Intro to federated authentication with Apple School Manager
You use federated authentication to link Apple School Manager to your instance of Microsoft Azure Active Directory (Azure AD). As a result, your users can leverage their Azure AD user names (User Principal Name) and passwords as Managed Apple IDs. They can then use their Azure AD credentials to sign in to their assigned iPad or Mac and even to iCloud on the web. Students can also use it to sign in on Shared iPad.
If you’re attempting to federate a domain you have already verified but another organization has already federated the identical domain, you must contact that organization to determine who has the authority to federate the domain. See About domain conflicts.
Important: Federated authentication requires that a user’s User Principal Name (UPN) match their email address. User Principal Name aliases and Alternate IDs aren’t supported.
To use federated authentication with Apple School Manager, your Apple devices must meet the following requirements:
iOS 11.3 or later
iPadOS 13.1 or later
macOS 10.13.4 or later
Azure AD is the Identity Provider (IdP) that authenticates the user for Apple School Manager and issues authentication tokens. Because Apple School Manager supports Azure AD, other IdPs that connect to Azure AD—like Active Directory Federated Services (AD FS)—will also work with Apple School Manager. Federated authentication uses Security Assertion Markup Language (SAML) to connect Apple School Manager to Azure AD.
Note: Users can’t sign in to iCloud.com unless they first sign in with their Managed Apple ID on another Apple device.
Federated authentication and System for Cross-domain Identity Management (SCIM)
To add the Apple School Manager Azure AD app with Microsoft tenants, the administrator of the tenants must go through the federated authentication setup process, including testing authentication. When successful, the Apple School Manager Azure AD app is populated in the tenant and the administrator can federate domains and configure Apple School Manager to use SCIM. See Review SCIM requirements.
There are three scenarios where you might use federated authentication:
Federated authentication only
When you link to Azure AD, Managed Apple IDs are created for users when they simply sign in with the same user name and password they use with Azure AD services. If a user is removed from Azure AD, that user can be removed from Apple School Manager.
Federated authentication and Shared iPad
When you use federated authentication with Shared iPad, the sign-in process is different depending on whether the user already exists in Apple School Manager. To view the sign-in scenarios with Shared iPad and Apple School Manager, see Shared iPad overview.
The default passcode policy is standard (8 or more letters and numbers) and can be changed. See Password policy scenarios.
If the user forgets their passcode, you must Reset a Shared iPad passcode.
Federated authentication with users from other sources
When you link to Azure AD, Managed Apple IDs are automatically created for users, and they simply sign in with their current email address as their Managed Apple ID.
You then link to your SIS or upload files with SFTP. All information, such as classes and rosters, are matched against users from your Azure AD service. If a user is removed from Azure AD, that user must be deactivated in Apple School Manager by an account with privileges to change the status of users.
Important: If you’re connecting to a Student Information System (SIS) or importing users with Secure File Transfer Protocol (SFTP), and using federated authentication, the user’s email address in SIS must match their Azure AD user name that they already use to sign in.