MicrosoftDocs
diff --git a/‎articles/active-directory/develop/media/single-sign-on-macos-ios/keychain-example.png
54.6 KB b/‎articles/active-directory/develop/media/single-sign-on-macos-ios/keychain-example.png
54.6 KB
diff --git a/‎articles/active-directory/develop/single-sign-on-macos-ios.md
Lines changed: 22 additions & 12 deletions b/‎articles/active-directory/develop/single-sign-on-macos-ios.md
Lines changed: 22 additions & 12 deletions
@@ -14,7 +14,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 08/28/2019
+ms.date: 02/03/2020
 ms.author: twhitney
 ms.reviewer: 
 ms.custom: aaddev
@@ -67,9 +67,9 @@ For the Microsoft identity platform to know which applications can share tokens,
 
 The way the Microsoft identity platform tells apps that use the same Application ID apart is by their **Redirect URIs**. Each application can have multiple Redirect URIs registered in the onboarding portal. Each app in your suite will have a different redirect URI. For example:
 
-App1 Redirect URI: `msauth.com.contoso.mytestapp1://auth`
-App2 Redirect URI: `msauth.com.contoso.mytestapp2://auth`
-App3 Redirect URI: `msauth.com.contoso.mytestapp3://auth`
+App1 Redirect URI: `msauth.com.contoso.mytestapp1://auth`  
+App2 Redirect URI: `msauth.com.contoso.mytestapp2://auth`  
+App3 Redirect URI: `msauth.com.contoso.mytestapp3://auth`  
 
 > [!IMPORTANT]
 > The format of redirect uris must be compatible with the format MSAL supports, which is documented in [MSAL Redirect URI format requirements](redirect-uris-ios.md#msal-redirect-uri-format-requirements).
@@ -94,6 +94,18 @@ When you have the entitlements set up correctly, you'll see a `entitlements.plis
 </plist>
 ```
 
+#### Add a new keychain group
+
+Add a new keychain group to your project **Capabilities**. The keychain group should be:
+* `com.microsoft.adalcache` on iOS 
+* `com.microsoft.identity.universalstorage` on macOS.
+
+![keychain example](media/single-sign-on-macos-ios/keychain-example.png)
+
+For more information, see [keychain groups](howto-v2-keychain-objc.md).
+
+## Configure the application object
+
 Once you have the keychain entitlement enabled in each of your applications, and you're ready to use SSO, configure `MSALPublicClientApplication` with your keychain access group as in the following example:
 
 Objective-C:
@@ -111,17 +123,15 @@ Swift:
 ```swift
 let config = MSALPublicClientApplicationConfig(clientId: "<my-client-id>")
 config.cacheConfig.keychainSharingGroup = "my.keychain.group"
-        
+
 do {
-	let application = try MSALPublicClientApplication(configuration: config)
-  // continue on with application          
+   let application = try MSALPublicClientApplication(configuration: config)
+  // continue on with application
 } catch let error as NSError {
   // handle error here
-}       
+}
 ```
 
-
-
 > [!WARNING]
 > When you share a keychain across your applications, any application can delete users or even all of the tokens across your application.
 > This is particularly impactful if you have applications that rely on tokens to do background work.
@@ -204,7 +214,7 @@ func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>)
         MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: sourceApp)
     }
 ```
-    
+
 ## Next steps
 
-Learn more about [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)
+Learn more about [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)