AirWatch allows access to iOS applications with single sign-on (SSO) enabled in two phases: it first checks the identity of the application user, then it secures access to the application.

Requirements for Use in Applications that Use SDK Functions

To use the SSO function, ensure these components are set.

  • Enable the SSO setting in the SDK default settings and policies in the AirWatch Console.
  • Initialize the SDK in the AppDelegate.
  • Ensure an anchor application is on devices like the AirWatch Agent or Workspace ONE. The anchor application deployment is part of the AirWatch mobile device management system.

Query the Current SSO Status

To query the SSO status of the iOS application, wait for the initialCheckDone method to finish, then read the ssoStatus property of the DeviceInformationController class. Until the initialCheckDone method finishes, ssoStatus reports SSO as disabled, so a value read before that point does not reflect the actual configuration.
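An added example (not AirWatch's own code) of gating a feature on the SSO status only once initialCheckDone has fired. The SSOStatusSource protocol, the SSOGate class and the Bool status type are assumptions standing in for the SDK's DeviceInformationController and its ssoStatus property; only those two names and initialCheckDone come from the page.

```swift
import Foundation

/// Stand-in for the SDK object that exposes ssoStatus (hypothetical protocol;
/// the real DeviceInformationController is not modelled here).
protocol SSOStatusSource {
    /// Assumed: true when SSO is enabled for this application.
    var ssoStatus: Bool { get }
}

/// Wraps the status source so callers cannot read ssoStatus before the SDK's
/// initial check has completed (the page states it reads as "disabled" until then).
final class SSOGate {
    private let source: SSOStatusSource
    private var initialCheckDone = false
    private var pending: [() -> Void] = []

    init(source: SSOStatusSource) {
        self.source = source
    }

    /// Call this from the SDK delegate's initialCheckDone callback in the
    /// AppDelegate; it releases any work that was waiting on the status.
    func markInitialCheckDone() {
        initialCheckDone = true
        let queued = pending
        pending.removeAll()
        queued.forEach { $0() }
    }

    /// Returns nil while the initial check is still running so that the
    /// pre-check "SSO disabled" default is never mistaken for a real answer.
    func currentSSOStatus() -> Bool? {
        return initialCheckDone ? source.ssoStatus : nil
    }

    /// Runs `work` with the real status, deferring it until the check completes
    /// instead of acting on the placeholder value.
    func whenStatusKnown(_ work: @escaping (Bool) -> Void) {
        if let status = currentSSOStatus() {
            work(status)
        } else {
            pending.append { [source] in work(source.ssoStatus) }
        }
    }
}
```

A view controller that decides between shared-session and per-app authentication should call whenStatusKnown rather than reading ssoStatus directly, so a screen that loads before the SDK finishes never downgrades to the "disabled" path by accident.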

Application Access With SSO Enabled

The authentication process for an application with AirWatch SSO enabled follows the general flow shown in the figure below.

[Figure SSO02: two-phase authentication flow for an application with SSO enabled]

The first phase ensures that the user's credentials are valid. The system first identifies the user by silent login; if silent login fails, the system falls back to the configured authentication system. AirWatch supports username and password, token, and SAML.

The second phase grants the user access to the application and keeps the session live with a recurring authentication process. AirWatch supports passcode, username and password, and no authentication (disabled).

Authentication Behavior By SSO Configuration

The SSO configuration controls the login behavior users experience when they access applications. Together, the authentication setting and the SSO setting determine what users see when they open the application.

For each authentication setting, the entries below list the behavior in the Identify and Secure phases with SSO enabled and with SSO disabled.

Passcode

  Identify

    SSO enabled and SSO disabled (same behavior):
      • Silent login: The system registers credentials with the managed token for MDM.
      • If silent login fails, the system moves to the next identification process.
      • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).

  Secure

    SSO enabled:
      • Prompt if passcode exists: The system does not prompt for the passcode if the session instance is live.
      • Prompt if passcode does not exist: The system prompts users to create a passcode.
      • Session shared: The system shares the session instance across applications configured with AirWatch SSO enabled.

    SSO disabled:
      • Prompt if passcode exists: The system prompts users for the application passcode.
      • Prompt if passcode does not exist: The system prompts users to create a passcode.
      • Session not shared: The system does not share the session or the passcode with other applications.

Username and password

  Identify

    SSO enabled:
      • Silent login: The system registers credentials with the managed token for MDM.
      • If silent login fails, the system moves to the next identification process.
      • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).

    SSO disabled:
      • Silent login: The system registers credentials with the managed token for MDM.
      • If silent login fails, the system moves to the next identification process.
      • Authenticate: The system prompts for application login credentials.

  Secure

    SSO enabled:
      • Prompt: The system does not prompt for the login credentials if the session instance is live.
      • Session shared: The system shares the session instance across applications configured with AirWatch SSO enabled.

    SSO disabled:
      • Prompt: The system prompts for the login credentials for the application on every access attempt.
      • Session not shared: The system does not share the session with other applications.

Disabled

  Identify

    SSO enabled:
      • Silent login: The system registers credentials with the managed token for MDM.
      • If silent login fails, the system moves to the next identification process.
      • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).

    SSO disabled:
      • Silent login: The system registers credentials with the managed token for MDM.
      • If silent login fails, the system moves to the next identification process.
      • Authenticate: The system prompts for application login credentials.

  Secure

    SSO enabled and SSO disabled (same behavior):
      • Prompt: The system does not prompt users for authentication.