Perspective iOS app always launches Safari when using a third-party IdP

We're currently using a third-party IdP (Entra) and it is working correctly. However, on iOS devices, when launching the Perspective app and clicking "Continue to Log in", it then says '"Ignition Perspective" Wants to Use "companyname.global" to Sign In' and redirects the authentication to the Safari browser. Our company has a policy to only pass internal domain URLs (like companyname.global) through an on-demand VPN (the Perspective app is configured with a policy to also connect through an on-demand VPN) and open in the Edge browser only. This causes the authentication to fail when Safari tries to resolve the server URL. If I click the failure message in Safari and then "Open in Microsoft Edge" and go back to the iOS Perspective app and wait a few seconds, it will authenticate and work properly.
I have tried setting the default browser on the iPhone to Edge and the iOS Perspective app still tries to launch Safari, which causes the "page cannot be displayed" error.

Is there a way to force the iOS Perspective app to use Edge during IdP logins?

Or any other suggestions?

For starters, make sure you're using the latest version of the app. See: Ignition Perspective Mobile App Changelog.

There are some AppConfig settings in the later versions that your iOS AppConfig management team can tweak, specifically:

  • ephemeral_auth_sessions
  • internal_webview_auth

Unsure if the Internal WebView option would work for you, but it is the most appropriate option for external IdP auth (my opinion - note the caution on the changelog page).

The AppConfig team should be able to reference the Ignition Perspective iOS App - AppConfig XML provided on the Ignition Extras page for insight.

Thank you, that's great info.
Based on the caution "Note that this should not be used unless it is the only way to perform auth" and "Some Identity Providers do not allow this and authentication may fail.", do you know if setting internal_webview_auth to true will break the Ignition Internal IdP?

Internal IdP shouldn't utilize WebView, so this setting should have no impact there.

I wanted to update everyone because this was a huge learning curve for me and hope it helps someone else. Evidently different MDMs use different formats of AppConfig to configure iOS applications. And some MDMs have even more specific requirements in how they parse the AppConfig and keys.

Microsoft Intune and SOTI MobiControl:

<dict>
<key>internal_webview_auth</key>
<true/>  
</dict>

SimpleMDM:

<plist>
<dict>
<key>internal_webview_auth</key>
<true/>  
</dict>
</plist>

Those were the three MDMs I tested. None of them supported the format of Ignition Perspective iOS App - AppConfig XML but I'm sure there are some that do since it appears to follow the AppConfig XML v3 spec.

The handling of arrays is different on the platforms I tested so here is an example (remove the plist keys if using Intune):

<plist>
<dict>
<key>initial_gateway_urls</key>
<array>
<string>https://testserver1.company.com:8043</string>
<string>https://testserver23.othercompany.com:8043</string>
</array>
</dict>
</plist>

Oh, and the internal_webview_auth key set to true worked perfectly with keeping the IdP redirect inside of the app instead of launching Safari. So now Entra IdP and SSO are working for us.

3 Likes
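
The wrapper difference described in the post above, as an added example that is not part of the original thread or of Inductive Automation's tooling: a Python sketch that renders one settings dict in the form each tested MDM accepted, reads either form back, and flags a non-boolean or enabled `internal_webview_auth` for review. The function names, the MDM lookup table and the sample hostname are assumptions made for illustration.

```python
import plistlib

# Whether each MDM accepted the <plist> wrapper, as reported in the post above
# (the poster's test results, not vendor documentation).
NEEDS_PLIST_WRAPPER = {"intune": False, "soti": False, "simplemdm": True}


def render_appconfig(settings: dict, mdm: str) -> str:
    """Render settings as the XML fragment the named MDM accepted."""
    if not settings:
        raise ValueError("settings must contain at least one key")
    xml = plistlib.dumps(settings, sort_keys=False).decode("utf-8")
    # plistlib writes a full document; keep only the top-level <dict>.
    body = xml[xml.index("<dict>"):xml.rindex("</dict>") + len("</dict>")]
    if NEEDS_PLIST_WRAPPER[mdm.lower()]:
        return "<plist>\n" + body + "\n</plist>"
    return body


def parse_appconfig(fragment: str) -> dict:
    """Read either form back into a dict, preserving value types."""
    text = fragment.strip()
    if not text.startswith("<plist"):
        text = "<plist>" + text + "</plist>"
    return plistlib.loads(text.encode("utf-8"), fmt=plistlib.FMT_XML)


def audit_appconfig(fragment: str) -> list:
    """Return review findings for a payload before it is pushed to devices."""
    cfg, findings = parse_appconfig(fragment), []
    flag = cfg.get("internal_webview_auth")
    if flag is not None and not isinstance(flag, bool):
        findings.append("internal_webview_auth is not a boolean (<true/> or <false/>)")
    elif flag is True:
        findings.append("internal_webview_auth enabled: see the changelog caution")
    urls = cfg.get("initial_gateway_urls", [])
    if not isinstance(urls, list) or not all(isinstance(u, str) for u in urls):
        findings.append("initial_gateway_urls is not an <array> of <string>")
    return findings


# Constructed sample values; the hostname is a placeholder.
SAMPLE = {"internal_webview_auth": True,
          "initial_gateway_urls": ["https://gateway.example.com:8043"]}

if __name__ == "__main__":
    for mdm in NEEDS_PLIST_WRAPPER:
        print(f"--- {mdm} ---\n{render_appconfig(SAMPLE, mdm)}")
```
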

:+1: Glad you were able to make some headway!

This matches my experience as well. A client of mine uses Workspace ONE. Little could be migrated from the AppConfig XML provided by Ignition, but it did offer some good insight (as to available key-value pairs, etc.).
Thanks for sharing details of your findings!

2 Likes