Create OneSign profiles for iOS

Created: Modified: Checkout

iOS apps require a profile to feed usernames and passwords from Imprivata OneSign. This is similar to all other apps in the OneSign system. OneSign’s method for creating profiles with the Application Profile Generator (APG) does not work for mobile applications, therefore a new method is required in order to achieve the same results.

Profiles are simple XML documents. With iOS, the profiles follow this template. You can download this Sample iOS Profile.xml, just unzip first before editing.

<SSO>
    <global verCreate="6.0" verLastMod="6.0"/>
        <app nm="APP_DOMAIN_HERE" desc="APP_NAME_HERE" profileType="2" appType="0">
            <env type="200" nm="iOS">
                <scn nm="" auto="0" dgs="1">
                    <ctl var="USR"/>
                    <ctl var="PWD"/>
                </scn>
            </env>
        </app>
    <containers/>
</SSO>

You will only need to modify two areas of the profile:

  1. app nm = enter the application’s domain here
  2. desc: enter the name of the app here

Leave everything the same.

APP_DOMAIN_HERE is a hostname, associated with apps. Some apps do not provide a domain. If an app does not provide a domain, this should have the same name as the APP_NAME_HERE field

APP_NAME_HERE is a human-readable string to describe the app. We recommend using something short, like “Rover” or “Epic Rover” here.

These credentials are used in two different ways by Imprivata Locker, depending on whether the app you are logging into provides a domain to Locker or not.

Apps with domains

If the app is built to provide an App Domain, the credential appears in the QuickType bar above the keyboard, for 1-tap AutoFill.

  • Websites using HTTPS always provide a domain
  • Apps built with an Associated Domain provide a domain
Apps without domains

If the app does not provide an App Domain, the credential is still available within a list of credentials using 2-tap AutoFill. Users must first tap the word “Passwords” in the QuickType bar to reach the credentials.

Discovering the App Domain

You can find whether an app provides a domain or not, and what the domain is, using Imprivata’s tool AutoFill Discovery. To use AutoFill Discovery:

  1. Download and install the app from the app store: https://apps.apple.com/us/app/autofill-discovery/id1565246982
  2. Launch the application
  3. Enable Imprivata as the AutoFill provider. On the device:
    • Go to Settings > Passwords > AutoFill Passwords
    • Allow Filling from AutoFill Discovery
    • Disallow Filling from Keychain and all other applications
    • Return to AutoFill Discovery app
    • You are now ready to test a 3rd party app for Password AutoFill support
  4. Launch an app you would like to test
  5. Within that app, navigate to a credential entry screen
  6. After the keyboard is shown, select “Passwords” in the QuickType Bar above the keyboard
  7. Review your results, noting the associated domain if available

Example: Epic Rover

Rover does not have an associate domain, so the profile is simple:

<SSO>
    <global verCreate="6.0" verLastMod="6.0"/>
        <app nm="Epic Rover" desc="Epic Rover" profileType="2" appType="0">
            <env type="200" nm="iOS">
                <scn nm="" auto="0" dgs="1">
                    <ctl var="USR"/>
                    <ctl var="PWD"/>
                </scn>
            </env>
        </app>
    <containers/>
</SSO>
Uploading the Profile to the Imprivata OneSign appliance

Once the profile has been created, it must be uploaded to the appliance.

  1. Launch the admin console
  2. In the OneSign Admin Console, navigate to Applications> Single sign-on application profiles
  3. Click Add App Profile> Import from file…. Import XML profile
  4. Upload the .xml containing your application profile
Deploying the application profile and sharing credentials

Once the profile has been uploaded to the appliance, it must be deployed to your end users and configured to know what credentials to use for that application. To deploy application profiles and configure credential sharing, the behavior is the same as all other OneSign profile types. Detailed instructions can be found on the Imprivata Support and Learning Center: