End User Experience on iOS Devices

Once SSO configuration is created, users can sign in to the application when authenticated. The document describes how Scalefusion authenticates any user using SSO Configuration when they try to sign in to Gmail on iOS devices.

Pre-requisites

1. SSO Configuration is created on Scalefusion Dashboard
2. Users have been assigned with the SSO configuration
3. Authenticator app is available on device (on device managed by Scalefusion) 

Case 1: Device is Unmanaged (not enrolled with Scalefusion)

On iOS devices which are unmanaged, you can sign in to the application with an OTP. Let us assume in the SSO configuration, the Conditional Access > Device Policy is configured to allow access to Gmail application If the device is managed by Scalefusion or an OTP using OneIdP Authenticator app from a managed device.

Prerequisite 

• One another device enrolled with Scalefusion having Authenticator app, should be available.

Steps

Following steps are to be performed on an unmanaged iOS device:

1. Open browser (like Safari) and type www.gmail.com in the address bar. 
2. On the Sign in screen, enter your email (the user's email to which you have assigned the application in SSO configuration). Click Next
3. You will be redirected to OneIdP sign in page. Enter your email id and password and click on Sign In.
   
   
4. On the next screen, click on Check Compliance & Sign In
   
   
   
5. Please wait for the authentication.
6. On the next screen you will be asked to enter the OTP generated in Authenticator. At this point, go to the device enrolled with Scalefusion and click on Authenticator to get the OTP.
   Note: Here we have shown a iOS device enrolled in Scalefusion with SSO configurations applied. It can be any other device also managed by Scalefusion. In iOS devices, Authenticator is present inside Scalefusion Agent.
   
   
   
   
7. The OTP that is shown inside Authenticator (shown above) needs to be entered here on your unmanaged iOS device. Enter OTP and click on Log in
   
   
   
8. Once authentication takes place, you will be signed in to Gmail with that user.

Case 2: Device is managed by Scalefusion

Let us assume in the SSO configuration, the Conditional Access > Device Policy is configured to allow access of application only if Device is managed by Scalefusion.

Prerequisite 

• Device should be enrolled with Scalefusion with Authenticator app available on it.

Steps

Following steps are to be performed on a managed iOS device:

1. Open browser (like Safari) and type www.gmail.com in the address bar 
2. On the Sign in screen, enter your email (the user's email to which you have assigned the application in SSO configuration). Click Next
3. You will be redirected to OneIdP sign in page. Enter your email id and password and click on Sign In.
   
   
   
4. On the next screen, click on Check Compliance & Sign In
   
   
   
   
5. Please wait for the authentication.
6. Next, enter the passcode for iOS device to get into Scalefusion MDM Client > Authenticator on the device
   
   
   
7. This will open the Authenticator inside Scalefusion MDM Client. If the user is authenticated successfully, the following pop-up will be displayed.
   
   
8. On clicking OK in the pop-up above, please navigate back to the browser on which you entered your sign-in credentials (given in Step #2). You will be signed in to the gmail account.