Apple School Manager – User Provisioning from AzureAD and Google G Suite

After Apple's education-focused event last month, Apple let slip a feature that hasn't yet launched: "One Simplified Login Experience".

While this is great for user and group provisioning into Apple School Manager (ASM) and soon Apple Business Manager (BSM), it does introduce a new hurdle that isn't unique to Apple.

Cloud identity providers like Microsoft AzureAD and Google G Suite do not keep a user's password in clear text or otherwise accessible; they store a hash of it. A hash value is the result of a one-way mathematical function (the hashing algorithm), and there is no method to revert the output of a one-way function back to the plaintext password.

Hence the password cannot be synced to another identity provider, as each provider produces its own hash under its own scheme, so one provider's stored value is of no use to another. This leaves Apple with two options:

  1. Provisioning only – users and groups are synced/provisioned from Microsoft AzureAD or Google G Suite, but passwords are set within ASM and BSM.
  2. Provisioning + SAML – users and groups are synced/provisioned from Microsoft AzureAD or Google G Suite. When a user logs in they are bounced to an AzureAD or Google G Suite URL to enter their password; when the correct password is entered they are bounced back to the Apple service to complete the login process.
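As an added illustration that is not part of the original post, the following Python model shows why a stored hash cannot move between providers and how the two options differ. The provider names, hashing parameters and salts are constructed for the example and are not the real AzureAD, G Suite or ASM schemes.

```python
import hashlib
import hmac
import os

# Constructed example: each identity provider has its own, incompatible
# password hashing scheme; "ASM" stands in for Apple's side in option 1.
PROVIDERS = {
    "AzureAD": {"algo": "sha256", "iterations": 100_000},
    "G Suite": {"algo": "sha512", "iterations": 50_000},
    "ASM":     {"algo": "sha256", "iterations": 120_000},
}

def enroll(provider, password):
    """Store only a salted, iterated hash; the plaintext is never kept."""
    p = PROVIDERS[provider]
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(p["algo"], password.encode(), salt, p["iterations"])
    return {"provider": provider, "salt": salt, "hash": digest}

def verify(record, password):
    """Only the provider whose scheme produced the record can check a password."""
    p = PROVIDERS[record["provider"]]
    candidate = hashlib.pbkdf2_hmac(p["algo"], password.encode(),
                                    record["salt"], p["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def copy_hash_to(record, target_provider):
    """What 'syncing the hash' would amount to: the bytes copy across, but the
    target's scheme cannot reproduce them from the user's real password."""
    return {"provider": target_provider, "salt": record["salt"], "hash": record["hash"]}

def provision_only(idp_record, username, asm_password):
    """Option 1: identity attributes are synced, but ASM keeps its own,
    separately set password record (hence two passwords for the user)."""
    return {"username": username, "source": idp_record["provider"],
            "credential": enroll("ASM", asm_password)}

def federated_login(idp_record, password):
    """Option 2: the Apple service never sees a hash; the IdP holding the
    record verifies the password and (here, as a bool) asserts the result."""
    return verify(idp_record, password)
```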

While both are great options and a step in the right direction, they introduce two new problems: separate passwords for your Managed Apple ID and your other cloud platform(s), or a disjointed login experience as the user is bounced between services.


Anyway, I guess we will see more of this and hopefully other changes to ASM and BSM at WWDC 2018.

Links

AzureAD password hash - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-hash-synchronization
