articles/active-directory/authentication/active-directory-certificate-based-authentication-ios.md: 13 additions & 9 deletions
@@ -44,27 +44,31 @@ This article details the requirements and the supported scenarios for configurin
44
44
45
45
To use CBA with iOS, the following requirements and considerations apply:
46
46
47
-
* The device OS version must be iOS 9 and above.
47
+
* The device OS version must be iOS 9 or above.
48
48
* Microsoft Authenticator is required for Office applications on iOS.
49
-
* An identity preference is created in the macOS keychain and includes the authentication URL of the ADFS server. For more information, see [Create an identity preference in Keychain Access on Mac](https://support.apple.com/guide/keychain-access/create-an-identity-preference-kyca6343b6c9/mac).
49
+
* An identity preference must be created in the macOS Keychain that include the authentication URL of the ADFS server. For more information, see [Create an identity preference in Keychain Access on Mac](https://support.apple.com/guide/keychain-access/create-an-identity-preference-kyca6343b6c9/mac).
50
50
51
51
The following Active Directory Federation Services (ADFS) requirements and considerations apply:
52
52
53
-
* ADFS server must be enabled for certificate authentication and use federated authentication.
54
-
* The certificate needs to have a *Client Authentication* E.K.U and contains the UPN of the user in the *Subject Alternative Name (NT Principal Name)*.
53
+
* The ADFS server must be enabled for certificate authentication and use federated authentication.
54
+
* The certificate needs to have to use Enhanced Key Usage (EKU) and contain the UPN of the user in the *Subject Alternative Name (NT Principal Name)*.
55
+
56
+
## Configure ADFS
55
57
56
58
For Azure AD to revoke a client certificate, the ADFS token must have the following claims. Azure AD adds these claims to the refresh token if they're available in the ADFS token (or any other SAML token). When the refresh token needs to be validated, this information is used to check the revocation:
57
59
58
-
*`http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` - add the serial number of the client certificate
59
-
*`http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` - add the string for the issuer of the client certificate
60
+
*`http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>` - add the serial number of your client certificate
61
+
*`http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>` - add the string for the issuer of your client certificate
60
62
61
-
As a best practice, you should update your organization's ADFS error pages with the following information:
63
+
As a best practice, you also should update your organization's ADFS error pages with the following information:
62
64
63
65
* The requirement for installing the Microsoft Authenticator on iOS.
64
66
* Instructions on how to get a user certificate.
65
67
66
68
For more information, see [Customizing the AD FS sign in page](https://technet.microsoft.com/library/dn280950.aspx).
67
69
70
+
## Use modern authentication with Office apps
71
+
68
72
Some Office apps with modern authentication enabled send `prompt=login` to Azure AD in their request. By default, Azure AD translates `prompt=login` in the request to ADFS as `wauth=usernamepassworduri` (asks ADFS to do U/P Auth) and `wfresh=0` (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, modify the default Azure AD behavior.
69
73
70
74
To update the default behavior, set the '*PromptLoginBehavior*' in your federated domain settings to *Disabled*. You can use the [MSOLDomainFederationSettings](/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0) cmdlet to perform this task, as shown in the following example:
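Review bot: the rewritten certificate bullet (`* The certificate needs to have to use Enhanced Key Usage (EKU) and contain the UPN of the user ...`) is ungrammatical and loses the one detail that matters: the old line named the *Client Authentication* EKU, while the new line only says the certificate must "use Enhanced Key Usage" and no longer tells the reader which EKU is required. Suggest `* The certificate must have the *Client Authentication* Enhanced Key Usage (EKU) and contain the UPN of the user in the *Subject Alternative Name (NT Principal Name)*.` Also, in the Keychain bullet, `that include the authentication URL` should be `that includes the authentication URL`.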
@@ -73,9 +77,9 @@ To update the default behavior, set the '*PromptLoginBehavior*' in your federate
On iOS 9 or later, the native iOS mail client is supported. For all other Exchange ActiveSync applications, to determine if this feature is supported, contact your application developer.
82
+
On iOS 9 or later, the native iOS mail client is supported. To determine if this feature is supported for all other Exchange ActiveSync applications, contact your application developer.
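Review bot: the new wording `To determine if this feature is supported for all other Exchange ActiveSync applications, contact your application developer.` reads as though a single developer could answer for every other application; the original split (native mail client supported; for any other ActiveSync app, ask its own developer) was clearer. Suggest `For any other Exchange ActiveSync application, contact that application's developer to find out whether this feature is supported.`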