Skip Navigation

Data flow: Authenticating with the mail server from an
iOS
device when using
BlackBerry Secure Gateway

This data flow describes how
iOS
devices authenticate with your mail server through
BlackBerry Secure Gateway
using
Microsoft
modern authentication.
Diagram showing the steps and components mentioned in the following data flow.
The following steps describe the standard data flow. Some details may vary depending on the configuration of your
Entra
tenant. For more information on how the
Microsoft
identity provider manages authorization requests, see the
Microsoft
documentation
.
  1. BlackBerry Secure Gateway
    retrieves and caches the discovery documents from the authorization server/identity provider specified in the
    BlackBerry Secure Gateway
    configuration settings.
    BlackBerry Secure Gateway
    retrieves both the unversioned discovery document for
    iOS
    13 devices and the v2.0 discovery document for
    iOS
    14.6 and later devices.
  2. The device establishes a secure connection through the
    BlackBerry Infrastructure
    to the
    BlackBerry Secure Gateway
    .
  3. The
    BlackBerry Secure Gateway
    establishes a TLS connection with the authorization server/identity provider specified in the
    BlackBerry Secure Gateway
    configuration settings.
  4. The device sends an authorization code request through the
    BlackBerry Secure Gateway
    to the authorization server/identity provider.
  5. The authorization server/identity provider returns a 302 HTTP redirect response to the device.
  6. The device sends an authorization request to the URL specified by the redirect response. The request does not route through the
    BlackBerry Secure Gateway
    .
  7. The authorization server/identity provider sends user authentication request to the device. The type of request (for example, a login page, or prompt from the
    Microsoft
    Authenticator app) and the message flow for user authentication depends on the configuration of your
    Entra
    tenant.
  8. The user provides the requested credentials to the authorization server/identity provider.
  9. When user authentication is complete, the authorization server/identity provider sends an authorization code to the device.
  10. The device requests the authorization server/identity provider discovery document from the
    BlackBerry Secure Gateway
    .
  11. The
    BlackBerry Secure Gateway
    sends the discovery document to the device.
  12. The device sends an access token request through the
    BlackBerry Secure Gateway
    to the authorization server/identity provider.
  13. The authorization server/identity provider sends the access token to the device.
  14. When it sends or receives email, the device presents the access token to establish a secure connection to the mail server.
    When the access token expires, the device sends a new token request through the
    BlackBerry Secure Gateway
    to the authorization server/identity provider.