Documentation Adobe Pass Adobe Pass Authentication

Single Sign-On Support

Last update: Mon Sep 18 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

Topics:
Authentication

NOTE

The content on this page is provided for information purposes only. Usage of this API requires a current license from Adobe. No unauthorized use is permitted.

Overview overview-sso-support

This document describes the types of Single Sign On supported and powered by Adobe Pass Authentication on different platforms. The scope of this document is to shed light into what’s supported and what’s not, what is the MVPD coverage for each SSO method and what is required from the Programmers to be able to benefit from SSO on each platform.

After a user logs in with their MVPD credentials, Adobe Pass Authentication generates a secure token that represents the MVPD’s Authentication session, and binds that token to the user’s device using a Device ID. Adobe Pass Authentication stores the token / Device ID either on a server or on the device. This allows users to enter their credentials less frequently while keeping transactions secure.

NOTE

SSO workflows are part of the Premium Workflow package. Please contact your Adobe Pass sales rep if interested in using this functionality.

Current status for SSO on various platforms current-sso-status-platforms

Platform / Device

SSO support

SSO type

MVPD coverage

Notes

Web (JavaScript)

Yes

Shared authentication token (Adobe SSO)

All

No cross-browser SSO Please follow the instructions in the Programmer Integration Guide for JavaScript. Upon following the instructions, SSO is enabled by default. Enabling Authentication per Requestor breaks SSO

iOS

Yes

Platform SSO - token exchange

Depending on Apple support - the list is here

From iOS 10, Apple & Adobe introduced SSO functionality for participating Programmers and MVPDs. By using the latest Adobe iOS SDK or by using Adobe’s Clientless REST API and implementing the Apple SSO functionality you can benefit from SSO on iOS devices. More details on SDK implementation here and more details on Clientless implementation here. Extra notes: - If you don’t want to use Apple SSO you can still have a limited SSO between apps of the same vendor (same bundle ID) that can share storage and an ID (IDFV) - so SSO is limited only to the apps of the same vendor.

Android

Yes

Shared authentication token (Adobe SSO)

All

If the user does not accept the WRITE_EXTERNAL_STORAGE permission request, the library will use a local sandboxed storage. The implication in this case is that there will be no SSO between different applications when using the local storage.

tvOS - new Apple TV

Yes

Platform SSO - token exchange

Depending on Apple support - the list is here

From tvOS 10, Apple & Adobe introduced SSO functionality for participating Programmers and MVPDs. By using the latest Adobe tvOS SDK or by using Adobe’s Clientless REST API and implementing the Apple SSO functionality you can benefit from SSO on tvOS devices. More details on tvOS SDK: here and here and more details on Clientless implementation here.

Roku

Yes

Shared authentication token (Adobe SSO)

Significant coverage full list to be provided soon.

Roku SSO works out of the box with the Clientless API for all customers respecting Roku guidelines, no special implementation required. SSO is based on device identification information that Roku is securely sending to Adobe.

Amazon FireTV

Yes

Shared authentication token (Adobe SSO)

Significant coverage full list to be provided soon.

FireTV SDK provides support for Single Sign On based on Android capabilities. The SSO on this platform is possible only between apps that are using Adobe FireTV SDK for now. More info about the new FireTV SDK here. FireTV apps implemented on top of Clientless API will be able to benefit from SSO by EOY 2018.

Xbox 360

There is no Device ID we can leverage. There is an App ID, so users don’t have to authenticate every time.

Xbox One

There is no Device ID we can leverage. There is an App ID, so users don’t have to authenticate every time.

Windows 8/10

There is no Device ID we can leverage. There is an App ID, so users don’t have to authenticate every time.

Samsung TVs

There is no Device ID we can leverage. There is an App ID, so users don’t have to authenticate every time.

Notes on Xbox 360 and Xbox One notes-xbox-360

Xbox 360- Xbox 360 relies on the Live Service to provide the token that embeds the deviceID. The Live Service layers in the appID value for deviceID, making it scoped only to the app. For Xbox 360, Microsoft provided Adobe a Java library to help with parsing the token.
Xbox One- A JSON web token will be issued that is encrypted with the publisher’s cert/key and signed by Microsoft. Adobe extracts the deviceID from a parameter called DPI (Device Pairwise ID), different from the Xbox 360 parameter PDID (Partner Device ID). PDID exists also in Xbox One but is meant to be replaced by this new parameter “Device Pairwise ID” (DPI).

Disabling SSO disable-sso

In certain situations some apps or sites will want to disable SSO to satisfy advanced business cases.

For JS and native SDKs - The Adobe Pass Authentication support team can disable SSO for a Requestor ID / MVPD pair. No work is needed on sites or in native apps. Once SSO is disabled by the Adobe Pass Authentication support team, authentications performed using the specified RequestorId / MVPD pair will not be shared with sites or apps using different Requestor IDs. In addition, existing authentications with different Requestor IDs will not be valid for the Requestor ID / MVPD combination in which SSO was disabled. Technically, SSO disabling is accomplished by binding the AuthN token to the specific Requestor ID / MVPD combination.
For Clientless API - You can disable SSO in the Clientless authentication flow by specifying a non-empty appId parameter in the REST calls. You can use any string as the value, as long as that string is unique for the Requestor ID. Note that for the Clientless API, the programmer / impementor must change the site or app to add this requestor-specific parameter.

IMPORTANT

IMPORTANT NOTE FOR CLIENTLESS API SSO: Some MVPDs require that each network (requestor ID) performs its own authentication flow. For the SDK based flows (iOS etc), this is handled automatically by the SDK. However, for the Clientless APIs this needs to be handled by the Programmer. We strongly advise Programmers not to enable SSO flows for Clientless APIs at this point and instead use a device ID + app ID combination for device ID. Adobe will also work on improving the Clientless API flows so that proper SSO can be established.

Logout logout-sso-support

Programmers need to be aware that the “Logout” action in the context of Single Sign-On, when performed in one app/on one site, will delete all tokens on the device and the user will be logged out across apps/sites.

If SSO conditions are met (whether or not SSO is enabled or disabled), Logout will be performed and it will delete all authentication and authorization information.

recommendation-more-help

3f5e655c-af63-48cc-9769-2b6803cc5f4b