Single Sign On stopped working for some customers after updating the ClickView iOS app to v2.11 (the update which added initial support for viewing ClickView’s 360-degree showcase programmes). Users with SSO set up for their school reported that they were unable to log in to the app after updating to 2.11. The users were also using the most up-to-date version of iOS.
Users were presented with a white screen with no information after entering their credentials.
Technical information for the problem:
This problem occurred because Application Transport Security (ATS) was rejecting the connection to ClickView’s Shibboleth server.
Previous versions of the ClickView iOS app were submitted to the App Store with ATS disabled.
Since January 2017 Apple has mandated minimum security settings to be compliant with ATS. To comply with the minimum standards, apps need to use the following:
Certificates
The certificate must be issued by a Certificate Authority (CA) that is either publicly trusted (included with the operating system) or whose root cert has been installed on the client device.
- RSA 2k or higher
- ECC 256 or higher
The cert must be created by the issuer with SHA-256 or greater.
SSL / TLS Version
Only TLS 1.2 is supported. Disable earlier versions of SSL / TLS.
Cipher Support
All enabled ciphers must support PFS. Disable all but the following ciphers from the Cipher list view. If only an EC or an RSA cert is in use, it doesn't hurt to enable only the compatible ciphers. If both an EC and an RSA certificate are going to be used (best practice), then leave all of the following ciphers enabled.
ECC Ciphers
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
RSA Ciphers
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
The Solution:
The solution for ClickView was to enable only TLS v1.2.
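The requirements listed above can be checked mechanically before an ATS-enabled app build ships. The following is an added example, not ClickView's or Apple's code: it audits a description of a server's TLS settings against this article's checklist. The profile layout (the protocols, ciphers and certs keys) and both sample profiles are assumptions constructed for illustration.

```python
# Checklist values are copied from this article; profile field names are hypothetical.
ATS_CIPHERS = set("""
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
""".split())
EARLIER = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_BITS = {"RSA": 2048, "ECC": 256}
CIPHER_AUTH = {"RSA": "_RSA_", "ECC": "_ECDSA_"}  # cert key type -> cipher family
STRONG_HASHES = {"SHA256", "SHA384", "SHA512"}


def audit(profile):
    """Return findings for one endpoint; an empty list means the checklist passes."""
    findings = []
    protocols = set(profile["protocols"])
    if "TLSv1.2" not in protocols:
        findings.append("enable TLSv1.2")
    findings += [f"disable {p}" for p in sorted(protocols & EARLIER)]
    findings += [f"disable cipher {c}" for c in profile["ciphers"]
                 if c not in ATS_CIPHERS]
    allowed = [c for c in profile["ciphers"] if c in ATS_CIPHERS]
    for cert in profile["certs"]:
        kind = cert["key_type"]
        if cert["key_bits"] < MIN_BITS[kind]:
            findings.append(f"{kind} key below {MIN_BITS[kind]} bits")
        if cert["sig_hash"] not in STRONG_HASHES:
            findings.append(f"{kind} cert signed with {cert['sig_hash']}")
        # A cert can only be served if an allowed cipher of its family is enabled.
        if not any(CIPHER_AUTH[kind] in c for c in allowed):
            findings.append(f"no allowed cipher usable with the {kind} cert")
    return findings


# Constructed sample profiles, not measurements of any real server.
LEGACY = {
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
    "certs": [{"key_type": "RSA", "key_bits": 2048, "sig_hash": "SHA256"}],
}
HARDENED = {**LEGACY, "protocols": ["TLSv1.2"],
            "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}
if __name__ == "__main__":
    for name, prof in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, audit(prof) or "meets the checklist")
```

The last check catches a mismatch the cipher list alone does not show: an RSA-only certificate with only ECDSA ciphers enabled leaves no suite the server can actually negotiate.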
Please note: Some information provided in this article was sourced from https://kb.avinetworks.com/app-transport-security/