Android Enterprise Kerberos Support for MS Authenticator and Company Portal
On Android Enterprise there is a way to enable Kerberos/SPNEGO based SSO for all WebViews out of the box without any change of code. Since MS Authenticator and Company Portal are used for SSO authentication of native Office Android Apps, it would be beneficial to activate this option. This would allow an enterprise user to have seamless/login-free SSO.
The scenario is that in the enterprise context the Office 365 login is often federated to an on-premise idP. That idP usually is kerberized and understands SPNEGO. I can see that in MS Authenticator I get redirected to the idP, but Kerberos-based SSO is then not possible because the WebView used on MS Authenticator did not enable the SPNEGO feature.
It's actually quite straightforward and MS Edge is already doing this. Please add it also to MS Authenticator and Company Portal.
The only thing that needs to be done to enable the Android WebView to support SPNEGO is to include the following APP_RESTRICTIONS:
I attached a sample app_restrictions.xml. No further changes are needed on the code base. It's actually quite funny to see that MS Edge is already doing this, but the feature is not enabled on an application that should deal with SSO.
More details on how this works: https://docs.google.com/document/d/1VCIbypCa0VnQDCbp2JDxNUijtT8waPR8GW-X3eCyc7Q/preview
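For reference, a sketch of what such an `app_restrictions.xml` can look like. This is an added example, not the attachment from the original post and not Microsoft's code. The two restriction keys are the ones Android WebView reads for SPNEGO; the titles, the `idp.example.com` host and the `com.example.spnego` account type are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/app_restrictions.xml (added example; values are placeholders).
     The app references this file from its manifest inside <application>:
       <meta-data android:name="android.content.APP_RESTRICTIONS"
                  android:resource="@xml/app_restrictions" />
     The EMM/MDM then pushes the real values as managed configuration. -->
<restrictions xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- Hosts to which WebView may answer a Negotiate challenge.
         Leave the default empty so SPNEGO stays off until an admin sets it,
         and have the admin list only the federated IdP host(s), for example
         "idp.example.com", rather than a broad wildcard such as "*":
         every host on this list can solicit a Kerberos service ticket. -->
    <restriction
        android:key="com.android.browser:AuthServerWhitelist"
        android:title="SPNEGO auth server allowlist"
        android:restrictionType="string"
        android:defaultValue="" />

    <!-- Account type of the SPNEGO authenticator app installed on the
         device, which obtains the Kerberos tickets on WebView's behalf.
         "com.example.spnego" is a placeholder; the real value comes from
         the authenticator the organisation deploys. -->
    <restriction
        android:key="com.android.browser:AuthAndroidNegotiateAccountType"
        android:title="SPNEGO authenticator account type"
        android:restrictionType="string"
        android:defaultValue="" />

</restrictions>
```

With both defaults empty, shipping the file changes nothing for unmanaged devices; Negotiate authentication only becomes active once the managed configuration supplies an allowlist and an account type.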