After Apple's education-focused event last month, Apple let slip a feature that hasn't yet launched: "One Simplified Login Experience".
While this is great for user and group provisioning into Apple School Manager (ASM) and, soon, Apple Business Manager (ABM), it introduces a hurdle that isn't unique to Apple.
Cloud identity providers like Microsoft Azure AD and Google G Suite do not keep a user's password in clear or accessible form; they store a hash of it. A hash value is the output of a one-way mathematical function (the hashing algorithm), normally applied to the password together with a per-user salt and many iterations. There is no method to revert the output of a one-way function to the plaintext password.
Hence a password cannot be synced to another identity provider: each provider uses its own algorithm, salt and parameters, so one provider's stored hash verifies nothing at another, and the only moment the plaintext exists is when the user types it. (Azure AD's own password hash synchronization from on-premises Active Directory, linked below, works only because Azure AD was built to consume the AD hash and re-hash it with its own salt; it is purpose-built and one-directional, not a general way to move passwords between providers.) This leaves Apple with two options:
- Provisioning only – users and groups are synced/provisioned from Microsoft Azure AD or Google G Suite, but passwords are set separately within ASM and ABM.
- Provisioning + SAML – users and groups are synced/provisioned from Microsoft Azure AD or Google G Suite. When a user logs in they are redirected to the Azure AD or G Suite URL to enter their password; once the correct password is entered, the identity provider returns a signed assertion and the user is bounced back to the Apple service to complete the login process.
While both are good options and a step in the right direction, each introduces a new problem: separate passwords for your Managed Apple ID and your other cloud platform(s), or an unusual break in the design continuity of the login process, since the user leaves the Apple page mid-login and comes back.
Anyway, I guess we will see more of this, and hopefully other changes to ASM and ABM, at WWDC 2018.
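The two points above, as an added example that is not code from the original post or from Apple, Microsoft or Google: a toy identity provider that stores only salted PBKDF2 hashes, an Apple-like service provider that is provisioned from it, and both login options side by side. It shows why copying a stored hash to another provider verifies nothing unless the receiver runs the identical scheme, that provisioning alone leaves the user with no usable password until a separate one is set (option 1), and how the redirect to the IdP for a signed assertion avoids that (option 2). Class names, PBKDF2 parameters, usernames, passwords and the HMAC-signed JSON "assertion" are all assumptions for illustration; real SAML assertions are XML signed with the IdP's private key, and the shared HMAC key only stands in for that.

```python
"""Added example, not code from the original post or from Apple, Microsoft or
Google. Toy model of (1) why a password hash cannot be synced between identity
providers and (2) the 'provisioning only' vs 'provisioning + SAML' options.
All names, parameters and the HMAC-signed JSON assertion are assumptions;
real SAML uses XML assertions signed with the IdP's private key."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time


def stretch(password, salt, iterations):
    """Salted, iterated one-way function: the plaintext cannot be recovered from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class IdentityProvider:
    """Keeps per-user (salt, hash) only; the plaintext is never stored."""
    def __init__(self, name, iterations):
        self.name, self.iterations, self.users = name, iterations, {}
        self.signing_key = secrets.token_bytes(32)  # stand-in for a signing certificate

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, stretch(password, salt, self.iterations))

    def verify(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, stretch(password, salt, self.iterations))

    def issue_assertion(self, user, password, audience):
        """IdP side of the redirect: check the password, return a signed claim set."""
        if not self.verify(user, password):
            return None
        claims = {"iss": self.name, "sub": user, "aud": audience, "iat": int(time.time())}
        body = json.dumps(claims, sort_keys=True).encode("utf-8")
        sig = hmac.new(self.signing_key, body, "sha256").digest()
        return base64.urlsafe_b64encode(body) + b"." + base64.urlsafe_b64encode(sig)


class ServiceProvider:
    """The Apple-like side: provisioned from the IdP, no access to its hashes."""
    def __init__(self, name, idp):
        self.name, self.idp, self.provisioned = name, idp, set()
        self.local = IdentityProvider(name, iterations=100_000)  # option 1 password store

    def provision(self):
        # A provisioning feed carries identities (users, groups), never credentials.
        self.provisioned = set(self.idp.users)

    def local_login(self, user, password):
        """Option 1: only works once a password was set separately in the SP."""
        return user in self.provisioned and self.local.verify(user, password)

    def federated_login(self, user, password):
        """Option 2: bounce to the IdP, accept only an assertion addressed to us."""
        if user not in self.provisioned:
            return False
        token = self.idp.issue_assertion(user, password, audience=self.name)
        return token is not None and self.accept_assertion(token, user)

    def accept_assertion(self, token, expected_user):
        body_b64, sig_b64 = token.split(b".")
        body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
        if not hmac.compare_digest(sig, hmac.new(self.idp.signing_key, body, "sha256").digest()):
            return False
        c = json.loads(body)
        return c["iss"] == self.idp.name and c["aud"] == self.name and c["sub"] == expected_user


def copied_hash_verifies(src, dst_iterations, user, password):
    """Copy (salt, hash) verbatim into a store that may use other parameters."""
    dst = IdentityProvider("other-idp", iterations=dst_iterations)
    dst.users[user] = src.users[user]
    return dst.verify(user, password)


def demo():
    idp = IdentityProvider("cloud-idp", iterations=50_000)  # constructed IdP and user
    idp.set_password("alice", "correct horse battery")
    sp = ServiceProvider("apple-side", idp)
    sp.provision()
    r = {"local_login_before_separate_password": sp.local_login("alice", "correct horse battery")}
    sp.local.set_password("alice", "a second password")  # option 1: the user sets another one
    r["local_login_with_separate_password"] = sp.local_login("alice", "a second password")
    r["federated_login_correct"] = sp.federated_login("alice", "correct horse battery")
    r["federated_login_wrong"] = sp.federated_login("alice", "nope")
    r["copied_hash_same_params"] = copied_hash_verifies(idp, 50_000, "alice", "correct horse battery")
    r["copied_hash_other_params"] = copied_hash_verifies(idp, 100_000, "alice", "correct horse battery")
    other = idp.issue_assertion("alice", "correct horse battery", audience="some-other-sp")
    r["assertion_for_other_audience"] = sp.accept_assertion(other, "alice")
    return r
```

Running `demo()` gives `False` for the local login before a separate password exists and `True` once one is set (option 1's second password), `True`/`False` for the federated login with the right and wrong password (option 2), and `False` when an assertion issued for another audience is presented. The copied-hash cases show the nuance behind the Azure AD link: a verbatim copy of salt and hash verifies only when the destination runs the identical algorithm and parameters, which is what a purpose-built one-way scheme like Azure AD's password hash sync relies on; under any other parameters it verifies nothing, and in neither case does the recipient ever learn the password.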
Links
Azure AD password hash synchronization - https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-hash-synchronization