We are implementing Platform SSO with Secure Enclave–based authentication.
In a standard (post-enrollment) flow, everything behaves as expected:
- Authentication uses urn:ietf:params:oauth:grant-type:jwt-bearer
- The Secure Enclave–backed credential is used correctly
However, when using Automated Device Enrollment (ADE) with Simplified Setup, we observe different behavior:
- After device registration, Platform SSO triggers a login request to our IdP
- That request uses grant_type=password instead of the expected urn:ietf:params:oauth:grant-type:jwt-bearer
This occurs even though:
- The configuration specifies Secure Enclave as the authentication method
- The same configuration works as expected outside ADE
Questions:
- Is this password grant during ADE / Simplified Setup an expected bootstrap flow?
- Is there any official documentation describing this?
This behavior is currently undocumented, and clarification would help ensure correct IdP implementation.
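As an added example (not code from the post above, nor anything published by Apple or the poster's IdP), here is the IdP-side token endpoint logic this question bears on, in Go with only the standard library: a dispatcher that distinguishes the two grant types on the wire, verifies an RFC 7523 jwt-bearer assertion signed with ES256 (P-256, the key type the Secure Enclave produces) against a registered device public key, and refuses a password grant from a client that is configured for Secure Enclave authentication instead of silently accepting it. The refusal policy, the token endpoint URL used as the audience, the claim set, and the software-generated device key are all assumptions of the example; whether the ADE bootstrap legitimately needs a password grant is exactly the open question, and this code does not settle it, it only makes the unexpected grant visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Grant types as they appear on the wire (RFC 6749 section 4.3, RFC 7523)
// and an assumed token endpoint URL, used as the assertion audience.
const (
	GrantPassword  = "password"
	GrantJWTBearer = "urn:ietf:params:oauth:grant-type:jwt-bearer"
	TokenEndpoint  = "https://idp.example/token"
)

// HandleTokenRequest classifies one form-encoded token request body and returns
// the authenticated subject. Assumed policy: a client configured for Secure
// Enclave authentication is accepted only via a jwt-bearer assertion signed by
// its registered device key; a password grant from it is refused explicitly.
func HandleTokenRequest(body string, seRequired bool, devKey *ecdsa.PublicKey, now time.Time) (string, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	switch gt := form.Get("grant_type"); gt {
	case GrantPassword:
		if seRequired {
			return "", errors.New("password grant refused: client requires a Secure Enclave assertion")
		}
		return form.Get("username"), nil // a real IdP verifies the password here
	case GrantJWTBearer:
		return verifyES256Assertion(form.Get("assertion"), devKey, TokenEndpoint, now)
	default:
		return "", errors.New("unsupported_grant_type: " + gt)
	}
}

// verifyES256Assertion checks a compact JWS with alg ES256 (P-256, SHA-256, raw
// r||s signature) and the RFC 7523 claims: iss, sub, aud (single string here), exp.
func verifyES256Assertion(jwt string, key *ecdsa.PublicKey, aud string, now time.Time) (string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed assertion")
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if b, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "ES256" {
		return "", errors.New("header must declare alg ES256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("signature must be 64 raw bytes (r||s)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(key, digest[:], r, s) {
		return "", errors.New("signature does not verify against the registered device key")
	}
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	if b, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &c) != nil {
		return "", errors.New("malformed claims")
	}
	if c.Iss == "" || c.Sub == "" || c.Aud != aud || now.Unix() >= c.Exp {
		return "", errors.New("claims rejected: check iss, sub, aud, exp")
	}
	return c.Sub, nil
}

// NewDeviceKey stands in for the P-256 key a real device keeps in the Secure
// Enclave; it is generated in software so the example runs anywhere.
func NewDeviceKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	return k
}

// SignES256Assertion is the device side of the exchange, used to build test
// assertions against a key from NewDeviceKey.
func SignES256Assertion(priv *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	input := enc(map[string]string{"alg": "ES256", "typ": "JWT"}) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:]) // only fails if rand.Reader does
	sig := make([]byte, 64)                              // JWS wants fixed-width, zero-padded r||s, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}
```

The point of the explicit refusal branch is operational: if the ADE / Simplified Setup bootstrap really does send grant_type=password, an IdP that only knows the jwt-bearer path will either reject it with a generic error or, worse, fall through to a password handler, and neither tells you what happened. Returning a distinct error for "password grant from a Secure Enclave client" gives the IdP log a line that can be correlated with the enrollment timeline while the expected behaviour is still being clarified.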