Apple SSO Overview apple-sso-overview
Apple provides users the capability to sign in to their TV provider account at the device system level, eliminating the need to authenticate on an app-by-app basis.
Adobe Pass Authentication partnered with Apple to create the Partner Single Sign-On (SSO) user experience in the TV Everywhere ecosystem for iPhone, iPad and Apple TV owners.
In order to benefit from the Single Sign-On (SSO) user experience on an Apple device, there is a list of prerequisites documented below that must be completed.
The end result should create an experience in line with the following user flows, that we recommend you consult before you start developing your application:
- Single Sign-On (SSO) user flows for iPhone and iPad devices.
- Single Sign-On (SSO) user flows for Apple TV devices.
Prerequisites apple-sso-prerequisites
Onboarding prerequisites may apply to one or multiple entities involved in the TVE business, such as Programmers, MVPDs, Adobe Pass Authentication or Apple.
Programmer apple-sso-prerequisites-programmer
In order to benefit from the Single Sign-On (SSO) user experience, one Programmer must:
-
Contact Apple to enable the Video Subscriber Account Framework as part of your Apple Team ID and configure the Video Subscriber Single Sign-On Entitlement as part of your Apple Developer Account.
- Use Xcode version 8 or above and iOS/tvOS version 10 or above.
-
Enable Single Sign-On (SSO) for each desired integration and platform (iOS/tvOS) through the Adobe Pass TVE Dashboard by setting the
Enable Single Sign On
property toYes
.
-
Integrate the Single Sign-On (SSO) user flows using one of the following solutions offered by Adobe Pass Authentication for end users of client applications running on iOS, iPadOS or tvOS.
-
The Adobe Pass Authentication REST API V2 has support for Partner Single Sign-On (SSO).
Refer to the Apple SSO Cookbook (REST API V2) documentation.
-
The legacy Adobe Pass Authentication REST API V1 has support for Partner Single Sign-On (SSO).
Refer to the (Legacy) Apple SSO Cookbook (REST API V1) documentation.
-
The legacy Adobe Pass Authentication AccessEnabler iOS/tvOS SDK has support for Partner Single Sign-On (SSO).
Refer to the (Legacy) Apple SSO Cookbook (iOS/tvOS SDK) documentation.
-
MVPD apple-sso-prerequisites-mvpd
In order to benefit from the Single Sign-On (SSO) user experience, one MVPD must:
-
Contact Apple to initiate the onboarding process on Apple’s side.
- Request the technical documentation on how to integrate and develop a JavaScript TVML application capable of handling the user login form.
-
Contact Adobe Pass Authentication to initiate the onboarding process on Adobe’s side.
- Provide the string value representing the TV provider identifier assigned by Apple during the onboarding process.
FAQ FAQ
-
In case something goes wrong with the Apple SSO workflow, can the application using the Adobe Pass Authentication AccessEnabler iOS/tvOS SDK have the ability to fall back to the regular authentication flow?
This is possible but requires a configuration change being performed through the Adobe Pass TVE Dashboard to set the Enable Single Sign-On on NO for the desired integration and platform (iOS/tvOS). Be aware that the client application will acknowledge the configuration change only after calling the setRequestor API.
-
Will the application know when an authentication has happened as a result of a sign in through Apple SSO?
This information is available as part of the user metadata key: tokenSource, which should return the string value: “Apple” in this case.
-
Will the application know when an authentication has happened as a result of a sign in through Apple SSO on another application?
This information is not available.
-
What happens if a user signs in by going to the
Settings -> TV Provider
on iOS/iPadOS orSettings -> Accounts -> TV Provider
on tvOS section using an MVPD which is not integrated with the application?When the user launches the application, the user won’t be authenticated via the Apple SSO workflow. Therefore, the application would have to fall back to regular authentication flow and present its own MVPD picker.
-
What happens if a user signs in by going to the
Settings -> TV Provider
on iOS/iPadOS orSettings -> Accounts -> TV Provider
on tvOS section using an MVPD which has the Enable Single Sign On set on NO through the Adobe Pass TVE Dashboard for iOS/tvOS platform?When the user launches the application, the user won’t be authenticated via the Apple SSO workflow. Therefore, the application would have to fall back to regular authentication flow and present its own MVPD picker.
-
What happens if a user has an MVPD which is not onboarded (not supported) by Apple, but it is present in the Apple picker?
When the user launches the application, the user will only select the MVPD via the Apple SSO workflow without completing the authentication flow. Therefore, the application would have to fall back to regular authentication flow, but could use the already selected MVPD.
-
What happens if a user has an MVPD which is not onboarded (not supported) by Apple?
When the user launches the application, the user will select the “Other TV Providers” picker option via the Apple SSO workflow. Therefore, the application would have to fall back to regular authentication flow and present its own MVPD picker.
-
What happens if a user has an MVPD which is degraded through the medium of Adobe Pass TVE Dashboard?
When the user launches the application, the user will be authenticated via the degradation mechanism and not via the Apple SSO workflow. The experience should be seamless for the user, while the application will be informed through the N010 warning code in case it is using the Adobe Pass Authentication AccessEnabler iOS/tvOS SDK.
-
Will the MVPD user ID change between Apple SSO and non-Apple SSO authentication flows?
The expectation is that the user ID will not change, but it needs to be verified for each selected provider.
-
Will there be any change to the authentication TTLs?
Adobe Pass Authentication will continue to respect the TTLs required by the Programmers for their integration with each MVPD. When navigating from one Programmer application to another Programmer application through Apple SSO, the second application will have the TTL of its corresponding Programmer x MVPD integration (it won’t share the TTL of the first application that authenticates)