tvOS single sign on

Discussion in 'Apple TV and Home Theater' started by Raist3001, May 1, 2017.

  1. Raist3001 macrumors 6502

    Joined:
    Mar 5, 2012
    Location:
    Right behind you
    #1
    I have been having issues with my single sign-on and was wondering if anyone else was experiencing the same.

    I am signed into DIRECTV and have many of the supported apps installed. When I first logged into the app I got the message asking if I wish to allow the app to use my SSO credentials. All of my supported apps have the access allowed in settings.

    Now, once my logged-in session expires, say in the Disney app, I am unable to use SSO to log back in. The app wants me to input my DIRECTV credentials. This happens in all my supported apps.

    I thought the purpose of SSO was to sign in once and that's it?

    What am I missing?
     
  2. 2010mini macrumors 68040

    Joined:
    Jun 19, 2013
    #2
    I think it's a couple of things.
    - the individual channels still want to check your authorization
    - they are not reusing SSO after the initial login
     
  3. Raist3001 thread starter macrumors 6502

    #3
    This involves a provider that supports SSO and their apps are supported by SSO. So they should absolutely be using my SSO credentials and not asking me to manually input my credentials. This began happening after the recent tvOS update.

    Last night I found that if I go into the OS settings to my provider and update my password (meaning re-enter my password), all the apps began using the proper SSO credentials. So this seems to be a tvOS issue or it's a provider issue which is timing out the SSO credential session?
     
  4. 2010mini macrumors 68040

    #4
    Hmmmm..... with all the other bugs in the latest tvOS update, I would surmise this is also another one. Have you sent a bug report to Apple?
     
  5. Raist3001 thread starter macrumors 6502

    #5
    Here is the response from Apple:


    Apple Developer Relations 11-May-2017 02:42 PM

    This issue behaves as intended based on the following:

    When the timeout expires for the sign in, users will need to reauthenticate.

    Please update your bug report to let us know if this is still an issue for you.


    So what is the point of SSO then?
    What is the point of giving the apps access to my SSO credentials if I still need to sign back in manually from within the app?
    If my app session times out, it should use my SSO credentials stored in my ATV to re-authenticate.
    I should not need to sign back into the app using my DIRECTV credentials from within the app.
    If I still need to re-authenticate from within the app, SSO isn't doing anything.
     
  6. tonyr6 macrumors 65816

    Joined:
    Oct 13, 2011
    Location:
    Brooklyn NY
    #6
    Single sign on is a joke. I still have to frequently reactivate Starz, WatchESPN etc. What is the point then?
     
  7. 2010mini macrumors 68040

    #7
    It's the content owners and providers that are the problem. The owners want to make sure you are still authorized to their network via your TV provider. Since rights change so often... and users add/drop channels. They created this convoluted mess.

    Apple needs a way to make SSO an active instead of a passive authentication.
     
  8. Raist3001 thread starter macrumors 6502

    #8
    Here is yet another reply from support. At this point, I believe they do not understand the situation:

    "Each provider handles the TTL differently. For DTV, they expire in 25 days as a hard deadline. They are the shortest. Most partners expire every 90 days. Some expire based on usage. It just depends on how they’ve chosen to implement it. Apple doesn’t dictate this. That said, we will take this feedback into consideration for future feature enhancements. Thanks."

    I have responded trying to clarify that the problem is not that supported providers have app session timers. But that once the app's login does expire that the app refuses to use the SSO credentials stored in the ATV. I don't care if DTV chooses to have all their apps time out after 24 hours. Once the app times out, it should use the stored ATV DTV credentials. Again, what's the point of storing the DTV credentials and then giving each supported app permission to use the SSO credentials if the app refuses to use them?

    SSO is not working as Apple has promised and they should be looking to resolve this. Again, from Apple's website:

    "When you enter your cable or satellite subscription credentials on Apple TV, you get immediate access to all the apps in your pay TV package that support single sign-on. So you authenticate once and you're done."

    I authenticate once, then again, and again and again and again.......
    --- Post Merged, May 19, 2017 ---
    Then they should not be promoted as supporting SSO. And Apple should remove them.
     
  9. Raist3001, May 30, 2017
    Last edited: May 30, 2017

    Raist3001 thread starter macrumors 6502

    #9
    And here is another update from Apple.

    "Engineering has provided the following feedback regarding this issue:

    We understand what you are asking, the issue at hand is that Apple never has access to your TV provider credentials. We never see or store those credentials in any way. When you sign in to SSO, although you are on an Apple device, what you are seeing is a JavaScript context sent to us from your TV provider. They handle all credentials and only pass back an Auth token that we use. When that expires you have to sign back in to your TV provider again. Which is what we were getting at in our previous reply that it’s really on your TV provider to manage the TTL of that auth token. We hope that helps clear up why you are required to reauth manually each time.

    We are now closing this bug report.

    If you have questions or comments about the resolution, please update your bug report with that information so we can respond."

    The engineer claims Apple does not store my credentials? Why must I enter those credentials into my ATV under my provider's account, then give access to those credentials on a per app basis?
    If Apple does not store the provider's credentials WHAT THE HECK IS THE POINT OF SSO? If the provider does not need to follow what SSO is supposed to be, why are they listed as a supported provider?

    Can anyone tell me what the purpose of SSO is?
     
  10. Raist3001 thread starter macrumors 6502

    #10
    So I let all my apps time out where I would need to manually sign back into each app. I have about 10 apps with DTV.

    Instead of signing into each app individually, I went into my settings on my ATV, went to accounts, and my DTV account and simply re-entered my password.

    And magically, all my apps re-authenticated with my DTV credentials and I had access again.

    So, if my ATV does not store my DTV credentials, like the Apple engineer claims, how were the apps able to re-authenticate all at once?

    In my opinion, this is a bug with the ATV and should be fixed.
     
  11. 2010mini macrumors 68040

    #11
    Reopen the bug report and let them know about re-entering your password
     
  12. Raist3001 thread starter macrumors 6502

    #12
    Yep, I reopened the case with Apple with the new update.
     
  13. Raist3001 thread starter macrumors 6502

    #13
    Received the following reply from Apple today:

    "Engineering has provided the following feedback regarding this issue:

    Thank you for your feedback, it is noted. Engineering has determined that there are currently no plans to address this issue.

    We are now closing this bug report.

    If you have questions or comments about the resolution, please update your bug report with that information so we can respond."



    So, the bug is just going to be ignored? Apple is essentially false advertising the whole SSO feature?

    Any thoughts as to whom to contact next in Apple?
     
  14. rjbruce macrumors regular

    Joined:
    Jan 7, 2011
    Location:
    St. Louis, MO
    #14
    So let me try to make sense of this. I have no insight into Apple's implementation other than what you've posted, but it seems to be pretty standard.

    When you enter your DIRECTV ID and password into your Apple TV, you're actually entering those credentials on a DIRECTV portal and not actually on your Apple TV. Think of it like entering your credentials into a website, not actually into the Apple TV itself. This means your credentials aren't actually stored on the device.

    What happens when you enter your credentials on the DIRECTV portal (on your Apple TV), DIRECTV passes back a token or pass that grants you access to content. For any authentication from here on out, the token is used because your device with that token is trusted. Your credentials are out of the picture for actual authentication and use of the content, only that token matters.

    This particular token from DIRECTV is only good for 25 days. DIRECTV sets the time to live of this token and other providers have different time to live (TTL) periods. Once that token expires, it's no longer good and you have to get another token. To get a new token/pass, you have to authenticate again with DIRECTV through their portal using your DIRECTV credentials again. So your password doesn't get you access, it only gets you a 25 day pass.

    So what does SSO get you?

    With SSO, the Apple TV is managing a single token for any content that can be authenticated with that token. So if you did not have SSO, each app would need to get its own token from DIRECTV. Each app would expose the DIRECTV auth portal, and receive a token after credentials were entered. That token would be good for 25 days and it would only be accessible by that app, meaning you would need to get a DIRECTV token for every app (and log in through each). SSO allows you to get one token that is shared by SSO-enabled apps and means you sign in at one place.

    So it sounds like it's working the way it should, but the question would be, why can't the Apple TV store the SSO credentials and use those in the background to get a new token when the current one expires? That seems like a simple solution unless the content providers won't allow it. It's likely policy and politics that prevents it rather than a bug or lack of ability, which is unfortunate because that would make the experience way better.
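
A minimal model of the shared-token flow described in post #14, added here as an illustration; it is not Apple's or DIRECTV's code. The class and function names, the account and the password are constructed; the 25-day TTL and the ten apps come from the thread.

```python
import secrets
from dataclasses import dataclass
DAY = 24 * 60 * 60

class ReauthRequired(Exception):
    """The shared token is missing or expired; the user must sign in again."""

@dataclass
class Provider:
    """Constructed stand-in for the provider's sign-in portal."""
    accounts: dict   # username -> password, known to the provider only
    ttl: int         # token lifetime in seconds, set by the provider

    def sign_in(self, user, password, now):
        if not secrets.compare_digest(self.accounts.get(user, ""), password):
            raise PermissionError("bad credentials")
        return secrets.token_hex(16), now + self.ttl   # (token, expiry)

class DeviceSSO:
    """Constructed device-level holder: keeps the token, never the password."""
    def __init__(self, provider):
        self.provider = provider
        self.token, self.expires_at = None, 0
        self.allowed_apps, self.sign_ins = set(), 0

    def sign_in(self, user, password, now):
        # Credentials go to the provider and are not retained here.
        self.token, self.expires_at = self.provider.sign_in(user, password, now)
        self.sign_ins += 1

    def token_for(self, app, now):
        if app not in self.allowed_apps:
            raise PermissionError(f"{app} is not authorized to use SSO")
        if self.token is None or now >= self.expires_at:
            raise ReauthRequired(app)
        return self.token

def apps_with_access(device, apps, now):
    """Apps that can still obtain the shared token at time `now`."""
    ok = []
    for app in apps:
        try:
            device.token_for(app, now)
            ok.append(app)
        except ReauthRequired:
            pass
    return ok

def simulate():
    apps = [f"app{i}" for i in range(10)]   # ten apps, as in the thread
    device = DeviceSSO(Provider({"viewer": "constructed-pw"}, ttl=25 * DAY))
    device.allowed_apps.update(apps)
    device.sign_in("viewer", "constructed-pw", now=0)
    day24 = len(apps_with_access(device, apps, 24 * DAY))
    day26 = len(apps_with_access(device, apps, 26 * DAY))    # token expired
    device.sign_in("viewer", "constructed-pw", now=26 * DAY)  # one sign-in
    day27 = len(apps_with_access(device, apps, 27 * DAY))
    return day24, day26, day27, device.sign_ins
```

In this model all ten apps lose access together when the token expires, and one sign-in at the device level restores all of them, because the apps share a token rather than each holding credentials.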
     
  15. Raist3001 thread starter macrumors 6502

    #15
    No, that's not correct. You are entering and storing your provider's credentials in the AT4, and then need to allow all supported apps access to your stored credentials.

    The token pertains to the individual apps which is not related to SSO.

    I don't ever need to use SSO to use my provider's supported apps. So if I sign into each app manually, the token will expire in 25 days. And I must sign in again. This is why SSO was created. Store your credentials in the ATV and never have to manually sign in again. This is not reality.

    No it is not, because.....

    This is exactly what the ATV does. It stores your credentials. You must give each app approval to use and access your stored provider's credentials. Once your token times out, you do NOT have to log back into each app manually like the Apple rep said, you just re-enter your STORED password into the ATV. And all the supported apps reauthenticate at once and the token is good for another 25 days. This is what SSO is supposed to do however this does not work in the background. This is a bug plain and simple and it appears from the Apple tech that this issue will not be addressed.

    SSO is broken.
     
  16. 1024724 macrumors member

    Joined:
    Apr 4, 2016
    #16
    Raist, you're right, SSO is seemingly pointless. In fact I'm not seeing any difference in the way the apps behave than before SSO was implemented. I also have DTV and have all my DTV sign-in stuff stored in Apple TV 4 but it doesn't matter. The apps still constantly tell us to login just like before SSO meaning getting another computer, going to the url and entering the code that appears on the Apple TV. So irritating.
     
  17. Raist3001 thread starter macrumors 6502

    #17
    SSO is indeed broken. However, you don't have to sign into each app manually. All you need to do is go into your AT4, go to your Providers account, and re-enter the password there. All your apps will then re-authenticate at once. This is what SSO is supposed to do for us. Seems Apple does not care enough to fix a feature they are currently selling.
     
  18. JRobinsonJr macrumors regular

    Joined:
    Aug 20, 2015
    Location:
    Arlington, Texas
    #18
    --------------------------------
    Excellent analysis!

    So, is SSO working as designed? It certainly appears to be.

    HOWEVER, it also appears to be an incomplete design. Based solely on these facts, Apple has implemented the server-side portion of SSO. Now they need to implement the client-side portion. For that, they need to store provider login credentials. Don't they already have keychain on the TV? If not, that sure sounds like a great place for it! So, just store the provider credentials and based on the provider perform a periodic re-authentication and re-validation... and get a new token.

    Voilà!
    • Happy providers!
    • Happy content developers!
    • Happy consumers!
    Seems like an easy decision to me.
     
  19. 1024724 macrumors member

    #19
    I'll give that approach a shot next time it comes up.
     
  20. Raist3001, Jul 12, 2017
    Last edited: Jul 12, 2017

    Raist3001 thread starter macrumors 6502

    #20
    No, it is not working as designed nor as promised nor as advertised. That analysis, while in depth, is incorrect.

    This is from Apple's website:

    "When you enter your cable or satellite subscription credentials on Apple TV, you get immediate access to all the apps in your pay TV package that support single sign-on. So you authenticate once and you're done."

    Pay close attention to that last sentence. That is broken.

    The ATV4 does store your credentials in the provider's account page. Each supported app of the provider's must then be given access to use these credentials for SSO. However, as I have pointed out, the apps do not use the stored credentials to authenticate. Once the token expires, each app will ask to be signed into manually. However, all you need to do is re-enter the stored password to your provider account in the ATV4 and each app will re-authenticate all at once. This is SSO. This is what is broken and not working as advertised by Apple. If a person did not know that all they needed to do was re-enter their provider's password in the provider's account in the ATV4, they would believe they would have to sign into each app individually. I have 10 supported apps from DTV. If I need to sign in manually to each app, SSO is doing nothing. As it is now, having to manually enter your provider's password each time the token expires is SSO doing nothing.

    In short, you sign into your provider on ATV4 by opening Settings/Accounts/TV Provider, and then entering your credentials. You then must authorize each of the provider's supported apps to use the stored provider's credentials for SSO.

     
  21. rjbruce, Aug 1, 2017
    Last edited: Aug 1, 2017

    rjbruce macrumors regular

    #21
    I sort of let this thread go, I understand you are passionate about wanting it to work a certain way, but it clearly doesn't. Your Apple quote is arguably fulfilled,
    • you authenticate once - meaning through the SSO portal enabling you to authenticate every SSO enabled app in one shot
    • and you're done - you don't have to enter credentials in the SSO enabled apps, just authorize it to use the common token. I would also think there are providers that have longer or no token expiration. This is the statement that you might argue is not fulfilled but it is your content provider enforcing.
    Sorry this is an inconvenience for you, I agree it would be great if the token never expired or the Apple TV could renew the token in the background, but that doesn't appear to be the way it works today.
     
  22. Raist3001 thread starter macrumors 6502

    #22
    I'm not sure where the confusion lies, but the Apple quote is not being fulfilled. I am not authenticating once and I'm done. I am authenticating over and over and over again. Once the token expires, SSO is broken. The apps do not use the stored credentials that they were given access to and authorized to use. However, if you simply re-enter the stored password to your provider's account on the ATV, every app will authenticate at once. This is what SSO is supposed to take care of. Log in once, and you are done.

    It is an inconvenience because it is not working as advertised. If the token expires, and the app is unable to use the stored credentials they are authorized to use, then they are not SSO ready. And should not be listed as a supporter of SSO. Either way, it is up to Apple to fix this issue.
     
  23. tonyr6 macrumors 65816

    #23
    I agree and fix the Hulu in mono issue. My Apple TV is in my closet for good now that single sign on is broken, Hulu is still in mono with the worse UI, the horrible touch remote keeps lagging, freezing, and yes it is fully recharged, and Netflix now autoplays with volume those dumb trailers automatically.
     
  24. 2010mini macrumors 68040

    #24
    Apple can't fix Hulu. Hulu has to fix Hulu.
     
  25. JBaby macrumors member

    Joined:
    Jun 14, 2015
    #25
    You can't blame Apple for Netflix's stupid decision. It doesn't just happen on the TV. It's been happening on other platforms for a while now.
     
