sejersbol

Q: Single Sign-on using Certificates for Renewal

Hi,


We are currently in the process of implementing Single Sign-on for our enterprise iOS apps and intranet, and in this process we would like to understand how this is implemented in iOS (high level). We have an Active Directory, an MDM solution, and Kerberos working perfectly together with Single Sign-on on the iOS devices. We have also tried out the option of using certificates for renewal of Ticket Granting Tickets and this seems to be working, but we are not able to find any documentation on this. From https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html we have:


-- snippet --

PayloadCertificateUUID

Optional. The PayloadUUID of an identity certificate payload that can be used to renew the Kerberos credential without user interaction. The certificate payload must have either the com.apple.security.pkcs12 or com.apple.security.scep payload type. Both the Single Sign On payload and the identity certificate payload must be included in the same configuration profile.

-- snippet --


And from https://www.apple.com/business/docs/iOS_Security_Guide.pdf we have:


-- snippet --

iOS supports authentication to enterprise networks through Single Sign-on (SSO). SSO works with Kerberos-based networks to authenticate users to services they are authorized to access. SSO can be used for a range of network activities, from secure Safari sessions to third-party apps.

iOS SSO utilizes SPNEGO tokens and the HTTP Negotiate protocol to work with Kerberos-based authentication gateways and Windows Integrated Authentication systems that support Kerberos tickets. Certificate-based authentication is also supported. SSO support is based on the open source Heimdal project.

The following encryption types are supported:
• AES128-CTS-HMAC-SHA1-96
• AES256-CTS-HMAC-SHA1-96
• DES3-CBC-SHA1
• ARCFOUR-HMAC-MD5

Safari supports SSO, and third-party apps that use standard iOS networking APIs can also be configured to use it. To configure SSO, iOS supports a configuration profile payload that allows MDM servers to push down the necessary settings. This includes setting the user principal name (that is, the Active Directory user account) and Kerberos realm settings, as well as configuring which apps and/or Safari web URLs should be allowed to use SSO.

-- snippet --


I.e. how does TGT renewal work with certificates, i.e. the automatic re-authentication of the user when the user's Single Sign-on session expires? Is the implementation based on PK-INIT?


Anyone? Thanks!

Kind regards


Anders Sejersbøl

Posted on Feb 12, 2016 1:48 AM
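For reference, the following is a constructed configuration profile (an added example, not from the original post or from Apple's documentation) that wires together the two payloads the Configuration Profile Reference snippet above requires: an identity certificate payload and a Single Sign-On payload whose PayloadCertificateUUID points at it, both in the same profile. The UUIDs, the realm EXAMPLE.COM, the principal, the URL and app identifier patterns, and the PKCS#12 data and password are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.sso-profile</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadDisplayName</key><string>Kerberos SSO with certificate renewal (constructed example)</string>
  <key>PayloadContent</key>
  <array>
    <!-- Identity certificate payload (com.apple.security.pkcs12); the SSO payload below refers to its PayloadUUID -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.sso-profile.identity</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadDisplayName</key><string>User identity certificate</string>
      <!-- Placeholder: a real profile carries the base64-encoded PKCS#12 and its password here -->
      <key>Password</key><string>PLACEHOLDER-PKCS12-PASSWORD</string>
      <key>PayloadContent</key>
      <data>PLACEHOLDER-BASE64-PKCS12</data>
    </dict>
    <!-- Single Sign-On payload; PayloadCertificateUUID must equal the identity payload's PayloadUUID -->
    <dict>
      <key>PayloadType</key><string>com.apple.sso</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.sso-profile.kerberos</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>PayloadDisplayName</key><string>Corporate Kerberos SSO</string>
      <key>Name</key><string>Corporate Kerberos SSO</string>
      <key>Kerberos</key>
      <dict>
        <!-- Principal and realm are placeholders for the Active Directory account and Kerberos realm -->
        <key>Principal</key><string>jdoe@EXAMPLE.COM</string>
        <key>Realm</key><string>EXAMPLE.COM</string>
        <!-- Enables renewal of the Kerberos credential without user interaction -->
        <key>PayloadCertificateUUID</key><string>22222222-2222-2222-2222-222222222222</string>
        <!-- Restrict which URLs and apps may use the SSO credential -->
        <key>URLPrefixMatches</key>
        <array><string>https://intranet.example.com/</string></array>
        <key>AppIdentifierMatches</key>
        <array><string>com.example.*</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Keeping URLPrefixMatches and AppIdentifierMatches narrow limits which endpoints and apps can present the renewed ticket, which matters more once renewal no longer requires the user to re-enter a password.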