Call us at 507.319.5206 or This email address is being protected from spambots. You need JavaScript enabled to view it.
Follow us on LinkedIn and Twitter

How to Configure Apple iPad for SSO

Recently a customer told me that some of their users access the IBM i internally with iPads through the Safari browser talking to the Apache Web server.  Even though the Web server application is configured to accept Kerberos, the iPad users were still being prompted for their IBM i userID and password. The customer asked if I could help them enable SSO on the users’ iPads.

The answer was YES! iPads can support SSO, and it’s not difficult to configure.

Before describing how, let’s first discuss why iPads require further configuration to support single sign-on.

The Source of the Problem

SSO in a Windows domain environment is based on the Kerberos authentication protocol.

When a user at a workstation logs into the Windows domain, they are really requesting a Kerberos Ticket-Granting-Ticket (TGT).

Kerberized applications (i.e., applications that can use Kerberos authentication) use a different kind of Kerberos ticket — a service ticket (ST) — to authenticate the user to a remote system interface.  At the time the application connects to the remote system, it requests an ST for the current user to the specific Kerberos service on the remote system. ST requests must be accompanied by the user’s TGT that was received as part of the initial Windows domain logon.

Therein lies the problem.  The person using the iPad has not authenticated to the Windows domain. So, there is no TGT for which a Kerberos ST can be requested. If the Web application is configured to accept only Kerberos, there is no way to connect to that particular URL from the iPad.

If the Web application is configured to accept Kerberos or Passwords, the iPad user will be prompted to enter their IBM i user profile password. Either way, this is an issue if you want to eliminate the need for iPad users to enter their IBM i user profile password.

The Solution

If your organization has a Mobile Device Management (MDM) solution, then you should be able to use it to configure Safari on iPads to use SSO.

But what do you do if you don’t have an expensive MDM?

The solution is surprisingly simple:

  1. Construct a “mobileconfig” XML file and name it with a “.mobileconfig” extension.
    This is called a mobile device profile.
  2. Email it to a userID that can receive the email on the iPad.
  3. Open the email, select the attached “.mobileconfig” file.
  4. Accept the security checks.

You can find a template mobileconfig file here.  There are a couple of places in the XML file, delimited by ’{‘ and ‘}’,  which you will need to change to your company-specific information (e.g., company name, Kerberos realm / Windows domain name, URL hostname).  You also need to fill in two Globally Unique Identifiers (GUIDs)Here’s a web site that will generate these for you.

When you open the attachment on the device, you’ll get a couple of security warnings.  Accept these.  While installing the profile, the user will be prompted to enter a “principal name” for the specified realm / domain.  This should be the user’s Windows userID.

Now when the user points Safari at any Kerberos-enabled URL on the specified IBM i(s) for the first time, they will be prompted for their Windows domain userID and password. After the first time, and until the TGT timeout – roughly three-and-a-half days – they will no longer be prompted for their Windows userID.

Kerberizing an internal Apache Web server application that currently uses the Web server to authenticate users is merely a matter of changing the Apache configuration for the application. If your application currently implements form authentication, some changes will be required to provide a version of the application that bypasses form authentication.

So, if you’re looking to enable SSO for iPads in your network, give this a try. It is simple and easy to do on your own. Of course, existing SSO stat! customers can just give us a call and we’ll get you up and running, stat!


This entry was posted in Password Management, Single Sign-On (SSO) and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>