Post

Replies

Boosts

Views

Activity

Reply to Recommendation for Authentication for the Enterprise with Identity Provider.
Thanks, those seem to be some great pointers to look into further. For setting up the SSO extension, did you find any other Apple documentation that helped you configure and debug it? On the cookies subject: did you get any meaningful instructions from Apple that revolve around storing the refresh token this way? For Intune, we did manage to see some Entra ID behavior around the SSO extension, but as this is Microsoft I expect the configuration to be easy. Did you find the same with Ping (as you say, 'supported out of the box')? Unfortunately, I could not manage to get this tested. The SSO extension is pushed to my test device, but it's unclear what details I need to provide. I believe only the domains of the identity provider are specified here. To conclude, I'm hoping to get some more guidance on this implementation. Even Omnissa and Ping are actually not able to offer much support on this, so I was hoping Apple has some more documentation to look into. But for sure this is food for thought!
Topic: General; SubTopic: Authentication Q&A
4h
Reply to Recommendation for Authentication for the Enterprise with Identity Provider.
To elucidate, we've implemented login now with ASWebAuthenticationSession. Our custom framework deals with obtaining the access token/ID token etc. once it receives the authorization code from ASWebAuthenticationSession. We stopped using UIWebView/WKWebView some time ago, as there were also some CVE restrictions as I recall. Also, once we implement the SSO behavior for this identity provider, we want to grant a longer session lifetime once a device is managed by our MDM. A few years ago I did a sample as well that used (yet another) certificate, which the app could present to a website (using mTLS). We noticed a popup from Apple showing up, asking the user for permission and to select a given certificate. Can you tell if a default option can be set, so the user is not confronted with this popup anymore and device integrity can be checked proactively?
Topic: General; SubTopic: Authentication Q&A
5h
Reply to Recommendation for Authentication for the Enterprise with Identity Provider.
Thanks for the reply. We are using Ping at this moment and are in a project to move to PingOne (instead of on-prem). For the MDM provider, we make use of Workspace ONE from Omnissa, but there's a running project to move to Intune. Great to have multiple transitions at the same time.... The ASWebAuthenticationSession option is working for us once 'persistent cookies' are enabled. But once only session cookies are allowed, the SSO experience is not given. Can you tell why that's the case? Also, is there any resource available that explains how to set up the SSO extension on the MDM side, and how would it change the experience compared to what we have now (with just ASWebAuthenticationSession)?
Topic: General; SubTopic: Authentication Q&A
5h
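The cookie-sharing behaviour asked about in the reply above is controlled by one property on ASWebAuthenticationSession. The following is an added example written for this page, not code from the thread's author or from Ping/Omnissa/Apple; the IdP authorize URL, client id and the `myapp` callback scheme are constructed placeholders. It shows the two configurations side by side: a session that shares Safari's cookie store (where an existing persistent IdP cookie gives the single sign-on experience) and an ephemeral session (no shared cookies, so every launch is a fresh login, but nothing is left behind in the browser either).

```swift
import AuthenticationServices
import UIKit

/// Added example: drives an OAuth/OIDC authorization-code login through
/// ASWebAuthenticationSession and hands the resulting code back to the caller.
/// Token exchange (code -> access/ID/refresh token) is left to the app's own
/// backend-for-frontend or token client, as the thread describes.
final class EnterpriseLogin: NSObject, ASWebAuthenticationPresentationContextProviding {

    enum LoginError: Error { case missingCode, stateMismatch }

    // Constructed placeholder values for the example; substitute the real IdP
    // authorize endpoint, the registered client id and the app's own URL scheme.
    private let authorizeEndpoint = "https://idp.example.com/as/authorization.oauth2"
    private let clientID = "PLACEHOLDER_CLIENT_ID"
    private let callbackScheme = "myapp"
    private var session: ASWebAuthenticationSession?

    /// `shareBrowserState == true`  -> prefersEphemeralWebBrowserSession = false:
    ///   the session shares Safari's cookie store, so a persistent IdP session
    ///   cookie set earlier is presented again and the user is not re-prompted.
    /// `shareBrowserState == false` -> prefersEphemeralWebBrowserSession = true:
    ///   no cookies are shared in either direction; no SSO, but no IdP cookie
    ///   survives on the device after the window is dismissed.
    func start(shareBrowserState: Bool,
               completion: @escaping (Result<String, Error>) -> Void) {
        // Random `state` binds the callback to this request; the caller should
        // also add PKCE (code_challenge) for a public client, omitted here for brevity.
        let state = UUID().uuidString
        var components = URLComponents(string: authorizeEndpoint)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: "\(callbackScheme)://callback"),
            URLQueryItem(name: "scope", value: "openid profile"),
            URLQueryItem(name: "state", value: state),
        ]

        let session = ASWebAuthenticationSession(url: components.url!,
                                                 callbackURLScheme: callbackScheme) { callbackURL, error in
            if let error = error { completion(.failure(error)); return }
            guard let url = callbackURL else { completion(.failure(LoginError.missingCode)); return }
            // Reject a callback that does not echo our state value.
            guard Self.queryValue("state", in: url) == state else {
                completion(.failure(LoginError.stateMismatch)); return
            }
            guard let code = Self.queryValue("code", in: url) else {
                completion(.failure(LoginError.missingCode)); return
            }
            completion(.success(code))
        }
        session.prefersEphemeralWebBrowserSession = !shareBrowserState
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }

    /// Extracts a single query parameter from the callback URL.
    static func queryValue(_ name: String, in url: URL) -> String? {
        URLComponents(url: url, resolvingAgainstBaseURL: false)?
            .queryItems?.first(where: { $0.name == name })?.value
    }

    // MARK: ASWebAuthenticationPresentationContextProviding
    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        UIApplication.shared.connectedScenes
            .compactMap { $0 as? UIWindowScene }
            .flatMap { $0.windows }
            .first { $0.isKeyWindow } ?? ASPresentationAnchor()
    }
}

// Usage (constructed): the non-ephemeral form is the one that can give SSO.
// EnterpriseLogin().start(shareBrowserState: true) { result in print(result) }
```

The observation in the thread (SSO only with persistent cookies) is consistent with this model: in the shared, non-ephemeral mode the session can only reuse an IdP cookie that still exists in the shared store, and a cookie scoped to the browser session is gone once the authentication window is dismissed, so on the next launch the IdP sees no session and prompts again. Whether that trade-off (durable IdP cookie on the device versus re-authentication on every launch) is acceptable is a policy decision for the MDM/IdP owners rather than something the app can paper over.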
Reply to Recommendation for Authentication for the Enterprise with Identity Provider.
During my investigation I could only find this WWDC video in relation to setting up a single sign-on extension: https://developer.apple.com/videos/play/tech-talks/301/ Perhaps you have more up-to-date material which is useful. Any help is greatly appreciated.
Topic: General; SubTopic: Authentication Q&A
4h