Seamless SSO with ZApp on iOS and Azure AD as IdP


We are currently doing a Proof-of-Value with ZPA and ZIA, focusing on iOS devices for now.
We use our Azure AD as the IdP. Manual sign-on works in ZApp.
Our devices are enrolled in Intune. For O365 apps (Outlook, OneDrive, …) we use the Microsoft Authenticator app to provide cross-app SSO (sign in once, access all O365 apps without additional login).

Our expectation is that ZApp also connects to the Authenticator app and uses the same existing, valid token. This is not happening. The user has to open ZApp and authenticate to Azure AD once more.

Any ideas?

I think ZApp would need to include the ADAL/MSAL libraries to support “broker-assisted single sign-on”.
(Android / iOS docs)
Or is there anything we can do with mobile app config?
We had a lead with the Apple Kerberos SSO extension. But our devices are internet-only (never on the corporate network), so they don’t have line of sight to the Domain Controller / KDC. So that won’t work.

Kind regards,
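
For anyone reading this later: the “broker-assisted SSO” mentioned above is what an iOS app gets when it links MSAL and lets Authenticator (or Company Portal) act as the broker. The sketch below is an added illustration, not Zscaler’s code and not anything from this thread; it shows the order of operations an app has to follow to reuse the broker’s existing session instead of prompting again. The client ID, bundle ID, scopes and the `BrokeredSignIn` class are assumptions made up for the example.

```swift
// Added example (hypothetical app, not Zscaler Client Connector): MSAL broker-assisted SSO on iOS.
// Assumptions invented for this example: bundle id com.example.ssodemo, a placeholder Azure AD
// client id, the tenant-agnostic "common" authority and the User.Read scope.
//
// Prerequisites outside the code (Info.plist / entitlements), otherwise MSAL silently falls back
// to a non-brokered flow and you get exactly the "sign in again" behaviour described in the post:
//   CFBundleURLSchemes      : msauth.com.example.ssodemo      (broker redirect scheme)
//   LSApplicationQueriesSchemes : msauthv2, msauthv3          (lets the app detect the broker)
//   Keychain access group   : com.microsoft.adalcache         (shared token cache)
//   Azure AD app registration redirect URI: msauth.com.example.ssodemo://auth
import UIKit
import MSAL

final class BrokeredSignIn {
    // Placeholder values; replace with your own registration (assumption, not from the thread).
    private let clientId = "00000000-0000-0000-0000-000000000000"
    private let redirectUri = "msauth.com.example.ssodemo://auth"
    private let authorityUrl = "https://login.microsoftonline.com/common"
    private let scopes = ["User.Read"]

    private let app: MSALPublicClientApplication

    init() throws {
        let authority = try MSALAADAuthority(url: URL(string: authorityUrl)!)
        let config = MSALPublicClientApplicationConfig(clientId: clientId,
                                                       redirectUri: redirectUri,
                                                       authority: authority)
        app = try MSALPublicClientApplication(configuration: config)
    }

    /// Silent first: if the broker already holds an account for this tenant, the token comes
    /// back with no UI. Only when MSAL reports interactionRequired do we prompt, and even then
    /// the prompt is rendered by the broker app, which can reuse its own session.
    func signIn(presenting viewController: UIViewController,
                completion: @escaping (Result<String, Error>) -> Void) {
        guard let account = (try? app.allAccounts())?.first else {
            acquireInteractive(presenting: viewController, completion: completion)
            return
        }
        let silentParams = MSALSilentTokenParameters(scopes: scopes, account: account)
        app.acquireTokenSilent(with: silentParams) { result, error in
            if let result = result {
                completion(.success(result.accessToken))
                return
            }
            let nsError = error as NSError?
            if let nsError = nsError,
               nsError.domain == MSALErrorDomain,
               nsError.code == MSALError.interactionRequired.rawValue {
                // Refresh token expired/revoked or a policy (e.g. MFA) needs user interaction.
                self.acquireInteractive(presenting: viewController, completion: completion)
            } else {
                completion(.failure(nsError ?? NSError(domain: MSALErrorDomain, code: -1)))
            }
        }
    }

    private func acquireInteractive(presenting viewController: UIViewController,
                                    completion: @escaping (Result<String, Error>) -> Void) {
        let webParams = MSALWebviewParameters(authPresentationViewController: viewController)
        let params = MSALInteractiveTokenParameters(scopes: scopes, webviewParameters: webParams)
        params.promptType = .selectAccount
        app.acquireToken(with: params) { result, error in
            if let result = result {
                completion(.success(result.accessToken))
            } else {
                completion(.failure(error ?? NSError(domain: MSALErrorDomain, code: -1)))
            }
        }
    }
}

// The broker hands control back through the msauth.<bundle-id> URL scheme; without this
// callback the interactive flow never completes.
extension AppDelegate {
    func application(_ application: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        return MSALPublicClientApplication.handleMSALResponse(
            url, sourceApplication: options[.sourceApplication] as? String)
    }
}
```

The point for the question above: the shared cache and the broker hand-off only exist for apps that link MSAL and declare the broker scheme and keychain group. An app that authenticates Azure AD users through its own web view, as the original poster observed with manual sign-on, has no way to see the Authenticator session, so no mobile app configuration on the Intune side can bridge that gap on its own.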

Hi Thomas!

As you know, we’ve already followed up over email for this. But I’ll add the comment here for anyone that finds this post.

We are currently working on implementing an integration with the Intune SDK which would allow for this type of SSO. As Thomas also mentioned above, for iOS devices you can use Apple’s built-in SSO function from your MDM, but this does require connectivity for Kerberos.

I’ll update this post when this feature is implemented.