Configure Extensible Single Sign-On Profile
The Extensible Single Sign-On profile lets administrators deploy an app extension that provides single sign-on on enrolled devices.
This profile is supported on macOS 10.15 or later.
To configure an app extension that performs Single Sign-On on enrolled devices, follow these steps:
On the SureMDM Web Console, navigate to Profile > macOS > Add > Extensible Single Sign-On > Configure.
Enter a Profile Name and click Add.
In the SSO Configuration popup, configure the required options under the respective tabs.
SSO Configuration
| Settings | Description |
|---|---|
| Extension Identifier | Enter the bundle ID of the app extension that performs single sign-on for the specified URLs. |
| Team Identifier | Enter the unique team ID for the app and its extension. |
| Single Sign-On Type | Select the single sign-on type.<br>Credential: two options are displayed.<br>- Host: enter the host or domain names to authenticate against; the host/domain names must be unique across all installed Extensible SSO payloads.<br>- Realm: enter the full Kerberos realm where the user's account is located.<br>Redirect: one option is displayed.<br>- URLs: enter the URLs to be handled by the SSO Extension; each must start with https:// or http://. |
| Denied Bundle Identifiers | Enter the bundle IDs of apps that are not allowed to use the SSO Extension. Requires macOS 12 or later. |
| Screen Locked Behavior | Set how the SSO Extension handles requests while the screen is locked.<br>- Cancel: stops the authentication request.<br>- Do Not Handle: allows the request to proceed without SSO.<br>Requires macOS 12 or later. |
| ExtensionData | Enter a dictionary of arbitrary data to be passed to the app extension as key-value pairs. |
Platform SSO Configuration
| Setting | Description |
|---|---|
| Enable Platform SSO | If checked, Platform SSO is enabled and the settings below apply. |
| Authentication Method | Specify the Platform SSO authentication method to use with the extension. The SSO Extension must also support the selected method.<br>- Password<br>- User Secure Enclave Key |
| Login Frequency | Enter the duration, in hours, after which the system requires a full login instead of a refresh. The minimum value is 1 hour and the default value is 18 hours. |
| Use Shared Device Keys | If checked, the system uses the same signing and encryption keys for all users. Only supported on the device channel. |
| Create User at Login | If checked, users can be created at the login window. Applicable only when the Authentication Method is Password and Use Shared Device Keys is checked. |
| New User Authorization Mode | Specify the authorization mode for newly created users.<br>- Standard: the user account receives Standard-level permissions upon each authentication.<br>- Admin: the user account receives Admin-level permissions upon each authentication.<br>- Temporary: the system uses a temporary session configuration for accounts created at login. |
| User Authorization Mode | Specify the authorization mode for existing users.<br>- Not Configured: no authorization mode is applied.<br>- Standard: the user account receives Standard-level permissions upon each authentication.<br>- Admin: the user account receives Admin-level permissions upon each authentication. |
| Login Policy | The policy to apply when using Platform SSO at the login window. Applies only when the Authentication Method is Password. |
| New User Authentication Methods | Specify the authentication methods to use for accounts created at login or during Setup Assistant.<br>- Not Configured<br>- Password |
Platform SSO is supported only on macOS 14.0 and above.
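The tables above state several constraints that only surface as a failed profile install if they are violated (URLs must start with https:// or http://, Host names must be unique across installed Extensible SSO payloads, Login Frequency is at least 1 hour, Create User at Login needs the Password method together with Use Shared Device Keys). The checker below is an added example, not SureMDM's or Apple's code: it validates a payload dictionary against those rules before the profile is pushed. It assumes the console fields map onto Apple's `com.apple.extensiblesso` payload keys (`ExtensionIdentifier`, `TeamIdentifier`, `Type`, `Hosts`, `Realm`, `URLs`, `ScreenLockedBehavior`, and the `PlatformSSO` dictionary); the sample payload and its bundle/team IDs are constructed placeholders.

```python
"""Check an Extensible SSO payload dictionary against the rules the profile page states."""

VALID_METHODS = ("Password", "UserSecureEnclaveKey")  # Password / User Secure Enclave Key


def validate_sso_payload(payload: dict, installed_hosts=()) -> list:
    """Return a list of rule violations; empty means the payload is acceptable.
    installed_hosts: Host values already claimed by other Extensible SSO payloads."""
    errors = []
    for key in ("ExtensionIdentifier", "TeamIdentifier", "Type"):
        if not payload.get(key):
            errors.append(f"{key} is required")
    sso_type = payload.get("Type")
    if sso_type == "Credential":
        hosts = payload.get("Hosts", [])
        if not hosts and not payload.get("Realm"):
            errors.append("Credential type needs at least one Host or a Realm")
        clashes = sorted(set(hosts) & set(installed_hosts))  # uniqueness across payloads
        if clashes:
            errors.append(f"Hosts already claimed by another Extensible SSO payload: {clashes}")
    elif sso_type == "Redirect":
        urls = payload.get("URLs", [])
        if not urls:
            errors.append("Redirect type needs at least one URL")
        for url in urls:
            if not url.startswith(("https://", "http://")):
                errors.append(f"URL must start with https:// or http://: {url}")
    elif sso_type:
        errors.append(f"Type must be Credential or Redirect, not {sso_type!r}")
    if "ScreenLockedBehavior" in payload and payload["ScreenLockedBehavior"] not in ("Cancel", "DoNotHandle"):
        errors.append("ScreenLockedBehavior must be Cancel or DoNotHandle")
    psso = payload.get("PlatformSSO")
    if psso:  # Platform SSO block, macOS 14.0 and above
        method = psso.get("AuthenticationMethod")
        if method not in VALID_METHODS:
            errors.append(f"AuthenticationMethod must be one of {VALID_METHODS}")
        freq = psso.get("LoginFrequency", 18)  # hours; default 18, minimum 1
        if not isinstance(freq, int) or freq < 1:
            errors.append("LoginFrequency must be a whole number of hours, at least 1")
        if psso.get("EnableCreateUserAtLogin") and not (method == "Password" and psso.get("UseSharedDeviceKeys")):
            errors.append("Create User at Login needs the Password method and Use Shared Device Keys")
    return errors


SAMPLE_PAYLOAD = {  # constructed sample; bundle ID and team ID are placeholders
    "ExtensionIdentifier": "com.example.sso-extension", "TeamIdentifier": "ABCDE12345",
    "Type": "Credential", "Hosts": ["idp.example.com"], "ScreenLockedBehavior": "DoNotHandle",
    "PlatformSSO": {"AuthenticationMethod": "Password", "LoginFrequency": 18,
                    "UseSharedDeviceKeys": True, "EnableCreateUserAtLogin": True},
}
```

Pass the Host values of profiles already installed on the device as `installed_hosts` to catch the cross-payload uniqueness rule before the profile is applied.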
The added configuration is shown in the table section.
Click Save.
The newly created profile is listed in the Profiles section.
Go back to the Home tab and select the macOS device(s) or group(s).
Click Apply to open the Apply Job/Profile To Device prompt.
In the Apply Job/Profile To Device prompt, select the created profile and click Apply.