On demand rule to connect for all domains and using broker app for auth

In https://developer.apple.com/forums/thread/128705?answerId=405119022#405119022, it is said that

But if it’s holding up connections that match the on demand rules, that’s the correct behaviour.

So if there was an on demand rule to connect for all domains (a Connect rule without any matching criteria), all traffic would be held up while in the connecting state. The problem is that a customer can have SSO configured so that auth happens outside of the VPN app. So the sequence would be

  1. The connect-for-all-domains on demand rule triggers the VPN connection.
  2. The VPN, in order to connect, tries auth through a broker app.
  3. The VPN is in the connecting state and blocks the broker app's traffic, so auth cannot complete and it cannot connect.

I tried adding an on demand rule for EvaluateConnection and never connect for the auth domains. However, that caused the VPN to never be triggered to connect.

Is it possible to support the scenario of an on demand rule to connect for all domains while having a VPN connection dependent on auth done in a separate app? Do you have any recommendations?
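The two on demand configurations the question describes, written out against the NetworkExtension API as an added illustration (this is not code from the original post; the broker domains, the rule ordering and the already-loaded `NETunnelProviderManager` are assumptions):

```swift
import NetworkExtension

// Added illustration, not code from the thread. The SSO broker's domains are
// an assumed placeholder; a real deployment would take them from configuration.
let authDomains = ["login.example.com"]

/// "Connect for all domains": a single Connect rule with no matching
/// criteria, so it matches every network and the tunnel is started for
/// any traffic. While the tunnel sits in the connecting state, traffic
/// that matches this rule, the broker app's auth traffic included, is held.
func connectForAllDomainsRules() -> [NEOnDemandRule] {
    return [NEOnDemandRuleConnect()]
}

/// The variant the question reports trying: an EvaluateConnection rule
/// whose connection rules say "never connect" for the auth domains. It is
/// placed ahead of the Connect rule here (ordering assumed). On demand rules
/// are matched in order and a rule without criteria matches every network,
/// so this EvaluateConnection rule is always the one selected and the Connect
/// rule after it is never consulted. The question reports that with this
/// configuration the VPN was never triggered.
func evaluateConnectionRules() -> [NEOnDemandRule] {
    let evaluate = NEOnDemandRuleEvaluateConnection()
    evaluate.connectionRules = [
        NEEvaluateConnectionRule(matchDomains: authDomains, andAction: .neverConnect),
    ]
    return [evaluate, NEOnDemandRuleConnect()]
}

/// Installs one of the rule sets on the packet tunnel's manager and enables
/// on demand. `manager` is assumed to have been obtained from
/// `NETunnelProviderManager.loadAllFromPreferences` beforehand.
func installOnDemand(_ rules: [NEOnDemandRule],
                     on manager: NETunnelProviderManager,
                     completion: @escaping (Error?) -> Void) {
    manager.onDemandRules = rules
    manager.isOnDemandEnabled = true
    manager.saveToPreferences(completionHandler: completion)
}
```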

Answered by DTS Engineer in 821851022

Oh wow, I’m surprised you got this far. Conceptually, packet tunnel providers are non-UI code that live deep in the networking stack, while Authentication Services is intended to be used by apps.

Which isn’t to say that your overall goal is wrong, just that I’m surprised that it works at all.

Regarding that overall goal, I don’t see a way to make this setup work. It’s kinda like you need a ‘but not matching’ list to the connect rule (or the evaluation connection rule), and nothing like that currently exists.

My only suggestion is that you file a bug [1] about this. File it against Network Extension, but make it clear that it’d be fine if the solution was part of the SSO space [2].

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Or is it an enhancement request? Well, I think this is one of the cases where that doesn’t matter.

[2] For example, a way for a site admin to configure SSO to opt out of VPN On Demand.

Is the VPN in question an NE provider that you created? Or are you seeing this with a built-in VPN, like IKEv2? Or an NE provider from another developer?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The VPN is an NE provider that we created. (It uses PacketTunnelProvider.)

Thanks for confirming that.

So how does your packet tunnel provider trigger the SSO auth? Are you issuing HTTP requests with URLSession?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So you’re calling Authentication Services from within your packet tunnel provider process?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, Authentication Services is being called from the packet tunnel provider process (however, indirectly, via the MSAL SDK).


The packet tunnel provider is only using Authentication Services without UI. If user interaction is required, then the auth from the packet tunnel provider is expected to fail.

Filed FB16381436.
