Apple SSO Overview apple-sso-overview
Introduction Introduction
Apple provides an API which allows people to sign in to their TV provider account at the device system level, eliminating the need to authenticate on an app-by-app basis.
Hence, Apple and Adobe Pass Authentication partnered to create the platform Single Sign-On (SSO) user experience in the TV Everywhere ecosystem for iPhone, iPad and Apple TV owners.
In order to benefit from the Single Sign-On (SSO) user experience on an Apple device, there is a list of prerequisites which must be completed.
Prerequisites Prerequisites
Prerequisite may apply to one or multiple entities involved in the TVE business, such as Programmers, MVPDs, Adobe Pass Authentication or Apple.
Programmer Programmer
In order to benefit from the Single Sign-On (SSO) user experience, one Programmer must:
-
Use at least Xcode version 8 and iOS/tvOS version 10.
-
Have the Video Subscriber Single Sign-On Entitlement configured to their Apple Developer Account. Please contact Apple to enable Video Subscriber Account framework for your Apple Team ID.
-
Enable Single Sign-On (YES) for each desired integration (Channel x MVPD) and desired platform (iOS / tvOS) through the Adobe Primetime TVE Dashboard.
-
Integrate the Apple SSO workflows using one of the following two solutions offered by Adobe Pass Authentication team:
-
The Adobe Pass Authentication REST API can support platform Single Sign-On (SSO) authentication for end users of client applications running on iOS, iPadOS or tvOS. Please see also Apple SSO Cookbook (REST API).
-
The Adobe Pass Authentication AccessEnabler iOS/tvOS SDK can support platform Single Sign-On (SSO) authentication for end users of client applications running on iOS, iPadOS or tvOS. Please see also Apple SSO Cookbook (iOS/tvOS SDK).
-
Pro Tip: In order to have access to the user’s subscription information, the user must give the application permission to proceed, similar to providing access to the device’s camera or microphone. This permission must be requested per application and the device will save the user’s selection. Please bear in mind that the user can change its decision by going to the application settings (TV Provider permission access) or to the section from
Settings -> TV Provider
on iOS/iPadOS orSettings -> Accounts -> TV Provider
on tvOS. -
Pro Tip: We recommend requesting the user’s permission when the application enters the foreground state, but it is only a suggestion, because the application can check for permission to access the user’s subscription information at any point before requiring user authentication. Also, the AccessEnabler iOS/tvOS SDK APIs will automatically request the user’s permission when needing it.
-
Pro Tip: We recommend incentivizing users who refuse to give permission to access subscription information by explaining the benefits of the Single Sign-On (SSO) user experience. Please bear in mind that the user can change its decision by going to the application settings (TV Provider permission access) or to the section from
Settings -> TV Provider
on iOS/iPadOS orSettings -> Accounts -> TV Provider
on tvOS.
-
The result should create an experience in line with the following user flows, which we suggest you consult before you start developing your application/s:
- iPhone / iPad user flows
- Apple TV user flows
MVPD MVPD
In order to benefit from the Single Sign-On (SSO) user experience, one
MVPD must:
- Be onboarded into the Apple SSO workflow on Apple’s side. Please contact Apple to facilitate the onboarding process.
- Provide a JavaScript TVML application capable of handling the user login form. Please contact Apple to receive proper documentation.
- Provide a string value representing the provider identifier assigned by Apple during the onboarding process. Please contact Adobe Pass Authentication to perform configuration changes.
FAQ FAQ
-
In case something goes wrong with the Apple SSO workflow, can the application using the AccessEnabler iOS/tvOS SDK have the ability to fallback to regular authentication flow?
- This is possible but requires a configuration change being performed on the Adobe Primetime TVE Dashboard. The Enable Single Sign-On must be set on NO for the desired integration (Channel x MVPD) and desired platform (iOS/tvOS).
- The application would acknowledge the configuration change only after calling setRequestor API in case it is using the AccessEnabler iOS/tvOS SDK.
-
Will the application know when an authentication has happened as a result of a sign-in through the platform SSO on another device or another application?
- This information will not be available.
-
Will the application know when an authentication has happened as a result of a sign-in through the platform SSO on the same device?
- This information is available as part of the user metadata key: tokenSource, which should return the string value: “Apple” in this case.
-
What happens if a user signs-in by going to the
Settings -> TV Provider
on iOS/iPadOS orSettings -> Accounts -> TV Provider
on tvOS section using an MVPD which is not integrated with the application?- When the user launches the application, the user won’t be authenticated via the Apple SSO workflow. Therefore, the application would have to fallback to regular authentication flow and present its own MVPD picker.
-
What happens if a user signs-in by going to the
Settings -> TV Provider
on iOS/iPadOS orSettings -> Accounts -> TV Provider
on tvOS section using an MVPD which has the Enable Single Sign-On set on NO on the Adobe Primetime TVE Dashboard for iOS/tvOS platform?- When the user launches the application, the user won’t be authenticated via the Apple SSO workflow. Therefore, the application would have to fallback to regular authentication flow and present its own MVPD picker.
-
What happens if a user has an MVPD which is not onboarded (not supported) by Apple, but it is present in the Apple picker?
- When the user launches the application, the user will only select the MVPD via the Apple SSO workflow without completing the authentication flow. Therefore, the application would have to fallback to regular authentication flow, but could use the already selected MVPD.
-
What happens if a user has an MVPD which is not onboarded (not supported) by Apple?
- When the user launches the application, the user will select the “Other TV Providers” picker option via the Apple SSO workflow. Therefore, the application would have to fallback to regular authentication flow and present its own MVPD picker.
-
What happens if a user has an MVPD which is degraded through the medium of Adobe Primetime TVE Dashboard?
- When the user launches the application, the user will be authenticated via the degradation mechanism and not via the Apple SSO workflow.
- The experience should be seamless for the user, while the application will be informed through the N010 warning code in case it is using the AccessEnabler iOS/tvOS SDK.
-
Will the MVPD user ID change between Apple SSO and non-Apple SSO authentication flow?
- The expectation is that the user ID will not change, but it needs to be verified for each selected provider.
-
Will there be any change to the authentication TTLs?
- Adobe Pass Authentication will continue to respect the TTLs required by the Programmers for their integration with each MVPD.
- When navigating from one Programmer application to another Programmer application through Apple SSO, the second application will have the TTL of its corresponding Programmer x MVPD integration (it won’t share the TTL of the first application that authenticates)