After Apples education-focused event last month, Apple let slip a feature that hasn’t yet launched, “One Simplified Login Experience”.
Cloud Identity providers like Microsoft AzureAD and Google G Suite do not keep a users password clear/accessible they are hashed. A hash value is a result of a one-way mathematical function (the hashing algorithm). There is no method to revert the result of a one-way function to the plain text version of a password.
Hence it cant not be sync’d to another Identity provider, as each provider has its own hash. This leaves Apple with two options:
- Provisioning only – users and groups are sync’d/provisioned from Microsoft AzureAD or Google G Suite but passwords are set within ASM and BSM.
- Provisioning + SAML – users and groups are sync’d/provisioned from Microsoft AzureAD or Google G Suite. When a user logins in they are bounced to AzureAD or Google G Suite URL to enter a their password, when the correct password is entered they are bounced back to the Apple service to complete the login process.
While both are a great options and a step in the right direction, it does introduce two new problems;
Seperate passwords for your Managed AppleID and other cloud platform(s) or potential unusual design continuity in the login process.
Anyway I guess we will see more of this and hopefully other changes to ASM and BSM at WWDC 2018.