Extensible Single Sign-on MDM payload settings for Apple devices
Use the Extensible Single Sign-on payload to define extensions for multifactor user authentication on an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution.
This extension is for use by identity providers to deliver a seamless experience as users sign in to apps and websites. When properly configured using MDM, the user authenticates once then gains access to subsequent native apps and websites automatically. The following other features can be used with the Extensible Single Sign-On payload when implemented by the developer:
iCloud Keychain
Multifactor authentication
Per-app VPN
User notification
In addition to providing the single sign-on extensions for third-party developers, iOS 13, iPadOS 13.1, and macOS 10.15 feature a built-in Kerberos extension that can be used to sign users in to native apps and websites that support Kerberos authentication.
The Extensible Single Sign-on payload supports the following. For more information, see Payload information.
Supported approval method: Requires user approval.
Supported installation method: Requires an MDM solution to install.
Supported payload identifier: com.apple.extensiblesso
Supported operating systems and channels: iOS, iPadOS, Shared iPad user, macOS device, macOS user, visionOS 1.1.
Supported enrollment types: User Enrollment, Device Enrollment, Automated Device Enrollment.
Duplicates allowed: True—only one Extensible Single Sign-on payload can be delivered to a user or device.
You can use the settings in the table below with the Extensible Single Sign-on payload.
Setting | Description | Required | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Preferred KDCs | The ordered list of preferred KDCs to use for Kerberos traffic. This key should be used if the servers aren’t discoverable using DNS. If servers are specified, they are used for connectivity checks and attempted first for Kerberos traffic. If the servers don’t respond, DNS discovery is used. Each entry is formatted the same as it would be in a krb5.conf file. | No | |||||||||
Extension identifier | The unique bundle ID for the app. | Yes | |||||||||
Team identifier | The unique team ID for the app. | Yes | |||||||||
Sign-on type |
| Yes | |||||||||
Authentication method macOS 13 or later | The Platform SSO authentication method the extension uses. Requires that the SSO extension also support the method.
| No | |||||||||
Registration token macOS 13 or later | The token this device uses for registration with Platform SSO. Use it for silent registration with the identity provider. Requires that Authentication Method not be empty. | No | |||||||||
Realm | The full Kerberos realm where the user’s account is located. This key is ignored for Redirect payloads. | No | |||||||||
Hosts | Approved domains that can be authenticated with the app extension. | No | |||||||||
URLs | Required for Redirect payloads. Ignored for Credential payloads. The URLs must begin with https:// or http://, the scheme and hostname are matched case insensitively, query parameters and URL fragments aren’t allowed, and the URLs of all installed Extensible SSO payloads must be unique. | No | |||||||||
Note: Each MDM vendor implements these settings differently. To learn how various Extensible Single Sign-on settings are applied to your devices and users, consult your MDM vendor’s documentation.