
Single Sign-On (SSO)

Single Sign-On (SSO) provides a unified sign-on experience for users accessing your enterprise apps or websites. Apple has introduced Extensible SSO to enable single sign-on on iPhones, iPads and Macs enrolled in an MDM. Extensible SSO can be used with third-party Identity Providers to enable single sign-on for users. Apple also ships a built-in Kerberos extension that can sign users in to native apps and websites that support Kerberos authentication.

Extensible Single Sign-On with MDM

Mobile Device Manager Plus simplifies the users' sign-in experience with Extensible SSO, which can be configured with Identity Providers such as the Microsoft SSO plug-in, Okta FastPass and others. The user is authenticated once, either through the Kerberos extension or through an Identity Provider; after that, the user is not prompted to authenticate again on subsequent sign-ins. This configuration applies to devices running iOS/iPadOS 13.0 and above.

Profile Description

Extension type
    Select the extension type that should be used to authenticate users during sign-in. Obtain this from your extension developer.
    Credentials - Used for challenge-response authentication.
    Redirect - Used for modern authentication such as OAuth, SAML, etc.
    Kerberos - Apple's native extension, which authenticates users against Active Directory.

Extension identifier
    Specify the bundle identifier of the extension app that performs Single Sign-On. Example: com.apple.AppSSOKerberos.KerberosExtension. Obtain the bundle identifier from the app developer.

Team identifier
    Enter the Team identifier of the app.

URLs
    If you have selected Redirect as the extension type, specify the URLs of your identity providers at which the extension performs SSO.

Realm
    Specify the realm for which authentication is to take place. If the Credentials extension type is selected, obtain the realm from the app developer. It is usually your DNS domain name, fully capitalized. For example, if your domain is zylker.com, your Kerberos realm is ZYLKER.COM.

Host
    Enter the domains that can be authenticated with the app extension. Ex: zylker.com
    To allow wildcard (sub)domains, add '.' before the domain name. Ex: .zylker.com

Exclude apps from SSO
    Select the apps that must not use Single Sign-On with the authenticator app. You can select any app present on the device and/or in the App Repository.
    Note: Certain apps that use Safari to authenticate cannot be excluded from SSO. To block these apps, Safari must be blocked on the device.

Custom configuration
    To customize the configuration for your enterprise needs, collect the necessary values from your app developer and enclose them in <dict> and </dict>. Refer to your identity provider's documentation for the available options and example plist files.

Lock Screen behavior (applicable only to iOS 15 and above)
    Define how authentication should proceed when the device is locked.
    Cancel - Stops the SSO request automatically once the device is locked.
    Do not handle request - Prevents the request from being sent to the extension server.
    Note: By default, the lock screen behavior is 'Cancel'.

For more details on the configurations above, refer to the following documents:

Common errors

  1. Same URLs in different profiles
    You cannot use the same URLs in multiple profiles. If the same URL is configured in more than one profile, the second profile will not be applied to the device.
     
  2. Same hosts in different profiles
    You cannot use the same hosts in multiple profiles. If the same host is configured in more than one profile, the second profile will not be applied to the device.
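As an added example (not code from this page or from Mobile Device Manager Plus), the Python below assembles the payload that the profile fields described above map to, and checks the duplicate-URL and duplicate-host conditions listed under Common errors before profiles are pushed. The key names are assumed to be Apple's ExtensibleSingleSignOn payload keys; the extension identifiers, team identifiers, hosts and custom values used in the test are constructed samples.

```python
import plistlib
import uuid

# Key names: Apple's ExtensibleSingleSignOn payload keys (assumed from Apple's docs,
# the page itself names the fields by label only).
PAYLOAD_TYPE = "com.apple.extensiblesso"

def sso_payload(ext_id, team_id, ext_type, realm=None, hosts=(), urls=(),
                denied_apps=(), extra=None, lock_behaviour="Cancel"):
    """Return one Extensible SSO payload dict, enforcing the page's rules."""
    if ext_type not in ("Credential", "Redirect"):
        raise ValueError("extension type must be Credential or Redirect")
    if ext_type == "Redirect" and not urls:
        raise ValueError("Redirect extensions need the identity provider URLs")
    if realm is not None and realm != realm.upper():
        raise ValueError("Kerberos realm is the DNS domain, fully capitalized")
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PAYLOAD_TYPE}.{ext_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "ExtensionIdentifier": ext_id,  # bundle id of the SSO extension app
        "TeamIdentifier": team_id,
        "Type": ext_type,
        "Hosts": list(hosts),  # leading '.' (".zylker.com") matches subdomains
        "ScreenLockedBehavior": lock_behaviour,  # "Cancel" or "DoNotHandle"
    }
    if realm:
        payload["Realm"] = realm
    if urls:
        payload["URLs"] = list(urls)
    if denied_apps:
        payload["DeniedBundleIdentifiers"] = list(denied_apps)  # excluded apps
    if extra:
        payload["ExtensionData"] = dict(extra)  # the <dict> custom configuration
    return payload

def find_conflicts(payloads):
    """Hosts/URLs reused across profiles: the later profile is not applied."""
    seen, conflicts = {}, []
    for idx, payload in enumerate(payloads):
        for key in ("Hosts", "URLs"):
            for value in payload.get(key, []):
                if (key, value) in seen:
                    conflicts.append((key, value, seen[(key, value)], idx))
                else:
                    seen[(key, value)] = idx
    return conflicts

def to_plist(payload):
    return plistlib.dumps(payload).decode()  # XML plist as an MDM would deliver it
```

Run find_conflicts over every SSO profile assigned to the same device group before deployment; any tuple it returns names a profile that the device would silently skip.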
