Hello,
We're currently working on a project on macOS and iOS which is making us consider using Managed Apple IDs instead of standard Apple IDs, for many reasons.
The thing is, we're not sure our idea is feasible because of our AAD <> 3rd-party IdP federation. Certificate-based authentication is the only way to authenticate to our 3rd-party IdP, and hence to AAD.
To make sure users connect only from managed devices, we've completely removed the possibility of logging in to AAD with a username/password, and instead leverage the machine certificate present on our devices for authentication.
With this said, the flow for automated Managed Apple ID creation/login would go like this:
1/ The user receives their iPhone/Mac and starts enrolment
2/ At the Managed Apple ID creation phase, they are redirected to AAD for authentication
3/ AAD in turn redirects the user to our 3rd-party IdP, which then checks the validity of the certificate present on the device before issuing an accept/deny SAML response.
My question on this would then be:
Can macOS and iOS devices use the certificate present in the device's keystore and present it to the service to authenticate for Apple ID purposes?
Has any of you successfully implemented such a method in your environment?
Thanks,
Anton
@AntonThirifays - If I'm reading this correctly, I think you need to rethink how this is happening.
iOS/macOS only use "Managed Apple IDs" for the special "User Enrollment" type of enrollment. The whole point of User Enrollment is to separate the keychain and APFS volume managed by the UEM from the keychain/APFS volume containing the user's personal data. You're basically asking if you can take the enterprise/work certificate and authenticate to User Enrollment with it. In order for that to happen, the certificate would have to be outside the UEM-managed keychain, because until you authenticate with the Managed Apple ID, the work keychain/filesystem doesn't exist.
Does that make sense?
