Intro to single sign-on with Apple devices
Single sign-on (SSO) is a process in which a user provides authentication information once and receives a ticket to access resources for as long as the ticket is valid. This process lets users maintain secure access to resources without being asked for credentials every time they request access. It also increases the security of daily app use by ensuring that passwords are never transmitted over the network.
Apps can take advantage of your existing in-house SSO infrastructure via Kerberos, the most commonly deployed SSO technology. If you have Active Directory, eDirectory or Open Directory, it’s likely that a Kerberos system is already in place. Apple devices need to be able to contact the Kerberos service over a network connection to authenticate users. Certificates can be used to silently renew a Kerberos ticket, letting users maintain connections to certain services that leverage Kerberos for authentication.
iOS and iPadOS provide flexible support for Kerberos SSO to any app that uses the NSURLConnection or NSURLSession class to manage network connections and authentication. Apple provides all developers with these high-level frameworks to seamlessly integrate network connections within their apps.
Configure single sign-on
You configure SSO using configuration profiles, which can be either manually installed or managed with MDM. The SSO payload allows flexible configuration. SSO can be open to all apps, or restricted by app identifier, service URL, or both.
Simple string pattern matching is used when comparing a pattern against the prefix of a requested URL. As such, patterns must begin with either http:// or https:// and won’t match differing port numbers. If a URL matching pattern doesn’t end with a slash (/), a slash is appended.
For example, https://www.example.com/ matches https://www.example.com/index.html but won’t match http://www.example.com or https://www.example.com:443/.
A single wildcard may also be used to specify missing subdomains. For example, http://*.example.com/ will match http://store.example.com/.
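The following is an added example, not Apple's code: a small Python model of the URL matching rules described above, useful for checking a list of patterns against test URLs before placing them in an SSO payload. The function names are hypothetical, and the wildcard handling (a non-empty run of host characters that cannot cross a slash or colon) is an assumption, since the page only says the wildcard stands for missing subdomains.

```python
import re

def normalize_pattern(pattern: str) -> str:
    """Apply the documented rules: scheme required, one wildcard, trailing slash."""
    if not pattern.startswith(("http://", "https://")):
        raise ValueError(f"pattern must begin with http:// or https://: {pattern!r}")
    if pattern.count("*") > 1:
        raise ValueError(f"only a single wildcard is allowed: {pattern!r}")
    # Appending "/" stops "https://www.example.com" from also being a
    # prefix of a lookalike host such as "https://www.example.com.evil.test/".
    return pattern if pattern.endswith("/") else pattern + "/"

def compile_pattern(pattern: str) -> re.Pattern:
    head, star, tail = normalize_pattern(pattern).partition("*")
    if not star:
        return re.compile(re.escape(head))
    # Assumption: the wildcard covers host characters only, so it cannot
    # swallow a "/" and let the rest of the pattern match inside a path.
    return re.compile(re.escape(head) + r"[^/:?#@]+" + re.escape(tail))

def url_matches(pattern: str, url: str) -> bool:
    # re.match anchors at the start only, which gives prefix semantics.
    return compile_pattern(pattern).match(url) is not None

def audit(patterns, urls):
    """Return {url: [patterns that would match it]} for review."""
    return {u: [p for p in patterns if url_matches(p, u)] for u in urls}

if __name__ == "__main__":
    # Constructed sample input, based on the page's own examples.
    patterns = ["https://www.example.com", "http://*.example.com/"]
    urls = [
        "https://www.example.com/index.html",
        "http://www.example.com",
        "https://www.example.com:443/",
        "http://store.example.com/",
        "https://www.example.com.evil.test/",
        "http://evil.test/.example.com/",
    ]
    for url, hits in audit(patterns, urls).items():
        print(f"{url:40} -> {hits or 'no match'}")
```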