25

I have a question about one of new features in iOS 7 - Single Sign On.

Are there any detailed info about it? Has somebody already tried it for implementation? I searched a lot of articles and docs - but did not find any useful. I also did not find any detailed info on Apple and Developers Apple resources. There are no visual setting for SSO in iOS 7 GM version (I am not sure if it should be there).

So my question is - have somebody already investigated it and may be somebody can share some links and useful info? Are there any technical descriptions of this feature and is it existed some how in iOS 7 GM?

Thanks in advance.

David V
  • 11,531
  • 5
  • 42
  • 66
Anton Holub
  • 468
  • 1
  • 5
  • 9
  • 2
    No. SSO is a new native feature in iOS 7. http://www.apple.com/ios/business/ - is a link to new iOS 7 features, and you can find next there: Enterprise single sign on. Authenticating into corporate apps is now as simple as doing it once. Enterprise single sign on (SSO) means user credentials can be used across apps, including apps from the App Store. Each new app configured with SSO verifies user permissions for enterprise resources, and logs users in without requiring them to reenter passwords. It is something like single sign in for several apps. Are there any detailed info for it? – Anton Holub Sep 15 '13 at 16:22
  • Did you find something about this? I am trying to get something. And Apple's marketing paragraph is not helpful. – Steven Oct 10 '13 at 13:09
  • Steven, unfortunately no... If I find anything I will comment here... Hoping you will do the same ;) – Anton Holub Oct 10 '13 at 14:23
  • Don't know if this is the answer or not, but I managed to find this: https://devforums.apple.com/message/858711 – Steven Oct 10 '13 at 17:46
  • @Steven, your link is dead. – Heath Borders Mar 07 '14 at 19:53
  • 1
    @HeathBorders No, its not. You will need to have a Apple Developer Account to view the content. I just checked and I can see it. – Steven Mar 10 '14 at 12:27
  • @Steven, after login, your link is still dead. really. – holex Aug 06 '14 at 11:30
  • @holex I don't know what to say. I checked the link and I can still see the article. Not sure if this helps, but I am enrolled in the iOS Developer program and my account is part of my company's account which have enterprise settings. Either way, there is already an answer available on this thread. Maybe follow that. – Steven Aug 13 '14 at 12:41
  • @Steven, it can be available only for Enterprise partners... – holex Aug 13 '14 at 14:12

3 Answers3

14

I would recommend watching WWDC 2013 Session 301 "Extending Your Apps for Enterprise and Education Use"

Also, for an overview of an implementation of this functionality this site helps.

Lastly, here is Apple's documentation (available to developers). Look for the heading: Single Sign-On Account Payload.

Configuring SSO on a device will require Apple Configurator to install the profile or an MDM solution for OTA delivery of the SSO profile.

Emil
  • 7,220
  • 17
  • 76
  • 135
james_fuller
  • 454
  • 4
  • 4
  • Here's another good link for setting this up for safari: http://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-7/ – Aardvark Aug 09 '14 at 11:23
10

To make SSO (Kerberos) working on iOS7 you need 3 things:

  1. On the server side: Kerberos environment + HTTP SPNego/Kerberos authentication configured. SSO in iOS works only for HTTP(S).

  2. Configuration profile containing:

    • [Obligatory] Your Kerberos realm.
    • [Obligatory] Your Kerberos principal (usually username), this can be left empty - in that case user will be asked to specify it during the profile installation.
    • [Obligatory] List of URL prefixes of the pages allowed to use SSO. Wildcards cannot be used here, if the prefix doesn't end with slash character, it will be automatically appended to it.
    • [Optional] List of bundle IDs allowed to use SSO, if empty all applications are allowed. Wildcards in bundle IDs can be used.

  3. Application that supports it, Safari and WebKit (UIWebView class) do. As described in WWDC 2013 Session Videos number 301, you have to use either NSURLConnection or NSURLSession class. This is a simplified example of the HTTP traffic when authenticating using the SPNego scheme:

Client: GET https://login.example.com/adfs/ls/auth/integrated/?data1=aa&data2=...

Server: 401 Unathorized

+header WWW-Authentificate: Negotiate

Client: GET https://login.example.com/adfs/ls/auth/integrated/?data1=aa&data2=...

+header Authorization: Negotiate [SPNegotInitToken]

Server: 200 OK

+header Authorization: Negotiate [SpnegoTargToken]

+header set-cookie [SESSIONID]

The dialog with prompt for the Kerberos password (if the Kerberos ticket has not yet been granted/expired) will appear after receiving "WWW-Authentificate". Obj-C classes will handle automatically all the redirects and authentication process, so the only thing you need is to make a request to the login URL and allow this URL in the profile.

Mathias M
  • 483
  • 1
  • 5
  • 14
2

Enterprise Single Sign On lets user sign in once on their device and let all apps on device use it fo authentication.In case of twitter, links below will be useful for you,

https://dev.twitter.com/discussions/8231.

http://eflorenzano.com/blog/2012/04/18/using-twitter-ios5-integration-single-sign-on/

Bhushan
  • 175
  • 1
  • 9
  • 3
    YOu linked to iOS 5 and Twitter. The Author asked for iOS 7, which is natively supported. I am looking for those information as well. – Steven Oct 10 '13 at 13:10