Single Sign On(SSO)


Organizations are fast becoming mobile first and mobile devices are now the forefont for primary source of corporate productivity. With that comes the trouble of constant signing in to various apps and/or web services. In addition to that, there are other disadvantages as listed below:

The solution to these shortcomings is Single Sign On(SSO).

What is Single Sign On(SSO)?

Single Sign On(SSO) as the name suggests, requires the users to enter their credentials only once, after which the user can continue to access all the requisite web services and/or apps, without needing to repeatedly sign in. When the users provide their credentials for the first time, they granted a 'ticket'. Ticket, as the name suggests is the one that lets user access other web services/apps without signing in. A ticket is generated based on user credentials and the user can continue to access web services/apps without signing in, as long as the ticket is valid. Further, as the ticket is the one used for granting access, it ensures the passcode do not get transmitted over the network(Internet).

Single Sign On(SSO) with MDM

MDM leverages Kerberos, network authentication protocol for Single Sign On(SSO). Kerberos, the most commonly deployed SSO technology uses Data Encryption Standard(DES) to encrypt the user credentials. Organizations using directory services such as Active Directory(AD) etc., usually have a Kerberos system already established. SSO also has the following benefits:

Additionally, you can use Certificate-Based Authentication(CBA) to ensure users are not required to sign in even once, effectively becoming No Sign On or Zero Sign on method. MDM supports certificate-based authentication using Simple Enrollment Certificate Protocol(SCEP). Enterprise Single Sign On(SSO) is supported for devices running iOS 7.0 or later versions.

Profile Specification


Account Display Name

Reference name for SSO

Kerberos Principal Name

Unique specification used to identify users and/or services. It is of the format primary/instance@realm. Primary here usually refers to the user name; instance is an optional parameter used to qualify primary. It is usually null in case of users; realm is the Kerberos Realm. EXAMPLE: Arsene/admin@ZYLKER.COM

Kerberos Realm

Storehouse for the Kerberos database(user credentials). It is usually your DNS domain name but fully capitalized. For example, if your domain is, your Kerberos Realm is ZYLKER.COM

Identity Certificate

The certificate to be used for Certificate-Based Authentication(CBA). Specify the certificate added via SCEP.

Apps Allowed for Single Sign On

The apps which can leverage SSO. You can select any app present on the device and/or the App Repository.

Allowed URLs

The URLs of the web services, which can leverage SSO. Provide the HTTP and HTTPS versions of the web service as separate URLs. Wild-card characters in URLs is supported only for devices running iOS 9.0 or later versions.

Providing as the URL, ensures SSO can be used for even for but not soin case of or Similarly, https://* ensures SSO can be used even for

Copyright © 2021, ZOHO Corp. All Rights Reserved.