Authentication process
Use a system-supported method to authenticate with an identity provider.
Overview
Platform SSO supports several methods to authenticate with an identity provider (IdP) that stores and verifies user identities. Each method includes specific steps to complete the authentication process. At a high level, authentication begins with the system requesting a server nonce, which includes an anti-replay value. Next, the system creates a login request according to the requirements of the chosen authentication method, sends the request, receives a response, and processes it.
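The nonce step described above, modelled as an added example that is not part of Apple's documentation or implementation: a toy IdP issues a single-use server nonce, the client echoes it in its login request, and the IdP rejects a replayed, forged or expired nonce. The nonce format, the 300-second lifetime and the request fields are assumptions for illustration only.

```python
import secrets
import time

NONCE_LIFETIME_S = 300  # assumed lifetime; not specified by the page


class IdentityProvider:
    """Toy IdP: issues single-use server nonces and checks login requests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._issued = {}  # nonce -> issued-at timestamp; removed once consumed

    def issue_nonce(self) -> str:
        # Step 1: the system asks for a server nonce. The random value is the
        # anti-replay component the client must echo back in its login request.
        nonce = secrets.token_urlsafe(32)
        self._issued[nonce] = self._clock()
        return nonce

    def process_login(self, request: dict) -> tuple:
        """Check the anti-replay value, consume it, then (here) accept."""
        issued_at = self._issued.get(request.get("nonce"))
        if issued_at is None:
            return (False, "unknown or already used nonce")
        # Consume before any further work so a concurrent replay also fails.
        del self._issued[request["nonce"]]
        if self._clock() - issued_at > NONCE_LIFETIME_S:
            return (False, "nonce expired")
        # Method-specific verification (password, key, SmartCard) would go here.
        return (True, "accepted")


def build_login_request(nonce: str, method: str, user: str) -> dict:
    # Step 2: the system builds a login request for the chosen method and
    # includes the nonce it just received (constructed field names).
    return {"nonce": nonce, "method": method, "user": user}


def demo() -> list:
    """Run the exchange once, then replay it and try a never-issued nonce."""
    idp = IdentityProvider()
    req = build_login_request(idp.issue_nonce(), "secure_enclave_key", "alice")
    first = idp.process_login(req)
    replay = idp.process_login(req)  # same nonce presented a second time
    forged = idp.process_login(build_login_request("not-issued", "password", "alice"))
    return [first, replay, forged]
```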
This flowchart provides a high-level overview of authentication using password, secure enclave key, SmartCard, and encrypted password:
[Image]
For password and encrypted password authentication, the IdP uses the local account password and keeps it in sync, including password updates from the login window and screensaver unlock. The secure enclave key authenticates with the IdP without a password and without changing the local password, and high-security customers can use a SmartCard to authenticate with the IdP.
Platform SSO also facilitates federated authentication with WS-Trust. Federation enables authentication between security domains, such as from a local IdP to a cloud IdP. In WS-Trust authentication, a federated IdP uses the local account password for authentication.
This flowchart provides a high-level overview of WS-Trust authentication, which includes preauthentication (for dynamic WS-Trust), obtaining federation metadata, authenticating with a federated IdP, and logging in with the IdP:
[Image]
Support TLS and system CA requirements
Because the login process can happen on any network, the system sends all HTTP requests using Transport Layer Security (TLS) and uses the current App Transport Security settings. The requests explicitly require that the system-provided root certificate authorities (CAs) include the issuer of the TLS certificate. The system doesn’t trust user-trusted or MDM-provided CAs for these requests. It limits these CAs to ensure the TLS tunnel to the identity provider doesn’t include any third-party products with security vulnerabilities or intentionally malicious code.
Topics
Pre-login
Obtaining a server nonce
Performing a preauthentication request
Performing a WS-Trust metadata exchange data (MEX) request
Login request
Performing a WS-Trust login request
Creating an embedded assertion
Creating an encrypted embedded assertion
Creating and validating a login request
Creating a refresh request
Supporting key requests and key exchange requests