Workspace ONE UEM grants access to iOS applications with single sign-on (SSO) enabled in two phases: it first checks the identity of the application user, and then it secures ongoing access to the application.

Requirements for Use in Applications that Use SDK Functions

To use the SSO function, ensure these components are in place.

  • Enable the SSO setting in the SDK default settings and policies in the Workspace ONE UEM console.
  • Initialize the SDK in the AppDelegate.
  • Ensure an anchor application, such as the AirWatch Agent or Workspace ONE, is installed on devices. Anchor application deployment is part of the Workspace ONE UEM mobile device management system.

Query the Current SSO Status

To query the SSO status of the iOS application, wait for the controllerDidFinishInitialCheck method to finish, then read the ssoStatus property of the DeviceInformationController class. If the controllerDidFinishInitialCheck method has not finished, the SSO status is reported as SSO disabled regardless of the console configuration.
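The following AppDelegate is an added example, not code from VMware or the SDK, showing how to initialize the SDK and read ssoStatus only after controllerDidFinishInitialCheck has run. The names AWController.clientInstance(), start(), AWSDKDelegate, DeviceInformationController.sharedController, SSOStatus and the no-op delegate methods are assumptions about the SDK API.

```swift
import UIKit
import AWSDK  // Workspace ONE SDK module name; assumed

// Added example (not VMware's code). Assumed API: AWController.clientInstance(),
// start(), AWSDKDelegate.controllerDidFinishInitialCheck(error:) and
// DeviceInformationController.sharedController.ssoStatus (SSOStatus enum).
@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate, AWSDKDelegate {
    var window: UIWindow?
    // Set only after the SDK's initial check completes. Until then the SDK
    // reports SSO as disabled regardless of the console setting, so any
    // feature that depends on SSO must not read ssoStatus yet.
    private(set) var initialCheckDone = false

    func application(_ application: UIApplication,
                     didFinishLaunchingWithOptions launchOptions:
                     [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        let controller = AWController.clientInstance()
        controller.delegate = self
        controller.start()  // starts the identify phase (silent login, then configured auth)
        return true
    }

    // Identify phase finished: only now is ssoStatus meaningful.
    func controllerDidFinishInitialCheck(error: NSError?) {
        if let error = error {
            NSLog("Workspace ONE initial check failed: \(error.localizedDescription)")
            return  // leave initialCheckDone false; SSO-dependent features stay off
        }
        initialCheckDone = true
        NSLog("SSO status: \(String(describing: currentSSOStatus()))")
    }

    /// nil until the initial check completes, so callers cannot confuse the
    /// pre-check default (disabled) with the real console configuration.
    func currentSSOStatus() -> SSOStatus? {
        guard initialCheckDone else { return nil }
        return DeviceInformationController.sharedController.ssoStatus
    }

    // Remaining AWSDKDelegate requirements (assumed names); no-ops here.
    func receivedProfiles(_ profiles: [Profile]) {}
    func wipe() {}
    func lock() {}
    func unlock() {}
    func stopNetworkActivity(reason: NetworkActivityStatus) {}
    func resumeNetworkActivity() {}
}
```

Callers that need to know whether SSO is on should treat a nil result from currentSSOStatus() as "not yet known" rather than as disabled.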

Application Access With SSO Enabled

The authentication process for an application with Workspace ONE UEM SSO enabled follows this general process.

Access phase: Identify for app access
User actions: Install app; log in to app
Authentication method:
  • Silent login (managed MDM token)
  • Authenticate (username and password, token, or SAML)

Access phase: Secure persistent app access
User actions: Successfully log in; access app
Authentication method (recurring authentication):
  • Passcode
  • Username and password
  • Disabled

The first phase ensures that the user's credentials are valid. The system first identifies the user by silent login. If silent login fails, the system falls back to the configured authentication system. Workspace ONE UEM supports username and password, token, and SAML.

The second phase grants the user access to the application and keeps the session live with a recurring authentication process. Workspace ONE UEM supports passcode, username and password, and no authentication (disabled).

Authentication Behavior By SSO Configuration

The SSO configuration controls the login behavior users experience when they access applications. The authentication setting (passcode, username and password, or disabled) combined with the SSO setting (enabled or disabled) determines the experience in each phase, as follows.

Passcode setting

  Identify phase, SSO enabled
  • Silent login: The system registers credentials with the managed token for MDM. If silent login fails, the system moves to the next identification process.
  • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).

  Identify phase, SSO disabled
  • Silent login: The system registers credentials with the managed token for MDM. If silent login fails, the system moves to the next identification process.
  • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).

  Secure phase, SSO enabled
  • Prompt if passcode exists: The system does not prompt for the passcode if the session instance is live.
  • Prompt if passcode does not exist: The system prompts users to create a passcode.
  • Session shared: The system shares the session instance across applications configured with Workspace ONE UEM SSO enabled.

  Secure phase, SSO disabled
  • Prompt if passcode exists: The system prompts users for the application passcode.
  • Prompt if passcode does not exist: The system prompts users to create a passcode.
  • Session not shared: The system does not share the session or the passcode with other applications.

Username and password setting

  Identify phase, SSO enabled
  • Silent login: The system registers credentials with the managed token for MDM. If silent login fails, the system moves to the next identification process.
  • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).

  Identify phase, SSO disabled
  • Silent login: The system registers credentials with the managed token for MDM. If silent login fails, the system moves to the next identification process.
  • Authenticate: The system prompts for application login credentials.

  Secure phase, SSO enabled
  • Prompt: The system does not prompt for the login credentials if the session instance is live.
  • Session shared: The system shares the session instance across applications configured with Workspace ONE UEM SSO enabled.

  Secure phase, SSO disabled
  • Prompt: The system prompts for the login credentials for the application on every access attempt.
  • Session not shared: The system does not share the session with other applications.

Disabled setting

  Identify phase, SSO enabled
  • Silent login: The system registers credentials with the managed token for MDM. If silent login fails, the system moves to the next identification process.
  • Authenticate: The system identifies credentials against a common authentication system (username and password, token, and SAML).

  Identify phase, SSO disabled
  • Silent login: The system registers credentials with the managed token for MDM. If silent login fails, the system moves to the next identification process.
  • Authenticate: The system prompts for application login credentials.

  Secure phase, SSO enabled
  • Prompt: The system does not prompt users for authentication.

  Secure phase, SSO disabled
  • Prompt: The system does not prompt users for authentication.