Persistent Tokens for Keychain Unlock in Platform SSO

While working with Platform SSO on macOS, I’m trying to better understand how the system handles cases where a user’s local account password becomes unsynchronized with their Identity Provider (IdP) password—for example, when the device is offline during a password change.

My assumption is that macOS may store some form of persistent token during the Platform SSO user registration process (such as a certificate or similar credential), and that this token could allow the system to unlock the user’s login keychain even if the local password no longer matches the IdP password.

I’m hoping to get clarification on the following:

Does macOS actually use a persistent token to unlock the login keychain when the local account password is out of sync with the IdP password? If so, how is that mechanism designed to work?

If such a capability exists, is it something developers can leverage to enable a true passwordless authentication experience at the login window and lock screen (i.e., avoiding the need for a local password fallback)?

I’m trying to confirm what macOS officially supports so I can understand whether passwordless login is achievable using the persistent-token approach.

Thanks in advance for any clarification.

Answered by DTS Engineer in 876428022

I asked about this internally and the answer is that the machinery used by Platform SSO isn’t something available to third-party developers (other than via Platform SSO itself, of course).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks again for the clarification.

With Platform SSO enabled, is it possible to support a fully passwordless experience at the macOS login window and lock screen, without requiring a local account password fallback?

I can’t see how you’d make that work given that no third-party code can run at the FileVault unlock screen.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Maybe not on the FileVault unlock screen, but is it possible on the macOS login window?

If FDE auto-login is disabled, the user lands on the standard login window after authenticating with FileVault. I can use an authorization plugin on that login window, but is there a way to leverage a persistent token or any other mechanism to enable passwordless authentication at this stage?

is it possible on the macOS login window?

That depends on what you mean by “it”:

  • If you’re asking whether it’s possible to reuse infrastructure used by Platform SSO then the answer is “No.”
  • If you’re asking whether it’s possible to create an authorisation plug-in that presents a completely passwordless experience, the answer is more nuanced. You can certainly make a lot of progress, but I don’t think there’s a complete solution. Sticking points involve FileVault, as I’ve mentioned above, and unlocking the keychain. This is especially problematic when it comes to the data protection keychain.

Honestly, I don’t see a good path forward for this. The authorisation plug-in mechanism has significant issues, and I’m doubtful they’ll be addressed because of limitations in that architecture. Specifically, FileVault support is pretty critical and it’s hard to see how that can happen within the current design.

The only option I see is to file an enhancement request that carefully outlines your requirements and why our current setup won’t work for you.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
