SSOe Plug-ins and Libraries (Single Login)

Single Sign-on extension plug-ins

Single Sign-on extension plug-ins are frameworks written and provided by 3rd party developers who wish to connect the Apple SSO Framework with their own authentication framework.

Microsoft Authenticator

Microsoft Authenticator is an application that provides iOS/iPadOS users an ability to authenticate with their Microsoft credentials. When used without an MDM server, Authenticator provides two factor authentication (2FA), password less, or password autofill features.

Used with an MDM server, Microsoft Authenticator can be configured for Shared Device Mode which allows for multi-user workflows. This setting is enabled by deploying a Managed AppConfig payload that sets the SharedDeviceMode key to true.

🚧

Notice

Microsoft Enterprise SSO plug-in for Apple devices is currently in public preview and isn't recommended for production workflows.
Read more

Authentication Libraries for Single Login

Some Identity Providers (IdP) are developing their own authentication libraries in Swift to take advantage of Apple's SSO framework. These libraries are designed to make the authentication process easier and bridge the gap between Apple's SSO framework and the IdP's authentication framework.

Microsoft Authentication Library (GA)

The Microsoft Authentication Library, currently in Preview, is the easiest way to leverage the Microsoft Authenticator SSO plug-in for iOS devices. The MSAL library is provided by Microsoft to provision applications with support for Azure Active Directory and Microsoft Accounts. The library uses OAuth2 and OpenID Connect (OIDC) technologies to provide modern and secure authentication methods.
Read more about MSAL for Swift on Microsoft's website or on GitHub.

Notable Methods

getDeviceInformation - reads current device information, including whether or not SharedDeviceMode is enabled.

acquireToken - prompts for user interaction to perform the authentication. This method should be used when there is no user logged in or if the access token has become invalid or expired.

acquireTokenSilent - used when the app detects that there is a user logged in and the access token is valid. This is the method that allows a user to log in to applications automatically, and is essential for the Single Login workflow.


What’s Next

Review external resources