Single sign-on security
Single sign-on
iOS and iPadOS support authentication to enterprise networks through Single sign-on (SSO). SSO works with Kerberos-based networks to authenticate users to services they are authorized to access. SSO can be used for a range of network activities, from secure Safari sessions to third-party apps. Certificate-based authentication such as PKINIT is also supported.
macOS supports authentication to enterprise networks using Kerberos. Apps can use Kerberos to authenticate users to services they’re authorized to access. Kerberos can also be used for a range of network activities, from secure Safari sessions and network file system authentication to third-party apps. Certificate-based authentication is supported, although app adoption of a developer API is required.
iOS, iPadOS, and macOS SSO use SPNEGO tokens and the HTTP Negotiate protocol to work with Kerberos-based authentication gateways and Windows Integrated Authentication systems that support Kerberos tickets. SSO support is based on the open source Heimdal project.
The following encryption types are supported in iOS, iPadOS, and macOS:
AES-128-CTS-HMAC-SHA1-96
AES-256-CTS-HMAC-SHA1-96
DES3-CBC-SHA1
ARCFOUR-HMAC-MD5
Safari supports SSO, and third-party apps that use standard iOS and iPadOS networking APIs can also be configured to use it. To configure SSO, iOS and iPadOS support a configuration profile payload that allows mobile device management (MDM) solutions to push down the necessary settings. This includes setting the user principal name (that is, the Active Directory user account) and Kerberos realm settings, as well as configuring which apps and Safari web URLs should be allowed to use SSO.
Extensible single sign-on
App developers can provide their own single sign-on implementations using SSO extensions. SSO extensions are invoked when a native or web app needs to use some identity provider for user authentication. Developers can provide two types of extensions: those that redirect to HTTPS and those that use a challenge/response mechanism such as Kerberos. This allows OpenID, OAuth, SAML2 and Kerberos authentication schemes to be supported by extensible single sign-on. SSO extensions may also support macOS authentication by adopting a native SSO protocol, which allows to retrieve SSO tokens during macOS login.
To use a single sign-on extension, an app can either use the AuthenticationServices API or can rely on the URL interception mechanism offered by the operating system. WebKit and CFNetwork provide an interception layer that permits seamless support of single sign-on for any native or WebKit app. For a single sign-on extension to be invoked, a configuration provided by an administrator has to be installed though a mobile device management (MDM) profile. In addition, redirect type extensions must use the Associated Domains payload to prove that the identity server they support is aware of their existence.
The only extension provided with the operating system is the Kerberos SSO extension.