Single Sign-On Extension

By Jordan Moore

Learn how to configure and deploy an Extensible Enterprise SSO extension

What Is a Single Sign-On Extension?

A Single Sign-On (SSO) extension is a macOS or iOS app extension built on Apple's Extensible Enterprise Single Sign-on framework. The framework lets identity providers (IdPs) build extensions that provide a seamless SSO experience across native macOS applications and browsers: an end user signs in once to the extension and is authenticated across macOS or iOS. SSO extensions can also synchronize a user's local macOS password with their IdP password.

How Can I Deploy a Single Sign-On Extension?

  • For iOS extensions, you must first deploy the app containing the SSO extension via Apps and Books from Apple Business Manager.
  • For macOS extensions, you must first deploy the app containing the SSO extension via Apps and Books from Apple Business Manager or via a custom app in Kandji.
  • After deploying the extension, configure and deploy a Single Sign-On Extension profile to the devices.

Configure a Single Sign-On Extension Profile

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New, then select the Single Sign-On Extension profile.
  3. Under the extension details, the following options are available:
    1. Extension Type: Credential, Redirect
      This option refers to the type of SSO extension. In most cases, the extension type will be Redirect.
    2. Extension Identifier: In this option, you specify the Bundle ID of the SSO extension. The Bundle ID can be found by inspecting the app's Info.plist file.
    3. Team Identifier: The team identifier of the app extension that performs single sign-on. Required if the extension will be assigned to macOS devices.
    4. Realm: This option is displayed only if the extension type is Credential. Typically this refers to a Kerberos realm when leveraging the Kerberos extension.
    5. Hosts: This option allows you to specify which hosts can be authenticated through the SSO extension. An example would be an ADFS instance.
    6. URLs: This option is displayed only if the extension type is Redirect. It allows you to specify the URL prefixes on behalf of which the SSO extension will authenticate.

Configure a Single Sign-On Extension Profile for Apple's Kerberos Extension

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New, then select the Single Sign-On Extension profile.
  3. Set the Extension Type to Kerberos.
  4. Under the extension details, the following options are available:
    1. Realm: Set the Realm to the capitalized form of your Active Directory domain name (e.g., accuhive.io becomes ACCUHIVE.IO).
    2. Hosts: This can be left empty. If you have enterprise applications leveraging ADFS, and ADFS is configured to accept Kerberos authentication, you can add the host of your ADFS server here (e.g., adfs.accuhive.io).
  5. Under the Password Options section, you can configure all of the available Kerberos extension options (such as syncing the local user password).
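As an added example (not Kandji's or Apple's code), the following Python check encodes the rules from both procedures above against the keys of Apple's com.apple.extensiblesso payload, so a payload can be sanity-checked before it is pushed. The Kerberos bundle and team identifiers are Apple's documented values for the built-in Kerberos extension; the realm and host in the sample payload are constructed from the page's example domain.

```python
# Added example: validate an Extensible Enterprise SSO payload before deployment.
# Key names follow Apple's com.apple.extensiblesso payload; the checks mirror the
# rules described in the text (Realm only for Credential, URLs only for Redirect,
# TeamIdentifier required on macOS, Kerberos realm in upper case).
from urllib.parse import urlsplit

# Constructed sample: Apple's built-in Kerberos extension, configured as above.
KERBEROS_PAYLOAD = {
    "ExtensionIdentifier": "com.apple.AppSSOKerberos.KerberosExtension",
    "TeamIdentifier": "apple",
    "Type": "Credential",
    "Realm": "ACCUHIVE.IO",            # capitalized form of accuhive.io
    "Hosts": ["adfs.accuhive.io"],     # optional ADFS host that accepts Kerberos
}


def validate_sso_payload(payload: dict, platform: str = "macOS") -> list:
    """Return a list of problems; an empty list means the payload looks sane."""
    errors = []
    ext_type = payload.get("Type")
    if not payload.get("ExtensionIdentifier"):
        errors.append("ExtensionIdentifier (bundle ID of the extension) is required")
    if ext_type not in ("Credential", "Redirect"):
        errors.append(f"Type must be Credential or Redirect, got {ext_type!r}")
    if platform == "macOS" and not payload.get("TeamIdentifier"):
        errors.append("TeamIdentifier is required when the profile targets macOS")
    if ext_type == "Redirect":
        if "Realm" in payload:
            errors.append("Realm only applies to Credential extensions")
        urls = payload.get("URLs") or []
        if not urls:
            errors.append("Redirect extensions need at least one URL prefix")
        for url in urls:
            parts = urlsplit(url)
            # Prefixes are matched on scheme and host; query strings and
            # fragments are not permitted in a URL prefix.
            if parts.scheme not in ("http", "https") or parts.query or parts.fragment:
                errors.append(f"URL prefix must be http(s) with no query/fragment: {url}")
        if len(set(urls)) != len(urls):
            errors.append("URL prefixes must be unique")
    elif ext_type == "Credential":
        if "URLs" in payload:
            errors.append("URLs only apply to Redirect extensions")
        realm = payload.get("Realm", "")
        # Kerberos realms are written in upper case (accuhive.io -> ACCUHIVE.IO).
        if realm and realm != realm.upper():
            errors.append(f"Realm should be upper case, got {realm!r}")
    return errors
```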