Single Sign-On Extension

Learn how to configure and deploy an Extensible Enterprise SSO Extension

What is a Single Sign-On Extension?

A Single Sign-On (SSO) Extension is a macOS or iOS app extension built on Apple's Extensible Enterprise Single Sign-On framework. Identity providers (IdPs) use this framework to deliver a seamless SSO experience across native macOS applications and browsers: an end user signs in once to the extension and is then authenticated across macOS or iOS. SSO Extensions can also synchronize a user's local macOS password with their IdP password.

As of writing this article, no IdPs have released an SSO Extension for macOS; Microsoft has a pre-release version of their SSO Extension for iOS.

How can I deploy a Single Sign-On Extension?

  • For iOS extensions, you must first deploy the app containing the SSO Extension via Apps and Books from Apple Business Manager.
  • For macOS extensions, you must first deploy the app containing the SSO Extension via Apps and Books from Apple Business Manager, or via a custom app in Kandji.
  • After deploying the extension, configure and deploy a Single Sign-On Extension profile to the devices.

Configure a Single Sign-On Extension Profile

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New, then select the Single Sign-On Extension profile.
  3. Under the extension details, the following options will be present:
    1. Extension Type: Credential or Redirect. This refers to the type of SSO Extension; in most cases the extension type will be Redirect.
    2. Extension Identifier: Specify the Bundle ID of the SSO Extension. The Bundle ID can be found by inspecting the app's Info.plist file.
    3. Realm: This option is only displayed if the extension type is Credential. Typically this refers to a Kerberos realm when using the Kerberos Extension.
    4. Hosts: Specify which hosts can be authenticated through the SSO Extension, for example an ADFS instance.
    5. URLs: This option is only displayed if the extension type is Redirect. Specify the URL prefixes that the SSO Extension will authenticate on behalf of.
  4. The Custom Configuration section allows you to specify a custom PLIST file to configure the SSO Extension. Refer to your Identity Provider for the available options and example PLIST files.

Configure a Single Sign-On Extension Profile for Apple's Kerberos Extension

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New, then select the Single Sign-On Extension profile.
  3. Set the Extension Type to Kerberos.
  4. Set the Realm to the capitalized form of your Active Directory domain name
    (e.g. accuhive.io becomes ACCUHIVE.IO).
  5. Host can be left empty. If you have enterprise applications leveraging ADFS and ADFS is configured to accept Kerberos authentication, you can add the host of your ADFS server here (e.g. adfs.accuhive.io).
  6. Under the Password Options section, you can configure all of the available Kerberos Extension options (such as syncing the local user password).
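Before pushing a profile built from either procedure above, it helps to lint the resulting Extensible SSO payload so that a lowercase Kerberos realm, a Redirect extension with no URL prefixes, or a non-HTTPS prefix is caught before devices receive it. The following is an added example, not Kandji's or Apple's code: the payload keys it reads (PayloadType, ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts, URLs, ExtensionData) are Apple's documented keys for the com.apple.extensiblesso payload, while the checks and the sample plist are this example's own.

```python
"""Lint a com.apple.extensiblesso payload before deploying it (added example)."""
import plistlib
from urllib.parse import urlsplit

# Constructed sample: a Kerberos (Credential) payload whose realm was left
# in lowercase, which the lint below should flag.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>ExtensionIdentifier</key><string>com.apple.AppSSOKerberos.KerberosExtension</string>
  <key>TeamIdentifier</key><string>apple</string>
  <key>Type</key><string>Credential</string>
  <key>Realm</key><string>accuhive.io</string>
  <key>Hosts</key><array><string>adfs.accuhive.io</string></array>
  <key>ExtensionData</key><dict><key>syncLocalPassword</key><true/></dict>
</dict></plist>"""


def lint_sso_payload(payload: dict) -> list[str]:
    """Return the problems found; an empty list means the payload looks sane."""
    problems = []
    if payload.get("PayloadType") != "com.apple.extensiblesso":
        problems.append("PayloadType must be com.apple.extensiblesso")
    if not payload.get("ExtensionIdentifier"):
        problems.append("ExtensionIdentifier (the extension's Bundle ID) is missing")
    if not payload.get("TeamIdentifier"):
        problems.append("TeamIdentifier is missing (required on macOS)")
    ext_type = payload.get("Type")
    if ext_type not in ("Credential", "Redirect"):
        problems.append("Type must be Credential or Redirect")
    if ext_type == "Credential":
        realm = payload.get("Realm", "")
        if realm and realm != realm.upper():  # Kerberos realm names are case-sensitive
            problems.append(f"Realm {realm!r} should be upper-case")
        if "URLs" in payload:
            problems.append("URLs is only valid for Redirect extensions")
    elif ext_type == "Redirect":
        urls = payload.get("URLs") or []
        if not urls:
            problems.append("Redirect extensions need at least one URL prefix")
        for url in urls:  # each prefix decides which requests the extension intercepts
            parts = urlsplit(url)
            if parts.scheme != "https":
                problems.append(f"URL prefix {url!r} is not https")
            if parts.query or parts.fragment:
                problems.append(f"URL prefix {url!r} must not carry a query or fragment")
        for key in ("Realm", "Hosts"):
            if key in payload:
                problems.append(f"{key} is only valid for Credential extensions")
    return problems


def lint_plist_bytes(data: bytes) -> list[str]:
    """Parse an XML or binary plist and lint it."""
    return lint_sso_payload(plistlib.loads(data))
```

Run the linter on the exported profile's payload dictionary (or the raw plist bytes) and refuse to deploy while it returns any problems.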