Single Sign On

Single Sign On (SSO) provides a unified sign-on experience for users accessing your enterprise apps or websites. Apple has introduced Extensible SSO to enable simpler and more secure single sign-on for iPhones, iPads and Mac devices enrolled in an MDM solution. Extensible SSO can be used with third-party Identity Providers to simplify and improve single sign-on for users. Apple also ships a built-in Kerberos extension that can sign users in to native apps and websites that support Kerberos authentication. To know more about Extensible SSO, refer to Apple's documentation.

Extensible Single Sign On with MDM

The MDM feature in Endpoint Central makes users' sign-in experience simpler with Extensible SSO, which can be used to configure Identity Providers such as Microsoft SSO Plug-in, Okta FastPass etc. Users are authenticated either through the Kerberos extension or through an Identity Provider; once authenticated, they are not prompted to authenticate again for subsequent sign-ins. This configuration is applicable to devices running macOS 10.15 and above.

Profile Description

Profile Specification: Description

Extension type
  Select the extension type that should be used to authenticate users during sign-in. This should be obtained from your extension developer.
  Credentials - Used for challenge-response authentication.
  Redirect - Used for modern authentication such as OAuth, SAML etc.
  Kerberos - Apple's native extension, which authenticates users with Active Directory.

Extension identifier
  Specify the bundle identifier of the extension app that performs Single Sign On. Example: com.apple.AppSSOKerberos.KerberosExtension. Obtain the bundle identifier from the app developer.

Team identifier
  Enter the Team identifier of the app.

URLs
  If you have selected the extension type Redirect, specify the URLs of your identity providers where the extension performs SSO.

Realm
  Specify the Realm for which authentication is to take place. If the Credentials extension type is selected, obtain the Realm from the app developer. It is usually your DNS domain name, fully capitalized. For example, if your domain is zylker.com, your Kerberos Realm is ZYLKER.COM.

Host
  Enter the domains that can be authenticated with the app extension. Ex: zylker.com
  To allow wildcard domains, add '.' before the domain name. Ex: .zylker.com

Exclude apps from SSO
  Select the apps that cannot use Single Sign On with the Authenticator app. You can select any app present on the device and/or in the App Repository.
  Note: Certain apps that use Safari to authenticate cannot be excluded from SSO. To block these apps, Safari must be blocked on the device.

Custom configuration
  To customize the configuration based on your enterprise needs, collect the necessary values from your app developer and enclose them between <dict> and </dict>. Refer to your identity provider for the available options and example plist files.

Lock Screen behavior (applicable only for macOS 12 and above)
  Define how authentication should happen when the device is locked.
  Cancel - This option stops the SSO request automatically once the device is locked.
  Do not handle request - This option prevents the request from being sent to the extension server.
  Note: By default, the lock screen behavior is 'Cancel'.

Platform SSO Authentication method (applicable only for macOS 13 and above)
  Select the Platform SSO authentication method the extension uses.
  1. User Secure Enclave key
  2. Passcode

Platform Registration token (applicable only for macOS 13 and above)
  Enter the registration token obtained from your Identity Provider.

To know more about the above-mentioned configurations, you can refer to the following documents:

Common errors

    1. Same URLs in different profiles

You cannot use the same URLs in multiple profiles. If you have configured the same URL in more than one profile, the second profile will not be applied to the device.

    2. Same hosts in different profiles

You cannot use the same Hosts in multiple profiles. If you have configured the same host in more than one profile, the second profile will not be applied to the device.

    3. Invalid configuration format error

You will get this error when the Platform SSO Authentication method is configured in more than one profile.
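To make the profile fields above and the three common errors concrete, here is an added example, written for this page and not part of Endpoint Central or Apple's code, that builds sample Extensible SSO profiles with Python's plistlib and lints them before they would be pushed to devices. It assumes Apple's com.apple.extensiblesso payload keys (ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts, URLs, ScreenLockedBehavior, PlatformSSO); the Kerberos choice in the UI corresponds to Apple's Kerberos extension identifier with the Credential payload type. The two Redirect profiles use hypothetical extension and team identifiers, and the sample profiles are constructed so that one URL and the Platform SSO block each appear twice. Comparing hosts case-insensitively is this example's choice, not something the page states.

```python
"""Pre-flight lint for Apple Extensible SSO (com.apple.extensiblesso) payloads.

Added example for this page; it is not Endpoint Central code. The payload key
names are Apple's profile keys; every profile below is a constructed sample.
"""
import plistlib
from collections import defaultdict

SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"


def make_profile(identifier, sso_payload):
    """Wrap one Extensible SSO payload in a minimal .mobileconfig (XML plist)."""
    payload = {"PayloadType": SSO_PAYLOAD_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": identifier + ".sso",
               "PayloadUUID": identifier, **sso_payload}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": identifier, "PayloadUUID": identifier,
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)  # the XML plist bytes an MDM would push


# Constructed sample profiles. The two Redirect profiles deliberately share a
# URL and both carry PlatformSSO so that the checker has something to report.
SAMPLE_PROFILES = {
    "kerberos": make_profile("com.example.kerberos", {
        "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
        "TeamIdentifier": "apple", "Type": "Credential",
        "Realm": "ZYLKER.COM", "Hosts": ["zylker.com", ".zylker.com"],
        "ScreenLockedBehavior": "Cancel"}),
    "idp-a": make_profile("com.example.idp-a", {
        "ExtensionIdentifier": "com.example.idp.extension",  # hypothetical
        "TeamIdentifier": "ABCDE12345", "Type": "Redirect",  # constructed
        "URLs": ["https://login.zylker.com/"],
        "PlatformSSO": {"AuthenticationMethod": "UserSecureEnclaveKey"}}),
    "idp-b": make_profile("com.example.idp-b", {
        "ExtensionIdentifier": "com.example.otheridp.extension",  # hypothetical
        "TeamIdentifier": "FGHIJ67890", "Type": "Redirect",  # constructed
        "URLs": ["https://login.zylker.com/", "https://sso.zylker.com/"],
        "PlatformSSO": {"AuthenticationMethod": "UserSecureEnclaveKey"}}),
}


def sso_payloads(profile_bytes):
    """Return the Extensible SSO payloads found in one .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == SSO_PAYLOAD_TYPE]


def validate_payload(payload):
    """Per-payload checks from the profile description: required identifiers,
    the key each extension type needs, and the fully capitalized realm."""
    problems = []
    for key in ("ExtensionIdentifier", "TeamIdentifier"):
        if not payload.get(key):
            problems.append("missing " + key)
    ext_type = payload.get("Type")
    if ext_type not in ("Redirect", "Credential"):
        problems.append("unknown Type %r" % ext_type)
    elif ext_type == "Redirect" and not payload.get("URLs"):
        problems.append("Redirect type needs URLs")
    elif ext_type == "Credential" and not payload.get("Hosts"):
        problems.append("Credential type needs Hosts")
    realm = payload.get("Realm")
    if realm and realm != realm.upper():
        problems.append("Realm %r should be fully capitalized" % realm)
    return problems


def find_conflicts(profiles):
    """Cross-profile checks from the 'Common errors' section: a URL or host
    present in more than one profile, and Platform SSO configured in more
    than one profile. Returns (kind, value, [profile names]) tuples."""
    owners = {"url": defaultdict(list), "host": defaultdict(list)}
    platform_sso = []
    for name, data in profiles.items():
        for payload in sso_payloads(data):
            for url in payload.get("URLs", []):
                owners["url"][url].append(name)
            for host in payload.get("Hosts", []):
                owners["host"][host.lower()].append(name)  # DNS names are case-insensitive
            if "PlatformSSO" in payload:
                platform_sso.append(name)
    conflicts = [(kind, value, names)
                 for kind, table in owners.items()
                 for value, names in sorted(table.items()) if len(names) > 1]
    if len(platform_sso) > 1:
        conflicts.append(("platform_sso", "PlatformSSO", platform_sso))
    return conflicts


def lint(profiles):
    """Run both checks: {profile name: [problems]} and the conflict list."""
    per_profile = {name: [p for payload in sso_payloads(data)
                          for p in validate_payload(payload)]
                   for name, data in profiles.items()}
    return per_profile, find_conflicts(profiles)


if __name__ == "__main__":
    per_profile, conflicts = lint(SAMPLE_PROFILES)
    for name, problems in per_profile.items():
        print(name, problems or "ok")
    for kind, value, names in conflicts:
        print("conflict: %s %s is configured in %s" % (kind, value, ", ".join(names)))
```

Run against the samples, the lint reports the shared URL and the duplicated Platform SSO block, which are exactly the cases where the second profile would be rejected on the device; running it over real exported .mobileconfig files instead of the constructed ones catches those conflicts before deployment.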