SSO Extensions

Enable single sign-on for apps and websites for your business or school.

Posts under SSO Extensions tag

56 Posts

SSO Extension access to Profile SCEP certificate
How does an SSO Extension access a SCEP certificate from its associated profile so that it can make a client SSL connection? We are creating a Credential SSO extension where the extension must make a client-auth SSL connection using a SCEP certificate to establish the identity of the user. The SCEP certificate is created as part of the MDM-provisioned profile that also includes the SSO extension configuration. The "certificateUUID" value in the extension data has the UUID of the SCEP payload. We have tried using SecItemCopyMatching to get the certificate from the keychain but it returns a "not found" error code.

    let query: [String: Any] = [kSecClass as String: kSecClassCertificate,
                                kSecMatchSubjectContains as String: "user1",
                                kSecMatchLimit as String: kSecMatchLimitOne,
                                kSecReturnAttributes as String: true,
                                kSecReturnData as String: true]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)

We also tried using a URLSession object without providing the client certificate, thinking that URLSession would get the certificate from the keychain on its own, but that didn't work. After installing the profile, we accessed the server successfully from Safari, so Safari is picking up the certificate from the keychain. The Kerberos SSO Extension is able to do a PKINIT certificate authentication using a SCEP certificate from its profile. So it seems as though any SSO extension should be able to do this. Or does the Kerberos SSO extension have some special permission that other SSO extensions do not have?
Replies: 0 | Boosts: 1 | Views: 772 | Activity: Aug ’22

Can ASWebAuthenticationSession and Safari share cookies?
Hello, I'm implementing some SSO features and have a question: can ASWebAuthenticationSession and Safari share cookies? In my demo, they cannot share cookies, and I'm looking for some way to do it. Thank you very much.
Replies: 0 | Boosts: 0 | Views: 764 | Activity: Jul ’22

callerBundleIdentifier in ASAuthorizationProviderExtensionAuthorizationRequest is different from actual App bundleId
I have an app with the bundleId in Xcode set to "com.companyname.abc.123". When using ASAuthorizationProviderExtensionAuthorizationRequest with the Enterprise SSO plug-in feature, the callerBundleIdentifier shows a different value (com.companyname.abc, without 123 at the end), which failed our validation. Do we know where the callerBundleIdentifier comes from? I noticed something called audittoken as well in the console logs, but have no idea how it is generated.
Replies: 1 | Boosts: 0 | Views: 1.1k | Activity: Jul ’22

Is there any way to share data between apps that don't have the same Development ID?
I have a problem: we have some clients, and each client has a different Apple Development ID. We want to share data between apps, using something like Keychain Sharing or App Groups, but that requires the same Apple Development ID. So is there any other way for apps with different Apple IDs to share data?
Replies: 0 | Boosts: 0 | Views: 958 | Activity: Jul ’22

Is there any way to turn off the confirmation dialog when using ASAuthenticationSession and still share cookies between apps?
I am looking for ways to turn off the dialog popup when using ASAuthenticationSession. I also set prefersEphemeralWebBrowserSession = true so that the confirmation dialog is not displayed, but that also turns off shared cookies between apps. So does Apple support any way to still share cookies without showing any confirmation dialog? Thank you very much.
Replies: 0 | Boosts: 0 | Views: 701 | Activity: Jul ’22

How to prepare app for submission which is dependent on another app (same organisation) for SSO login
We have an app (under development) which needs another app to log in. Let's say App 1 is the parent app, already installed on the user's device, and we are developing App 2, which is dependent on App 1 for SSO login using OAuth. So my question is: if we submit App 2 for approval, how will the review team test it? Will it be rejected? What is the standard procedure in such cases? Can we share the credentials of App 1 so that the review team can install App 1 and try?
Replies: 1 | Boosts: 0 | Views: 1.5k | Activity: Apr ’22

Certificate Authentication using Enterprise SSO
Hi, in a managed environment, will apps/enterprise SSO extensions have access to digital identities installed at a system-wide level? I did try with ASWebAuthentication/Safari; both of them can pick up the certificate, but the SSO extension with URLSession cannot. Is there a challenge that needs to be handled? I did try with a redirect extension. Also, can a native app that is only deployed in the managed environment have access to the digital identity that is installed at the system level? What are my options to do certificate authentication? Thanks
Replies: 1 | Boosts: 0 | Views: 1.3k | Activity: Mar ’22

Enterprise SSO Extension for iOS
Hi, I've built an SSO extension for my app. Now I would like to update the authsrv:login.myhost.com with additional associated domains generated by the MDM. The video here, at the 9:10 mark, references the MDM associated domain ApplicationAttributes for iOS as the way to go: https://developer.apple.com/videos/play/tech-talks/301/ Is it just a matter of including com.apple.developer.associated-domains.mdm-managed=YES in the entitlement file for both the app and the extension, and having the MDM push down something like this in the profile?

    <dict>
        <key>AssociatedDomains</key>
        <array>
            <string>authsrv:login.myhost2.com</string>
        </array>
    </dict>

Appreciate any guidance.
Replies: 0 | Boosts: 0 | Views: 1.2k | Activity: Feb ’22

UserDefaults and SSO Extensions
Hi, I have a question around extensions and app group capabilities. I have an existing app using UserDefaults, and I want to introduce an SSO extension; the extension doesn't use or need any of the data created by the app and saved to UserDefaults. Will the app still have access to the UserDefaults, or do I have to move to UserDefaults(suiteName: "group.com.YourCompany.YourApp") even if UserDefaults is only used by the app? Many thanks
Replies: 2 | Boosts: 0 | Views: 1.2k | Activity: Feb ’22

Can not delete App using extensible SSO
Hi, our application uses the "Extensible SSO extension", due to which the end user is not able to delete the app. The only workaround is to kill the process below, /System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSOAgent, and then delete the app. Did anyone face the same issue? Is this a known issue? Any recommendations from Apple?
Replies: 0 | Boosts: 0 | Views: 1.2k | Activity: Feb ’22

Hybrid iOS app is not showing up auth-Prompt screen for New Kerberos SSO - credential based auth challenge.
We have a hybrid iOS application built on a Cordova plugin, and it worked with Old Kerberos SSO credential-based authentication. Recently, we updated to the New Kerberos-based SSO by following the presentation (https://developer.apple.com/videos/play/tech-talks/301/). After that, the hybrid app is not prompting for the HTTP response challenge, but it should support the New Kerberos SSO credential-based authentication. We could see that the response header has the attribute below for the SSO handshake challenge:

    Www-Authenticate: Negotiate, Basic realm="IBM Security Access Manager for Web"

But the auth prompt screen is not appearing, and the connection fails with a 401-unauthenticated response. Note: We can see the prompt below for Old Kerb SSO, but it's not showing up after New Kerberos SSO. System specification: Xcode – 13, Cordova 6.2.0, iPad – 15.0. Please let us know if any solution would solve this. Thanks
Replies: 1 | Boosts: 0 | Views: 726 | Activity: Jan ’22

SSO login using WKWebView with a Normal URL without callback feature
I need to perform SSO login using WKWebView, and I am not using SFSafariViewController because the URL which I use is a normal web URL and I need to stop loading the next page as soon as I get an ID value in the URL as a query parameter. Now, when I use WKWebView, I am unable to log out the previous session saved in WKWebView itself until I manually clear its cache. Is there any way I can sync Safari and WKWebView sessions, so that if I log in in WKWebView I can log out the same session from Safari? I have tried using ASWebAuthenticationSession, but as I said, I need to stop the next page reload. HELP!!!
Replies: 0 | Boosts: 0 | Views: 1.1k | Activity: Dec ’21

Using NSRunningApplication API to query SSO extension activity state
Hi, I am trying to handle an event: when one app invoking the SSO extension showing the auth UI prompt is killed or force quit, perform a certain operation in another app. I tried the steps below:
1. Use NSRunningApplication to identify the process ID of the SSO extension that shows the UI and store it in NSUserDefaults.
2. In the second app, check if the runningApp instance with the pid stored in NSUserDefaults isTerminated.
During testing it seems to be working, but I would like to confirm: is this a reliable/acceptable approach, that is, an app extension of the Single Sign On type trying to use the NSRunningApplication API to query another extension's activity state in a sandboxed process? Is there another, better way of handling this scenario? Thanks in advance
Replies: 0 | Boosts: 0 | Views: 438 | Activity: Jul ’21

Does WKWebView, SafariViewController or SSO extension support FIDO 2 ?
Hi. We are using a native client for some federated services where we would like to use FIDO2. In iOS 14, WKWebView does not work for FIDO2, but FIDO2 works with the native Safari browser. Does WKWebView, SafariViewController or the SSO extension (in iOS 14) support FIDO2?
Replies: 0 | Boosts: 0 | Views: 974 | Activity: Jul ’21

macOS server mdm capabilities, development/test & extensible enterprise single sign on
Hello, we are developing/testing extensible enterprise single sign-on (https://developer.apple.com/videos/play/tech-talks/301/). For development/test purposes, is it enough to set up a macOS Server (https://support.apple.com/macos/server, https://apps.apple.com/us/app/macos-server/id883878097?mt=12) and its MDM features? Will I be able to use the payload com.apple.sso (https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf)? Will I be able to "setup/enrol" any iPhone with the MDM? Do I need a Developer Enterprise Program, or is a Developer Program enough? Do I need to apply to Apple Business? Regards,
Replies: 0 | Boosts: 0 | Views: 924 | Activity: Jul ’21