iOS SSO Authentication - MDM and Per-App VPN Configuration Considerations

Oracle Fusion Field Service Mobile on iOS uses Apple-supported Safari authentication mechanisms for Single Sign-On flows.

The application currently relies on SFSafariViewController for OAuth, SAML, and OpenID Connect authentication processing. This behavior is expected for iOS SSO authentication flows.

Applies to

This guidance applies to iOS environments where Oracle Fusion Field Service Mobile is used with one or more of the following:
  • Microsoft Intune
  • Per-App VPN policies
  • Azure Conditional Access
  • Managed iOS devices
  • Customer identity provider-based SSO

Expected authentication behavior

During SSO authentication, the login flow opens using a Safari-based authentication controller within the native application context.

Because the login session is rendered by SFSafariViewController, the native application cannot control, inspect, or access the data displayed inside the authentication session. This isolation is expected behavior, not a defect.

Safari-based authentication is the supported approach for Oracle Fusion Field Service Mobile SSO on iOS.

Note:
  • Alternative browsers, including Chrome, are not supported for native Oracle Fusion Field Service Mobile iOS SSO authentication flows.
  • MDM or VPN policies that block Safari-based authentication handling can prevent successful authentication.

Per-app VPN, Intune, and Conditional Access considerations

Organizations using Intune, per-app VPN, Azure Conditional Access, or managed iOS devices must ensure that Safari-based authentication traffic is allowed within the managed authentication and VPN policy configuration.

If Safari-based authentication traffic is excluded from the managed VPN scope, authentication may fail because:
  • The expected VPN tunnel is not established during the SSO flow
  • Azure Conditional Access cannot validate the expected network or IP context

Recommended configuration approach

For environments using Intune and per-app VPN policies, configure the Intune Safari domain handling policies, including SafariDomains, so that the Safari-based authentication session is routed through the managed per-app VPN tunnel rather than outside it.

The managed VPN authentication context should include the required authentication domains for the customer environment.

Include the following domain categories:
  • Oracle Identity or OCI authentication domains.
  • Customer identity provider domains, if applicable.
  • Required Microsoft Azure authentication domains.

These domains must be included within the managed VPN context used during authentication validation.

Administrator checklist

Before enabling or enforcing the MDM or VPN policy, verify that:
  • Safari-based authentication traffic is allowed.
  • SafariDomains is configured for the required authentication domains.
  • Oracle Identity or OCI authentication domains are included.
  • Customer identity provider domains are included, where applicable.
  • Required Microsoft Azure authentication domains are included.
  • The authentication flow uses the expected managed VPN context.
  • Conditional Access can validate the expected network or IP context.
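To turn the configuration approach and the checklist above into a repeatable pre-enforcement check, the following added example (not Oracle's, Apple's, or Microsoft's code) parses an exported Apple configuration profile with Python's plistlib and reports which checklist domain categories are absent from the per-app VPN payload's SafariDomains. The embedded profile, the .example host names, and the rule that an entry covers its subdomains are assumptions made for the example.

```python
import plistlib

# Constructed sample mobileconfig (placeholder values, not a real tenant profile).
SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "UserDefinedName": "Field Service Per-App VPN",
        "VPNType": "VPN",
        "VPN": {"RemoteAddress": "vpn.corp.example", "AuthenticationMethod": "Certificate",
                "OnDemandMatchAppEnabled": True},  # True marks the payload as per-app VPN
        # Safari navigations to these hosts are routed through the per-app tunnel.
        "SafariDomains": ["identity.oracle.example", "login.azure.example"],
    }],
})

# Domain categories from the administrator checklist; hosts are placeholders.
REQUIRED_DOMAINS = {
    "Oracle Identity / OCI": ["identity.oracle.example"],
    "Customer identity provider": ["sso.customer.example"],
    "Microsoft Azure": ["login.azure.example"],
}

def per_app_vpn_safari_domains(mobileconfig_bytes):
    """Collect SafariDomains from every per-app VPN payload in the profile."""
    profile = plistlib.loads(mobileconfig_bytes)
    domains = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if not payload.get("VPN", {}).get("OnDemandMatchAppEnabled"):
            continue  # device-wide VPN: SafariDomains is not a per-app trigger
        domains.update(d.lower().strip(".") for d in payload.get("SafariDomains", []))
    return domains

def _covered(host, domains):
    # Assumed matching rule: an entry covers the host itself and its subdomains.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def missing_domains(mobileconfig_bytes, required=REQUIRED_DOMAINS):
    """Return {category: [uncovered hosts]} for each category with a gap."""
    domains = per_app_vpn_safari_domains(mobileconfig_bytes)
    return {cat: absent for cat, hosts in required.items()
            if (absent := [h for h in hosts if not _covered(h, domains)])}
```

On the sample profile, missing_domains(SAMPLE_MOBILECONFIG) reports the customer identity provider host as uncovered, which is exactly the gap that leaves the SSO redirect outside the tunnel; an empty result means every checklist category is routed through the per-app VPN.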

Troubleshooting guidance

If SSO authentication fails on managed iOS devices, review whether Safari-based authentication traffic is excluded from the managed VPN scope.

Also confirm that the required Oracle Identity or OCI, customer identity provider, and Microsoft Azure authentication domains are included in the Intune Safari domain handling and managed VPN configuration.