I'm trying to create an "Extensible Enterprise SSO" extension as described in the Introducing Extensible Enterprise SSO tech talk. My SSO extension works fine, but I want to be able to access the camera (via AVFoundation) from within the SSO extension. According to this thread (which I can't seem to be able to reply to) - it should be possible to access the camera from within an SSO extension, however this doesn't work for me. When I try to access the camera, I get the permission dialog, but after accepting, the camera preview is empty and no camera frames are produced. I don't get any errors/warnings in the logs, but it immediately fires AVCaptureSession.wasInterruptedNotification notification with AVCaptureSessionInterruptionReasonKey = 1 which corresponds to videoDeviceNotAvailableInBackground. However, the SSO extension view controller is clearly not in the background, so is this a bug - or are there special rules for requesting camera permission in an SSO extension? The same camera access works fine in the host app, just not inside the extension. Interestingly, accessing the camera in a WKWebView using various webcam test pages, doesn't work either. All of these tests have been on iPadOS 18.

Hi all. So, I built the platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process. Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari. I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method. But, no matter what complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]) where I insert the Bearer token into the Authorization header, it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari. Some knows why its happening? Thank you for any help or suggestion.

Hi, I'm currently in the middle of debugging between my macOS and server for implementing Platform SSO. As part of the debug process, I sometimes want to restart the whole process, which means to get into the beginDeviceRegisteration method again. I noticed that even if I push the Repair button in the user (under settings) it will go again and again into the beginUserRegistration, but it will not go again to the device registration. Is there an option to reset the Platform SSO device registration? (already tried Repair, remove MDM profile of the PSSO etc.)

Hey guys, I have recently started with developing an extension to support PSSO, I am at a very initial stage and trying out device registration. I am trying to fetch the registration token in my MDM profile but when running in debug mode I don't see the token , and also when I see the console log I see errors like error 14:44:00.465847+0530 AppSSODaemon Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration data to load" UserInfo={NSLocalizedDescription=no device configuration data to load} error 14:44:00.466434+0530 AppSSOAgent Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration" UserInfo={NSLocalizedDescription=no device configuration}, user default 14:44:00.466145+0530 AppSSODaemon -[PODaemonProcess deviceConfigurationForIdentifer:completion:] identifer = 96DBA2E4-6DB8-4937-85A8-69F7632B8717 on <private> error 14:44:00.466773+0530 SSO extension Error Domain=com.apple.PlatformSSO Code=-1001 "failed to retrieve SecKeyProxyEndpoint for key" UserInfo={NSLocalizedDescription=failed to retrieve SecKeyProxyEndpoint for key, NSUnderlyingError=0x14b608820 {Error Domain=com.apple.PlatformSSO Code=-1001 "Failed to receive key proxy endpoint." UserInfo={NSLocalizedDescription=Failed to receive key proxy endpoint.}}} I think due to some reason the PSSO process is not able to get the token from my configuration. And this is how my configuration profile looks like <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>ExtensionIdentifier</key> <string>com.test.PSSO.SSO-extension</string> <key>PayloadDisplayName</key> <string>ingle Sign-On Extensions</string> <key>PayloadIdentifier</key> <string>com.apple.extensiblesso.96DBA2E4-6DB8-4937-85A8-69F7632B8717</string> <key>PayloadType</key> <string>com.apple.extensiblesso</string> <key>PayloadUUID</key> <string>CDC67F3E-0687-4796-95B0-A61EF6F3F9A7</string> <key>PayloadVersion</key> <integer>1</integer> <key>TeamIdentifier</key> <string>my_team_identifier</string> <key>Type</key> <string>Redirect</string> <key>RegistrationToken</key> <string>dummy_token_123</string> <key>PlatformSSO</key> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>EnableAuthorization</key> <true/> <key>EnableCreateUserAtLogin</key> <true/> <key>NewUserAuthorizationMode</key> <string>Standard</string> <key>UseSharedDeviceKeys</key> <true/> <key>UserAuthorizationMode</key> <string>Standard</string> </dict> <key>URLs</key> <array> <string>my_url</string> </array> </dict> </array> <key>PayloadDisplayName</key> <string>SSOE</string> <key>PayloadIdentifier</key> <string>com.test.psso.configuration</string> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>0DC6670F-F853-49CB-91B3-1C5ECB5D3F46</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

I am successfully generating apple_sso_session_url by using apple clientId, which is opening apple login window and asking for email and password and after that it is calling my redirectSuccessUrl and passing code to redirectSuccessUrl. I am successfully using that code and other params of apple like keyId, key(p8 file path) and team id by using those params I am able to successfully generate apple client secret export const generateClientSecret = (): string => { const privateKey = fs.readFileSync(process.env.APPLE_PRIVATE_KEY_PATH as string, 'utf8'); const claims = { iss: process.env.APPLE_TEAM_ID, iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 15777000, // 6 months aud: 'appstoreconnect-v1', sub: process.env.APPLE_CLIENT_ID, }; return jwt.sign(claims, privateKey, { algorithm: 'ES256', keyid: process.env.APPLE_KEY_ID, }); }; after that using same clientId, redirectUrl and apple_client_secret when i am calling apple api for getting token we are getting error invalid_client. const clientSecret = generateClientSecret(); const response = await axios.post('https://appleid.apple.com/auth/token', null, { params: { client_id: process.env.APPLE_CLIENT_ID, client_secret: clientSecret, code: body.code, grant_type: 'authorization_code', redirect_uri: process.env.APPLE_SSO_REDIRECT_URL, }, headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, });

Hi, im trying to make a Platform single sign-on app for my Idp, and I have tried online to try and find some code/ a demo app for this I cannot find anything for the Mac OS Side, there is someone who's created the server, but no info for that on what the Mac extension should do. I have tired implementing the 2 function to required, but to no luck. After reading what I think is all of the document I'm still really confused as to how this is all supposed to work. I have got to the stage where it create the popup that says you need to authenticated with your idp but cannot work out the bugs for the rest of it. manly im getting an issue in the console that says no login config for (username) and im not sure what im doing wrong.

In our implementation of Platform SSO, we would like to show custom UI in both the beginDeviceRegistration call as well as the beginUserRegistration call. It works fine in the beginDeviceRegistration call when we use presentRegistrationViewController. When we try to apply the same logic in beginUserRegistration, the ViewController's view.window object is nil and thus using it to house our custom UI doesn't work. I'm not sure if this is an implementation flaw on our part or if presentRegistrationViewController is only intended to be used in beginDeviceRegistration. The call is only mentioned in the context of registering devices, which makes us wonder if it is limited to that. Any help would be appreciated!

Hi all. I'm trying to implement a Platform SSO extension for macOS and I'm freaking out. It's so complicated and with almost zero guidance documentation. I established a starting point in my SSO extension and I get the registration request to my beginDeviceRegistrationUsingLoginManager (I managed all the AASA file, MDM stuff). In this method I'm creating a ASAuthorizationProviderExtensionLoginConfiguration and I try to save it into the loginManager (ASAuthorizationProviderExtensionLoginManager which I get from the method) using saveLoginConfiguration. It worked fine, and without changing anything I started getting the next error: failed to save loginConfiguration: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" UserInfo={NSUnderlyingError=0x7ff77ff63b30 {Error Domain=com.apple.PlatformSSO Code=-1008 "Token endpoint URL is not approved profile URL." UserInfo={NSLocalizedDescription=Token endpoint URL is not approved profile URL.}}} This is my configuration: ASAuthorizationProviderExtensionLoginConfiguration *loginConfiguration = [[ASAuthorizationProviderExtensionLoginConfiguration alloc] initWithClientID:@"xxx" issuer:@"https://auth.platformsso.ping-eng.com/as" tokenEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/token"] jwksEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/jwks"] audience:@"xxx"]; And this is where it breaks: BOOL saveConf = [self.loginManager saveLoginConfiguration:loginConfiguration error:&confError]; Can someone help me with this error please?

Our app is currently employing an SSO extension. Our implementation of beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) seems to be working correctly, as we are able to process the request and complete the SSO. Unfortunately we seem to be running into trouble getting an associated UI to display for our users. Our info.plist file for the extension has the value NSExtensionPrincipalClass:$(PRODUCT_MODULE_NAME).AuthenticationViewController and we have an accompanying storyboard file named AuthenticationViewController.xib where the file's owner is set to our custom view controller. We have added a window and some views to this storyboard file and linked them to our view controller which is also named AuthenticationViewController The window will appear when the extension is activated. However, this window will appear behind the safari window we have open, and we cannot seem to bring it to the front of the other views. Traditional methods do not seem to work since the extension cannot access a sharedApplication object. We have tried other methods, including using NSRunningApplication.runningApplications to locate the extension via bundle identifier and activate it, but activation still does not bring it to the front of all open windows. We also tried using presentAuthorizationViewController(completion: @escaping (Bool, Error?) -> Void) to no avail. We got true for our result in the completion closure, but we couldn't get the UI to display at all in that case. We fear that we may be misguided in our approach, and have not configured our storyboard correctly to achieve the desired result. We have been able to find no example of this for macOS so any help would be greatly appreciated!

Hello! We are relaunching our app on an aggressive timeline and we really need these entitlements enabled on the backend. I have the ticket created already and I keep reaching out but I have not heard back yet. Does anyone know how we can expedite this request or someone I could reach out to? Thanks!

Hi, we are using the EXTSINGLESIGNONKERBEROS from Ivanti (MobileIron) MDM server in order to get the Kerberos authentication against our SharePoint and OneDrive system running. This worked perfectly fine with the iOS system while we are retrieving the password popup from the iOS SSO Extension. For all the calls we made against our server the system just used the Kerberos ticket for the connection. Now we faced an issue with the WKWebView. We are opening images in the WKWebView but this happens completely without any connection inside the WKWebView. We loading the data of the image upfront and open the WKWebView with a local path from the iPhone / iPad. Somehow after the WKWebView loaded the content our connection does not use our Kerberos ticket anymore. All our calls fail with 401 (because we are not adding any user information to our request - the system Extension is doing it automatically). Just after a restart of the app the Kerberos ticket is added to our request again. Does anyone know why this happens? I already tried to write the cookies from the NSHttpCookieStorage SharedStorage to the WKWebView cookies but no success. If we use WKWebView but not loading any content Kerberos is still working after closing the page. It only happens once LoadUrl, LoadData, etc processed. Any additional help or idea would be appreciated. Thank you.

In developing OPENID / OAuth type web authentication for native apps, I am looking for confirmation that Apple iOS supports Save Password dialogue on the sign-in that occurs in the browser within the ASWebAuthenticationSession webview. Noting that both ASWebAuthentication Session and SFSafariViewController support isolated browser privacy with regards to the app, it should not (theoretically) necessitate domain trust between the App and the domain of the current AS/SF webview as it once did with wkWebViews. Can anyone confirm that Keychain's Save Password dialogue DOES fire on either/both ASWebAuthenticationSession and SFSafariViewController?

I have implemented Apple SSO using native script and it is working fine on desktop devices also on iPhone safari browser but not working on IOS < 16. Tested on few <16 version it is working fine can anyone guide what could be the issues. Thank you Script used : <script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>

Hi, I created an SSO extension that works fine. The extension triggers for my domain when I need to run an OIDC flow by the "authorize" path of my issuer. I finish the whole OIDC flow inside the extension and get the required parameters (access token, ID token, state, etc.), and build the "Location" header to return to the caller (in my case it triggers from Safari). I also attach the "Set-Cookie" with my cookies. For completion, I call the authorizationRequest?.complete(httpResponse: response, httpBody: nil) with a 302 code response I create which contains the cookies and the Location header. My problem is that the Safari gets the response with the redirect, removes the Extension, and a sec after the extension triggers again with the same "authorize" request. All this happens in a loop without stopping, unless I call authorizationRequest?.doNotHandle(). I checked the "Location" header to a similar one from a regular web flow that works fine (without the extension) and both are the same. Any help or idea will be blessed. Thank you!

Hi. I'm currently using WKWebView to load our application's SSO page through Microsoft and I'm need to access the device identity certificates for the NSURLAuthenticationMethodClientCertificate in order to bypass MFA via device trust. I've read it would be easier with SFSafariViewController, but that's not an option for me, as I need to set custom cookies prior to loading the page, a thing which I understand is not possible with SF. Is there any way to access these certificates through WKWebView? Or is there anything else I can use that would let me both set custom cookies and access device identity certificates?

Hi guys, I need help, we are trying to enable SSO with okta but we can't find any documentation related to how enable SSO with Okta from App store site, we got the link from Okta site but we can;t find the way how to give access to them to enable SSO

I am working on Integrating Single Sign-On with Enterprise Authentication. I need to provide service provider's metadata url. Can anyone please guide me on how to get that?

Hello, we are trying to implement the Kerberos SSO extension for iOS App. Corresponding MDM Profile is registered in Blackberry UEM und pushed to iPad. Wenn we navigate to certain URL (for example with Safari),   public func beginAuthorization(with request: ASAuthorizationProviderExtensionAuthorizationRequest) method in our extension is being invoked. As far as we understand, we have to fill the appropriate authorization headers, but we do not know exactly what is being expected. We assume that we have to build headers with the help of GSS Framework, but we are not sure about this The documentation does not help us enough. Could you please give us a sample code for handling of beginAuthorization(...) that can be used in the SSO extension. Thank you in advance for help. Best Regards, Alexander Smoljar

Dear All! We are facing issue with Apple SSO login for two months now. Our application was already reviewed and got the green light we just released additional versions later with some new feature requests. But since then despite the first green light they reject All our review attempts despite having multiple calls with them. Apple require Apple SSO if you you Google or Facebook login, so basically we are stuck because of them. We implemented Apple SSO Auth in our application and covered every possible use case for registering our user (proxy email, no display name, first registration, re-registration, every permutation) The reviewer does not clear its apple ID after the first initial registration and of course our application because of Apple ID changes we won't receive anything from the given user (nor Display Name, or Proxy/real email) only on the first time they use Apple ID. So if this is the second time they attempt to registrate to our application if they are not explicitly sharing their data with apps they will get an error thus they reject our solution. In reality this usecase shall never ever occur with real users because on their first initial registration with apple ID we would receive their data, and if they delete the app they don't want to use it would not occur any reregistration with the same apple ID anyways. Our app because of the business case need the email address from the user to use the provided service without issues. See the image below, we do not receive any identifier from users in this particular case if they not resetting their apple id for an app, thus we can't login them into our systems. We wrote email to them, requested calls, we tried different libraries and changes to please them none of them works...they just reject us evverytime. Their text: (Funny thing also this is a mobile App, no Tablet version should be tested) Guideline 2.1 - Performance - App Completeness We discovered one or more bugs in your app. Specifically, we still got an error while trying to log in using Sign in with Apple. Please review the details below and complete the next steps. This is one of the worst developer experience i had in my 12+ career, so much frustration, burning money, angry client - they can't kickstart their 2 years worth of work all because of policies and guidelines that does not make sense, or reviewers who do not know how to do their job. Pls help.

Hi all, I am trying to add SSO with apple on my website. API configuration seems to be good. I am abble to connect to mty apple account but after that, i am redirected to my redirect_uri which is in error 307 ! Any ideas ? Best regards