Can we achieve the if Any user login into iOS App Through MSAL in azure and it is authenticate and then if I open a webApp into Device Safari then it should automatically sign in and vice versa if do sso on WebApp then iOS App Login
Yes, we can achieve in SSO and web app using Azure using silent SSO between multiple apps.
This type of SSO works between multiple apps distributed by the same Apple Developer. It provides silent SSO (that is, the user isn't prompted for credentials) by reading refresh tokens written by other apps from the keychain, and exchanging them for access tokens silently.
Microsoft provides apps, called brokers, that enable SSO between applications from different vendors as long as the mobile device is registered with Azure Active Directory (AAD). This type of SSO requires a broker application be installed on the user's device.
SSO between MSAL and Safari
Silent SSO between multiple apps need to ensure the following points.
Ensure that all your applications use the same Client ID or Application ID.
Ensure that all of your applications share the same signing certificate from Apple so that you can share keychains.
Request the same keychain entitlement for each of your applications.
Tell the MSAL SDKs about the shared keychain you want us to use if it's different from the default one.
Here are the details information about SSO for IOS and MAC OS.
Related
Is it possible to SSO into a 3rd party mobile application from Azure AD B2C secured mobile application directly?(app to app)
I know we can do app to web to app using an interim auth web page as bridge but I was wondering if direct communication and SSO possible between apps? Let's say platform is iOS and app1 is secured with Azure AD B2C and app2 is with another IDP and we would like to jump from app1 into app2 without logging in again. If possible which protocol should we choose (oAuth, OpenID, SAML) and which libraries AppAuth, MSAL etc. should we consider using
Hope it is clear if not pls comment and I will extend the question
If you are just trying to open a second app and auto-sign on with some credentials, app2 can define a custom URL scheme. Then app1 can use that scheme to open the app and provide the credentials/token.
More About Apple URL Schemes.
caveat: I have not implemented this myself.
I am new in Azure world but I have to design something which is I have 2 applications who will use azure AD b2c for authentication and Is it possible in azure where I can sign in one application and other applications automatically sign with the same access token (In iOS I can use keychain sharing to share the information among the applications)?
Thanks
Can a cross-app SSO using ADAL be attempted using the Microsoft Intune Company Portal credentials provided when a device was enrolled?
The idea is to publish an app using this portal and fetch some data from the Graph endpoints without having to re-authorize the user as the app was deployed on a MDM managed device...
Thanks in advance.
We're building an iOS native app together with two web apps. For identiy/access management we are using Keycloak (supports OpenID Connect and OAuth 2.0).
The iOS apps are installed on MDM managed devices. Only our apps are installed.
I learnt that the current best practice for implementing authentication/authorization is to use OpenId Connect and a browser based flow through an external user agent:
http://lists.jboss.org/pipermail/keycloak-dev/2016-May/007259.html
https://www.rfc-editor.org/rfc/rfc8252.txt
https://auth0.com/blog/oauth-2-best-practices-for-native-apps/
using one of these libraries:
https://github.com/openid/AppAuth-iOS
https://github.com/aerogear/aerogear-ios-oauth2
Is it also recommended for MDM managed iOS devices (with no "evil" third party apps, just our own stuff) to implement a browser based flow? Or is it safe in this case to implement a native login flow (user enters credentials directly into the app)?
I am worried about the user experience... That switch between our app and the browser does not look very smooth...
There is an RFC about OAuth2 for native apps. It's worth reading - it discusses possible implementations and security risks involved. The general recommended way is to use the authorization code flow in a browser (not an internal application component), because this way the application cannot get the user credentials. People use to trust the browser and the authentication provider more than other apps, so the visibility of URL and the verified SSL certificate is important too.
The RFC covers also the iOS implementation details:
Apps can initiate an authorization request in the browser, without the
user leaving the app, through the "SFSafariViewController" class or
its successor "SFAuthenticationSession", which implement the in- app
browser tab pattern. Safari can be used to handle requests on old
versions of iOS without in-app browser tab functionality.
So if you use the SFAuthenticationSession you don't need to open a new Safari window and the user experience should not suffer.
If you use the Resource Owner Password Credentials grant (users enter their credentials into your application directly), you will make it less secure for the same reasons - the credentials get exposed to the application. And using this grant, you cannot use the third party authentication providers in Keycloak (Google, Facebook).
It's up to you (and your organization) how much secure you want the system to be, so you can opt for some compromises, but I would rather stick to the current best practices, since the app may grow later the compromises may turn to problems.
I am trying to implement enterprise mobile SSO with our Identity Provider (OKTA). My goal is to have a smooth user experience; the user shouldn't leave our custom built app in order to login to the identity provider.
OKTA has a native iOS app that facilitates the process. During the login, it is possible to forward the user to the OKTA Native App, do the authentication and bring the user back to the custom app. The process looks like (image is taken from http://tech.blog.box.com/2013/03/rethinking-mobile-sso/):
What I am trying to is to avoid the opening of the Native SSO App (the first 2 steps). OKTA provides a REST API that allows the user to authenticate and create sessions programmatically (and more http://developer.okta.com/docs/getting_started/design_principles.html).
The question is: After creating a session with the native SSO App (OKTA) via its REST API and getting the auth token, can I authenticate directly with the Service Provider from my custom native iOS app?
Okta provides a method for native app sso on iOS that allows the user start in your app, and have an SSO experience. In this case the Okta Mobile App serves as the identity provider. So long as the user has a session within Okta Mobile, they can access your custom native app without entering their credentials. If the user's session in Okta Mobile has ended, they can re-authenticate with their PIN.
More details on the standards-based framework (SAML + iOS) are available here:
http://developer.okta.com/docs/getting_started/saml_guidance.html#saml-for-mobile-native-apps
https://github.com/okta/okta-mobile-sdk