How does an SSO Extension access a SCEP certificate from its associated profile so that it can make a client SSL connection?
We are creating a Credential SSO extension where the extension must make a client-auth SSL connection using a SCEP certificate to establish the identity of the user. The SCEP certificate is created as part of the MDM-provisioned profile that also includes the SSO extension configuration. The "certificateUUID" value in the extension data has the UUID of the SCEP payload.
We have tried using SecItemCopyMatching to get the certificate from the keychain, but it returns a "not found" error code.
import Security

// Query the keychain for a single certificate whose subject contains "user1",
// returning both its attributes and its DER data.
let query: [String: Any] = [kSecClass as String: kSecClassCertificate,
                            kSecMatchSubjectContains as String: "user1",
                            kSecMatchLimit as String: kSecMatchLimitOne,
                            kSecReturnAttributes as String: true,
                            kSecReturnData as String: true]
var item: CFTypeRef?
// Returns errSecItemNotFound (-25300) when nothing in the searchable keychains matches.
let status = SecItemCopyMatching(query as CFDictionary, &item)
We also tried using a URLSession object without providing the client certificate, thinking that URLSession would get the certificate from the keychain on its own, but that didn't work.
After installing the profile, we accessed the server successfully from Safari, so Safari is picking up the certificate from the keychain.
The Kerberos SSO Extension is able to do a PKINIT certificate authentication using a SCEP certificate from its profile. So it seems as though any SSO extension should be able to do this. Or does the Kerberos SSO extension have some special permission that other SSO extensions do not have?
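An added example, not code from the post above, showing the two pieces a client-auth TLS connection from an extension needs: a keychain lookup for an identity (certificate plus private key, via kSecClassIdentity) rather than a bare certificate, and a URLSession delegate that answers the server's client-certificate challenge with that identity. It assumes the identity is reachable by the extension's keychain search (the access question the post raises is not resolved here) and uses a placeholder subject string and URL.

```swift
import Foundation
import Security

// Look up an identity (certificate + private key) whose subject contains the given text.
// A TLS client-auth handshake must sign with the private key, so querying
// kSecClassCertificate alone is not enough even when the certificate is found.
func findClientIdentity(subjectContains subject: String) -> SecIdentity? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecMatchSubjectContains as String: subject,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnRef as String: true
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        // errSecItemNotFound (-25300) means no identity matched in the keychains
        // this process is allowed to search; log the code so the failure is visible.
        print("SecItemCopyMatching failed with status \(status)")
        return nil
    }
    // Verify the returned object really is a SecIdentity before casting.
    guard CFGetTypeID(found) == SecIdentityGetTypeID() else { return nil }
    return (found as! SecIdentity)
}

// Session delegate that presents the identity only for client-certificate challenges
// and leaves server-trust evaluation to the system defaults.
final class ClientCertSessionDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity

    init(identity: SecIdentity) {
        self.identity = identity
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Intermediate certificates could be passed in `certificates:` if the server needs the chain.
        let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

// Perform one request using the identity; the server decides whether the presented
// certificate establishes the user's identity.
func connect(to url: URL, identity: SecIdentity) {
    let delegate = ClientCertSessionDelegate(identity: identity)
    let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
    let task = session.dataTask(with: url) { _, response, error in
        if let error = error {
            print("request failed: \(error)")
            return
        }
        if let http = response as? HTTPURLResponse {
            print("HTTP status \(http.statusCode)")
        }
    }
    task.resume()
}

// Placeholder subject and URL (assumptions, not values from the post).
if let identity = findClientIdentity(subjectContains: "user1"),
   let url = URL(string: "https://sso.example.invalid/authenticate") {
    connect(to: url, identity: identity)
}
```

If findClientIdentity returns nil with errSecItemNotFound while the same subject string matched in Safari, the private key or identity is not visible to the process doing the search, which is a different condition from the certificate being absent; logging the status code separately for the certificate query and the identity query narrows down which part is missing.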