How Apple is improving single sign-on

Among a slew of announcements at WWDC this year were some important changes to Apple’s support for single sign-on (SSO). Here’s what’s coming when new updates ship this fall.

SSO + BYOD = iOS 16, iPadOS 16

Apple first introduced SSO support at WWDC 2019 with Sign in with Apple, which also saw the introduction of extensions to enable this kind of authentication. It allowed a user to access a service or website using their Apple ID, and meant support for identity providers, the use of highly secure token-based signatures and the tools service providers required to implement these systems.

That was v.1, and Apple has continued to improve its offerings since then. All the same, the reality is that because apps and services must be equipped to accept SSO, it’s sometimes necessary to use third-party authentication services such as Okta and others, or simply manual sign in to access some sites.

Apple at WWDC 2022 updated SSO with two critical enhancements:

• SSO support for user enrollment for iOS 16 and iPadOS 16.
• Platform SSO support to macOS Ventura.

What’s new in SSO support for user enrollment

What’s changed is that when enrolling an iOS device, users can now download a mobile app from their identity provider (IdP) to enable use of SSO on that device. The system also requires a Managed Apple ID set up using Apple Business or School Manager and use of an MDM (Mobile Device Management) system of some kind, such as Apple Business Essentials, Jamf, or Kandji, to name but three.

Apple also made it possible to use Apple Configurator for iPhone to add Macs, iPads, and iPhones to Apple Business or School Manager starting this fall. The company has also made it much easier to enroll personal devices to MDM.

The lightest explanation of how Apple’s system works is that once enrollment is complete, the IdP app remains active on the device to mediate app and service authentications. For an end user, the experience is that once they sign into their iPhone/iPad, they should not need to authenticate use of other supported apps and services.

What is Platform SSO support for Macs?

For Macs, the addition of Platform SSO support means users will be signed into all the apps and websites that make use of their  company’s IdP once they authenticate their Mac at login. As they use their computer, authentication will take place on strength of the first login, which was itself mediated by the IdP and stored in the keychain, which means everything takes place behind the scenes, subject to whatever authentication policy you adopt.

(Employees will still need their own logins to access personal sites, apps, and services, of course.)

Apple calls Platform SSO a replacement for Active Directory, but it does require that IdPs implement the protocol and also that device management vendors update their profiles to support it.

Apple also now supports OAuth 2.0 authentication. That’s an important step for both of the above features, as it makes it possible to support additional identity provision systems from third-party services. Apple Business Manager and Apple School Manager now support the federation of Managed Apple IDs with Google Workspace and Microsoft Azure AD.

The password is dead, so use strong ones

While all the above SSO improvements aim at easing friction for enterprise deployments, Apple’s focus is also on reducing the need for authorization on a more pluralistic basis. Its work to replace CAPTCHA technology with seamless authorization that also uses that first device login as the standard of trust means passwords will become less important. Ironically, that work — and SSO generally — also mean the primary passcode you and your employees use to access devices has become far, far more important. You really need these to be strong….

After all, with SSO if your master password is 1,2,3,4 it really isn’t going to take much effort to crack into your confidential systems. This rather suggests you should explain the need for strong device passwords (and biometric authorization) to your employees before Apple ships its new systems in later this year.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.