Mobile apps and consent dialogue when logging in

We are using ASWebAuthenticationSession with apps on iOS to achieve SSO between apps. The IdP for authentication (OIDC) is an on-premise and trusted enterprise IdP based on one of the leading products in the market. Our problem is that the user is prompted for every login (and logout) with a consent dialogue box:

“AppName” wants to use “internal domain-name” to Sign In

This allows the app and website to share information about you.

Cancel | Continue

I have read in various places that Apple has a concept of “Trusted domains” where you can put an “Apple certified” static web-page on the IdP. This page needs to contain specific metadata that iOS can verify. Once a user logs in successfully a few times, and if the IdP is verified as trusted, subsequent logins would not prompt the consent screen.

Question: I struggle to find Apple documentation on how to go about a process that ends with this “Apple certified web-page” on our IdP. Does anyone have experience with this process, or can anyone point me in some direction to find related documentation?

I think a few different concepts are getting mixed up here.

There's the concept of Associated Domains, where you can form a two-way association between an app and a website. Setting this up when you control both the app and the website lets the system provide some additional security-sensitive features, like improved password AutoFill and passkey support.

ASWebAuthenticationSession itself currently doesn't check anything with Associated Domains. It is mainly built for signing in to third party services, where the app and the website are owned by separate entities. The consent prompt for ASWebAuthenticationSession is because it allows the app to share data with Safari, which is something apps can't normally do without user consent. The only way to avoid the prompt is to set prefersEphemeralWebBrowserSession = true, though that also means no state can be shared.

There are two potential other options worth exploring:

  1. If you own all the apps that you want to share state between, you could use App Groups to share data locally between them. That would let the user sign in to one app, and have their sign-in state securely shared with all of the others.

  2. If all devices you care about are managed, you could consider an AppSSO plugin. The plugin itself could save the sign-in state, which could let apps share sign-in state for your IdP even if you use prefersEphemeralWebBrowserSession = true for ASWebAuthenticationSession.
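The trade-off described in this answer, as an added example that is not from the original thread or from Apple: an ASWebAuthenticationSession started with prefersEphemeralWebBrowserSession = true never shows the "wants to use ... to Sign In" consent prompt, but because no cookies are shared with Safari, each app would otherwise have to authenticate on its own. The example therefore keeps the result of the sign-in in a keychain access group that the cooperating apps share (the group identifier, the IdP authorize URL, the callback scheme and the `code` query parameter name are all assumptions; Apple documents that an App Group identifier can be used as a keychain access group, but the entitlement must be configured in every app). The OIDC `state` value is generated per session and checked on the callback so a redirect that does not belong to this sign-in attempt is rejected.

```swift
import AuthenticationServices
import Security
import UIKit

/// Coordinates one OIDC authorization-code sign-in via ASWebAuthenticationSession.
final class EphemeralSSOSignIn: NSObject, ASWebAuthenticationPresentationContextProviding {
    // Assumed identifiers: replace with the real IdP endpoint, the scheme
    // registered in Info.plist and the app group shared by all cooperating apps.
    private let authorizeURL = URL(string: "https://idp.example.internal/oauth2/authorize")!
    private let callbackScheme = "com.example.sso"
    private let sharedAccessGroup = "group.com.example.sso" // assumed App Group id
    private let keychainAccount = "oidc-authorization-code"

    private var session: ASWebAuthenticationSession?
    private var expectedState: String?
    private weak var window: UIWindow?

    init(window: UIWindow) { self.window = window }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        window ?? ASPresentationAnchor()
    }

    /// Starts the sign-in. `ephemeral == true` suppresses the consent prompt but
    /// shares no cookies with Safari, so the result is persisted to the shared keychain.
    func signIn(ephemeral: Bool, completion: @escaping (Result<String, Error>) -> Void) {
        let state = Self.randomToken()
        expectedState = state

        var components = URLComponents(url: authorizeURL, resolvingAgainstBaseURL: false)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: "mobile-app"),          // assumed client id
            URLQueryItem(name: "redirect_uri", value: "\(callbackScheme)://callback"),
            URLQueryItem(name: "scope", value: "openid profile"),
            URLQueryItem(name: "state", value: state),
        ]

        let session = ASWebAuthenticationSession(url: components.url!, callbackURLScheme: callbackScheme) { [weak self] callbackURL, error in
            guard let self = self else { return }
            if let error = error { completion(.failure(error)); return }
            guard let callbackURL = callbackURL,
                  let items = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false)?.queryItems,
                  let returnedState = items.first(where: { $0.name == "state" })?.value,
                  returnedState == self.expectedState,                      // reject mismatched state
                  let code = items.first(where: { $0.name == "code" })?.value else {
                completion(.failure(NSError(domain: "EphemeralSSOSignIn", code: 1,
                                            userInfo: [NSLocalizedDescriptionKey: "Callback rejected: missing code or state mismatch"])))
                return
            }
            // Store the code so sibling apps in the same keychain access group can
            // redeem/continue the session instead of prompting the user again.
            self.storeShared(code)
            completion(.success(code))
        }
        session.prefersEphemeralWebBrowserSession = ephemeral // true: no Safari data shared, no consent prompt
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }

    /// Writes the value into the shared keychain access group (overwriting any previous item).
    private func storeShared(_ value: String) {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: keychainAccount,
            kSecAttrAccessGroup as String: sharedAccessGroup,
        ]
        SecItemDelete(query as CFDictionary)
        var add = query
        add[kSecValueData as String] = Data(value.utf8)
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        SecItemAdd(add as CFDictionary, nil)
    }

    /// Reads the value a sibling app stored, if any.
    func readShared() -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccount as String: keychainAccount,
            kSecAttrAccessGroup as String: sharedAccessGroup,
            kSecReturnData as String: true,
        ]
        var result: AnyObject?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let data = result as? Data else { return nil }
        return String(decoding: data, as: UTF8.self)
    }

    private static func randomToken() -> String {
        var bytes = [UInt8](repeating: 0, count: 32)
        _ = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        return bytes.map { String(format: "%02x", $0) }.joined()
    }
}
```

A real deployment would exchange the code for tokens with PKCE and store the refresh token rather than the one-time code; the point of the example is the choice between the consent prompt (ephemeral = false, Safari cookies shared) and silent re-use across apps via shared keychain state (ephemeral = true), which is the same trade-off the answer describes.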

Thank you very much for your reply! Since I am not a specialist in the Apple domain I have struggled to understand our options to be able to provide SSO between the apps. From your reply it looks like Associated Domains will not achieve our goal, so we will look into the two options you have provided.

One question though that has bothered us, and something you might be able to clarify for us: when setting up the “Associated Domains capability” there is a specific service called "authsrv" that can be specified, which implies a pointer to an authentication service in the domain. What is the purpose then of being able to define this service in the “Associated Domains capability”?
