS as the way to go. https://developer.apple.com/videos/play/tech-talks/301/ Is it just a matter of including: com.apple.developer.associated-domains.mdm-managed=YES in the entitlement file for both the app and the extension and having the MDM push down something like this in the profile?
    <dict>
        <key>AssociatedDomains</key>
        <array>
            <string>authsrv:login.myhost2.com</string>
        </array>
    </dict>
Appreciate any guidance.
Post not yet marked as solved
0 Replies
188 Views
Hello, we are trying to implement the Kerberos SSO extension for an iOS app. The corresponding MDM profile is registered in Blackberry UEM and pushed to the iPad. When we navigate to a certain URL (for example with Safari), the public func beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) method in our extension is being invoked. As far as we understand, we have to fill the appropriate authorization headers, but we do not know exactly what is being expected. We assume that we have to build headers with the help of the GSS Framework, but we are not sure about this. The documentation does not help us enough. Could you please give us sample code for handling of beginAuthorization(...) that can be used in the SSO extension? Thank you in advance for help. Best Regards, Alexander Smoljar
Post not yet marked as solved
1 Replies
297 Views
Hi, In a managed environment, will apps/enterprise SSO extensions have access to digital identities installed at a system-wide level? I did try with ASWebAuthentication/Safari, both of them can pick the certificate but the SSO extension with URLSession cannot. Is there a challenge that needs to be handled? I did try with redirect extension. Also, a native app that is only deployed in the managed environment can have access to the digital identity that is installed at the system level? What are my options to do a certificate authentication? Thanks
Post not yet marked as solved
0 Replies
174 Views
Hi all, we have recently had an issue with using a single sign on login concept in a submission which was flagged under Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage and we are wondering what the development best practices were in this circumstance. The reason being was because if the user did not already have an account, we provided a button which then loaded the 3rd party's registration form in a web frame. However the system we are using requires the user's address and phone number for various reasons, although our app does not use that data at all - therefore we were told we are breaking the guidelines. Our app is not collecting or storing any of this information (or even has visibility to it), and it is all covered in both our and the third party's privacy policies, however it seems that we are still violating the clause. My question to other developers and Apple support is: how is this dealt with in other apps that use larger SSO systems such as iCloud, Google and Facebook? If you use one of those for login, they require various fields and personal data, which then may not be used within apps themselves, however they seem not to violate the same policy, or at least may not have been flagged to do so.

Our system is in the context of holiday park bookings and this is an outline of the two processes that may happen:

User already has account
- User books holiday on holiday park's booking system (The SSO Controller)
- This process includes the registration process so user will have email and password
- Before, or during the user's holiday they download our app, and use this same username and password to add their booking information to our app

User does not already have an account
- User books holiday in person, or over the phone
- They do not have a web account - but want to still download and use our app
- If they wish to login with their booking they need to then create an account on the booking system (SSO) - which for CRM and payment reasons, requires the user's address and phone numbers
- Our app provides a button to load the registration in a web frame, and once the user is registered can then login to the app

This second circumstance is the issue we are having, and for now we have had to remove this to comply. Only people who originally booked their holiday online are now able to login with their booking. There are potentially other avenues we can explore with the booking system, but before we roadmap more development time for these, I was hoping the community, or Apple themselves, could point us towards best practices, or documentation for this, and how others have dealt with it.
Post not yet marked as solved
1 Replies
192 Views
We have an app (under development) which needs another app to login. Let's say App 1 is the already installed parent app on the user's device and we are developing App 2, which is dependent on App 1 for SSO login using OAuth. So my question is: if we submit App 2 for approval, how will the review team test it? Will it be rejected? What is the standard procedure in such cases? Can we share the credentials of App 1 and have the review team install App 1 and try?
Post not yet marked as solved
0 Replies
44 Views
I am looking for ways to turn off the dialog popup when using ASAuthenticationSession. I also set prefersEphemeralWebBrowserSession = true to not display the confirm dialog, but it also turns off shared cookies between apps. So does Apple support any way to still share cookies and not show any confirm dialog? Thank you very much.
Post not yet marked as solved
0 Replies
96 Views
I have a problem: we have some clients, and each client has a different Apple Development Id. But we want to share data between apps, like Keychain Sharing or App Group, but it requires the same Apple Development Id. So are there any other ways for apps to share data with different Apple Ids?
Post not yet marked as solved
0 Replies
93 Views
I have an app with bundleId in Xcode as "com.companyname.abc.123". When using ASAuthorizationProviderExtensionAuthorizationRequest with the Enterprise SSO plugin feature, the callerBundleIdentifier shows a different value (com.companyname.abc without 123 at the end), which failed our validation. Do we know where the callerBundleIdentifier comes from? I noticed something called audittoken as well from console logs, but no idea how it is generated.