DocumentationAdobe PassAdobe Pass Authentication
Last update: Mon Sep 18 2023 00:00:00 GMT+0000 (Coordinated Universal Time)
- Topics:
- Authentication
NOTE
The content on this page is provided for information purposes only. Usage of this API requires a current license from Adobe. No unauthorized use is permitted.
Overview overview-sso-support
This document describes the types of Single Sign On supported and powered by Adobe Pass Authentication on different platforms. The scope of this document is to shed light into what’s supported and what’s not, what is the MVPD coverage for each SSO method and what is required from the Programmers to be able to benefit from SSO on each platform.
After a user logs in with their MVPD credentials, Adobe Pass Authentication generates a secure token that represents the MVPD’s Authentication session, and binds that token to the user’s device using a Device ID. Adobe Pass Authentication stores the token / Device ID either on a server or on the device. This allows users to enter their credentials less frequently while keeping transactions secure.
NOTE
SSO workflows are part of the Premium Workflow package. Please contact your Adobe Pass sales rep if interested in using this functionality.
Current status for SSO on various platforms current-sso-status-platforms
Platform / Device
SSO support
SSO type
MVPD coverage
Notes
Web (JavaScript)
Yes
Shared authentication token (Adobe SSO)
All
No cross-browser SSO Please follow the instructions in the Programmer Integration Guide for JavaScript. Upon following the instructions, SSO is enabled by default. Enabling Authentication per Requestor breaks SSO
iOS
Yes
Platform SSO - token exchange
Depending on Apple support - the list is here
From iOS 10, Apple & Adobe introduced SSO functionality for participating Programmers and MVPDs. By using the latest Adobe iOS SDK or by using Adobe’s Clientless REST API and implementing the Apple SSO functionality you can benefit from SSO on iOS devices. More details on SDK implementation here and more details on Clientless implementation here. Extra notes: - If you don’t want to use Apple SSO you can still have a limited SSO between apps of the same vendor (same bundle ID) that can share storage and an ID (IDFV) - so SSO is limited only to the apps of the same vendor.
Android
Yes
Shared authentication token (Adobe SSO)
All
If the user does not accept the WRITE_EXTERNAL_STORAGE permission request, the library will use a local sandboxed storage. The implication in this case is that there will be no SSO between different applications when using the local storage.
tvOS - new Apple TV
Yes
Platform SSO - token exchange
Depending on Apple support - the list is here
From tvOS 10, Apple & Adobe introduced SSO functionality for participating Programmers and MVPDs. By using the latest Adobe tvOS SDK or by using Adobe’s Clientless REST API and implementing the Apple SSO functionality you can benefit from SSO on tvOS devices. More details on tvOS SDK: here and here and more details on Clientless implementation here.
Roku
Yes
Shared authentication token (Adobe SSO)
Significant coverage full list to be provided soon.
Roku SSO works out of the box with the Clientless API for all customers respecting Roku guidelines, no special implementation required. SSO is based on device identification information that Roku is securely sending to Adobe.
Amazon FireTV
Yes
Shared authentication token (Adobe SSO)
Significant coverage full list to be provided soon.
FireTV SDK provides support for Single Sign On based on Android capabilities. The SSO on this platform is possible only between apps that are using Adobe FireTV SDK for now. More info about the new FireTV SDK here. FireTV apps implemented on top of Clientless API will be able to benefit from SSO by EOY 2018.
Xbox 360
No
There is no Device ID we can leverage. There is an App ID, so users don’t have to authenticate every time.
Xbox One
No
There is no Device ID we can leverage. There is an App ID, so users don’t have to authenticate every time.
Windows 8/10
No
There is no Device ID we can leverage. There is an App ID, so users don’t have to authenticate every time.
Samsung TVs
No
There is no Device ID we can leverage. There is an App ID, so users don’t have to authenticate every time.
Notes on Xbox 360 and Xbox One notes-xbox-360
-
Xbox 360- Xbox 360 relies on the Live Service to provide the token that embeds the deviceID. The Live Service layers in the appID value for deviceID, making it scoped only to the app. For Xbox 360, Microsoft provided Adobe a Java library to help with parsing the token.
-
Xbox One- A JSON web token will be issued that is encrypted with the publisher’s cert/key and signed by Microsoft. Adobe extracts the deviceID from a parameter called DPI (Device Pairwise ID), different from the Xbox 360 parameter PDID (Partner Device ID). PDID exists also in Xbox One but is meant to be replaced by this new parameter “Device Pairwise ID” (DPI).
Disabling SSO disable-sso
In certain situations some apps or sites will want to disable SSO to satisfy advanced business cases.
- For JS and native SDKs - The Adobe Pass Authentication support team can disable SSO for a Requestor ID / MVPD pair. No work is needed on sites or in native apps. Once SSO is disabled by the Adobe Pass Authentication support team, authentications performed using the specified RequestorId / MVPD pair will not be shared with sites or apps using different Requestor IDs. In addition, existing authentications with different Requestor IDs will not be valid for the Requestor ID / MVPD combination in which SSO was disabled. Technically, SSO disabling is accomplished by binding the AuthN token to the specific Requestor ID / MVPD combination.
- For Clientless API - You can disable SSO in the Clientless authentication flow by specifying a non-empty appId parameter in the REST calls. You can use any string as the value, as long as that string is unique for the Requestor ID. Note that for the Clientless API, the programmer / impementor must change the site or app to add this requestor-specific parameter.
IMPORTANT
IMPORTANT NOTE FOR CLIENTLESS API SSO: Some MVPDs require that each network (requestor ID) performs its own authentication flow. For the SDK based flows (iOS etc), this is handled automatically by the SDK. However, for the Clientless APIs this needs to be handled by the Programmer. We strongly advise Programmers not to enable SSO flows for Clientless APIs at this point and instead use a device ID + app ID combination for device ID. Adobe will also work on improving the Clientless API flows so that proper SSO can be established.
Logout logout-sso-support
Programmers need to be aware that the “Logout” action in the context of Single Sign-On, when performed in one app/on one site, will delete all tokens on the device and the user will be logged out across apps/sites.
If SSO conditions are met (whether or not SSO is enabled or disabled), Logout will be performed and it will delete all authentication and authorization information.
recommendation-more-help
