

Federated Authentication Links Apple School Manager With AzureAD

As I have blogged about many times before, identity is key to setting up a school successfully to enable seamless single sign on (SSO) into the wide variety of digital tools used in the modern classroom.

This morning the awesome David Colville (who largely authored this five-part series on managing iPads with Intune) tipped me off to a new addition to Apple School Manager that allows for federated authentication of Managed Apple IDs using Azure Active Directory (AzureAD).

Read the Apple documentation here.

As a starting point, you do need to understand what Federation means in this context, so a helpful explanation from Wikipedia is:

A federated identity in information technology is the means of linking a person’s electronic identity and attributes, stored across multiple distinct identity management systems.

Federated identity is related to single sign-on (SSO), in which a user’s single authentication ticket, or token, is trusted across multiple IT systems or even organizations. SSO is a subset of federated identity management, as it relates only to authentication and is understood on the level of technical interoperability, and it would not be possible without some sort of federation.

What does this actually mean?

[Image: Apple Federated]

As per the explanation from Apple’s documentation:

You use federated authentication to link Apple School Manager to your instance of Microsoft Azure Active Directory (AD). As a result, your users can leverage their Microsoft Azure AD user names and passwords as Managed Apple IDs. They can then use their Microsoft Azure AD credentials to sign in to their assigned iPad or Mac and even iCloud on the web. Students can also use it to sign in on Shared iPad.

In practice, this means students sign in to their Apple devices with the single username and password they already have in AzureAD, which is simple for students and makes identity easy for IT staff to manage. It also means the AzureAD account is now the credential for the device, so the strength of that account’s protection determines who can sign in to the device.

According to the documentation, when you federate Apple School Manager with AzureAD, Managed Apple IDs are created automatically, allowing users to sign in to their Apple devices with their school email address and password.

What Is Required To Federate?

There are four main steps to link Apple School Manager to Microsoft Azure AD:

  1. Start the federated authentication process.
  2. Connect to your identity provider by linking Apple School Manager to Microsoft Azure AD.
  3. Verify your Azure AD domain ownership.
  4. Turn on and test federated authentication.

The full technical step-by-step guide to configuring this is available in Apple’s documentation here, and I encourage you to check it out.

My Thoughts:

I have been travelling extensively across Asia and New Zealand recently, but the consistent conversation that emerges is how important it is for schools to get their cloud identity sorted early on, to unlock the almost limitless resources available on the internet.

Increasingly, there is interoperability between major cloud platforms through federated domains and single sign-on. AzureAD is widely supported and provides a simple way for schools to access the resources they need.