Merge pull request #219432 from henrymbuguakiarie/msid-content-health-single-sign-on-macos-ios

v-ccolin · web-flow · commit 5914292587a8 · 2022-11-25T08:34:06.000Z
[msid][content-health] single sign on macos ios (ADO-2177156)
diff --git a/articles/active-directory/develop/single-sign-on-macos-ios.md b/articles/active-directory/develop/single-sign-on-macos-ios.md
@@ -1,5 +1,5 @@
 ---
-title: Configure SSO on macOS and iOS 
+title: Configure SSO on macOS and iOS
 description: Learn how to configure single sign on (SSO) on macOS and iOS.
 services: active-directory
 author: henrymbuguakiarie
@@ -9,35 +9,33 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 02/03/2020
+ms.date: 11/23/2022
 ms.author: henrymbugua
-ms.reviewer: 
-ms.custom: aaddev
+ms.reviewer:
+ms.custom: aaddev, engagement-fy23
 ---
 
 # Configure SSO on macOS and iOS
 
-The Microsoft Authentication Library (MSAL) for macOS and iOS supports Single Sign-on (SSO) between macOS/iOS apps and browsers. This article covers the following SSO scenarios:
+The Microsoft Authentication Library (MSAL) for macOS and iOS supports single sign-on (SSO) between macOS/iOS apps and browsers. This article covers the following SSO scenarios:
 
 - [Silent SSO between multiple apps](#silent-sso-between-apps)
 
-This type of SSO works between multiple apps distributed by the same Apple Developer. It provides silent SSO (that is, the user isn't prompted for credentials) by reading refresh tokens written by other apps from the keychain, and exchanging them for access tokens silently.  
+This type of SSO works between multiple apps distributed by the same Apple Developer. It provides silent SSO (that is, the user isn't prompted for credentials) by reading refresh tokens written by other apps from the keychain, and exchanging them for access tokens silently.
 
 - [SSO through Authentication broker](#sso-through-authentication-broker-on-ios)
 
-> [!IMPORTANT]
-> This flow is not available on macOS.
+The SSO through authentication broker isn't available on macOS.
 
-Microsoft provides apps, called brokers, that enable SSO between applications from different vendors as long as the mobile device is registered with Azure Active Directory (AAD). This type of SSO requires a broker application be installed on the user's device.
+Microsoft provides apps called brokers, that enable SSO between applications from different vendors as long as the mobile device is registered with Azure Active Directory (Azure AD). This type of SSO requires a broker application be installed on the user's device.
 
 - **SSO between MSAL and Safari**
 
 SSO is achieved through the [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession?language=objc) class. It uses existing sign-in state from other apps and the Safari browser. It's not limited to apps distributed by the same Apple Developer, but it requires some user interaction.
 
 If you use the default web view in your app to sign in users, you'll get automatic SSO between MSAL-based applications and Safari. To learn more about the web views that MSAL supports, visit [Customize browsers and WebViews](customize-webviews.md).
 
-> [!IMPORTANT]
-> This type of SSO is currently not available on macOS. MSAL on macOS only supports WKWebView which doesn't have SSO support with Safari. 
+This type of SSO is currently not available on macOS. MSAL on macOS only supports WKWebView which doesn't have SSO support with Safari.
 
 - **Silent SSO between ADAL and MSAL macOS/iOS apps**
 
@@ -64,10 +62,9 @@ The way the Microsoft identity platform tells apps that use the same Application
 
 App1 Redirect URI: `msauth.com.contoso.mytestapp1://auth`  
 App2 Redirect URI: `msauth.com.contoso.mytestapp2://auth`  
-App3 Redirect URI: `msauth.com.contoso.mytestapp3://auth`  
+App3 Redirect URI: `msauth.com.contoso.mytestapp3://auth`
 
-> [!IMPORTANT]
-> The format of redirect URIs must be compatible with the format MSAL supports, which is documented in [MSAL Redirect URI format requirements](redirect-uris-ios.md#msal-redirect-uri-format-requirements).
+The format of redirect URIs must be compatible with the format MSAL supports, which is documented in [MSAL Redirect URI format requirements](redirect-uris-ios.md#msal-redirect-uri-format-requirements).
 
 ### Setup keychain sharing between applications
 
@@ -92,8 +89,9 @@ When you have the entitlements set up correctly, you'll see a `entitlements.plis
 #### Add a new keychain group
 
 Add a new keychain group to your project **Capabilities**. The keychain group should be:
-* `com.microsoft.adalcache` on iOS 
-* `com.microsoft.identity.universalstorage` on macOS.
+
+- `com.microsoft.adalcache` on iOS
+- `com.microsoft.identity.universalstorage` on macOS.
 
 ![keychain example](media/single-sign-on-macos-ios/keychain-example.png)
 
@@ -109,7 +107,7 @@ Objective-C:
 NSError *error = nil;
 MSALPublicClientApplicationConfig *configuration = [[MSALPublicClientApplicationConfig alloc] initWithClientId:@"<my-client-id>"];
 configuration.cacheConfig.keychainSharingGroup = @"my.keychain.group";
-    
+
 MSALPublicClientApplication *application = [[MSALPublicClientApplication alloc] initWithConfiguration:configuration error:&error];
 ```
 
@@ -136,48 +134,48 @@ That's it! The Microsoft identity SDK will now share credentials across all your
 
 ## SSO through Authentication broker on iOS
 
-MSAL provides support for brokered authentication with Microsoft Authenticator. Microsoft Authenticator provides SSO for AAD registered devices, and also helps your application follow Conditional Access policies.
+MSAL provides support for brokered authentication with Microsoft Authenticator. Microsoft Authenticator provides SSO for Azure AD registered devices, and also helps your application follow Conditional Access policies.
 
 The following steps are how you enable SSO using an authentication broker for your app:
 
 1. Register a broker compatible Redirect URI format for the application in your app's Info.plist. The broker compatible Redirect URI format is `msauth.<app.bundle.id>://auth`. Replace `<app.bundle.id>`` with your application's bundle ID. For example:
 
-    ```xml
-    <key>CFBundleURLSchemes</key>
-    <array>
-        <string>msauth.<app.bundle.id></string>
-    </array>
-    ```
+   ```xml
+   <key>CFBundleURLSchemes</key>
+   <array>
+       <string>msauth.<app.bundle.id></string>
+   </array>
+   ```
 
 1. Add following schemes to your app's Info.plist under `LSApplicationQueriesSchemes`:
 
-    ```xml
-    <key>LSApplicationQueriesSchemes</key>
-    <array>
-         <string>msauthv2</string>
-         <string>msauthv3</string>
-    </array>
-    ```
+   ```xml
+   <key>LSApplicationQueriesSchemes</key>
+   <array>
+        <string>msauthv2</string>
+        <string>msauthv3</string>
+   </array>
+   ```
 
 1. Add the following to your `AppDelegate.m` file to handle callbacks:
 
-    Objective-C:
-    
-    ```objc
-    - (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options
-    {
-        return [MSALPublicClientApplication handleMSALResponse:url sourceApplication:options[UIApplicationOpenURLOptionsSourceApplicationKey]];
-    }
-    ```
-    
-    Swift:
-    
-    ```swift
-    func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any] = [:]) -> Bool {
-        return MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: options[UIApplication.OpenURLOptionsKey.sourceApplication] as? String)
-    }
-    ```
-    
+   Objective-C:
+
+   ```objc
+   - (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options
+   {
+       return [MSALPublicClientApplication handleMSALResponse:url sourceApplication:options[UIApplicationOpenURLOptionsSourceApplicationKey]];
+   }
+   ```
+
+   Swift:
+
+   ```swift
+   func application(_ app: UIApplication, open url: URL, options: [UIApplication.OpenURLOptionsKey : Any] = [:]) -> Bool {
+       return MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: options[UIApplication.OpenURLOptionsKey.sourceApplication] as? String)
+   }
+   ```
+
 **If you are using Xcode 11**, you should place MSAL callback into the `SceneDelegate` file instead.
 If you support both UISceneDelegate and UIApplicationDelegate for compatibility with older iOS, MSAL callback would need to be placed into both files.
 
@@ -189,7 +187,7 @@ Objective-C:
      UIOpenURLContext *context = URLContexts.anyObject;
      NSURL *url = context.URL;
      NSString *sourceApplication = context.options.sourceApplication;
-     
+
      [MSALPublicClientApplication handleMSALResponse:url sourceApplication:sourceApplication];
  }
 ```
@@ -198,14 +196,14 @@ Swift:
 
 ```swift
 func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
-        
+
         guard let urlContext = URLContexts.first else {
             return
         }
-        
+
         let url = urlContext.url
         let sourceApp = urlContext.options.sourceApplication
-        
+
         MSALPublicClientApplication.handleMSALResponse(url, sourceApplication: sourceApp)
     }
 ```
