Extensible Single Sign-On

You can use the Extensible SSO policy settings to configure an app extension that performs single sign-on (SSO).

The Extensible SSO policy settings streamline the login experience for users who sign in to apps and websites through third-party identity providers (IdPs) such as PingOne, IBM Security Verify, and Microsoft Azure AD. When properly configured through MDM, the user authenticates once and then gains access to subsequent native apps and websites automatically.
Note: Supported only on macOS 10.15+ devices.

Extensible Single Sign-on settings

Follow these steps to configure Extensible SSO policy settings in the MaaS360 portal:
  1. From the MaaS360 Portal Home page, navigate to Security > Policies.
  2. Open a macOS MDM policy.
  3. Navigate to Advanced > Extensible Single Sign On.
  4. Configure the Extensible Single Sign-on settings. MaaS360 supports the following three groups of Extensible SSO settings for configuring single sign-on app extensions (Kerberos is a Credential payload that uses the Kerberos SSO extension built into macOS):
    • Credentials
    • Kerberos
    • Redirect

    Credential settings

    Policy Setting Description Support Matrix
    Extension Identifier The unique bundle identifier of the app extension. macOS 10.15+
    Hosts The approved domains that can be authenticated with the app extension. macOS 10.15+
    Authentication Method The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. macOS 13+
    Realm The realm name for Credential payloads. Note: Use proper capitalization for this value. macOS 10.15+
    Denied Bundle Identifiers The bundle identifiers of apps that do not use the SSO provided by this extension. macOS 12+
    Screen Locked Behavior If set to Cancel, the system cancels authentication requests while the screen is locked. If set to Do Not Handle, the request continues without SSO. This setting does not apply to requests where userInterfaceEnabled is set to false or to background URLSession requests. macOS 12+
    Extension Data The data that is passed through to the app extension in the key-value format. For example, key1=value1, key2=value2. macOS 10.15+
    Team Identifier The team identifier of the app extension. macOS 10.15+

    Kerberos settings

    Policy setting Description Support Matrix
    Hosts Configure one or more host or domain names that the app extension performs SSO for. Enter the host names separated by commas. Hosts that begin with a "." are wildcard suffixes and match all subdomains of that domain (but not the bare domain itself). Otherwise, the host must be an exact match. macOS 10.15+
    Realm The Kerberos realm, properly capitalized (Kerberos realms are conventionally upper case). If the realm is in an Active Directory forest, this is the realm where the user logs in. macOS 10.15+
    Allow automatic login If set to true, allows automatic login.  
    Allow password change If set to true, password changes are allowed. macOS 10.15+
    Delay User Setup If set to true, does not prompt the user to set up the Kerberos extension until either the administrator enables it with the app-SSO tool or a Kerberos challenge is received. macOS 13+
    Monitor Credentials Cache If set to false, the credential is requested on the next matching Kerberos challenge or network state change. macOS 13+
    Include Kerberos Apps in Bundled ACL If set to true, the Kerberos extension allows the standard Kerberos utilities including TicketViewer and klist to access and use the credential. macOS 13+
    Credential Bundle ID ACL A list of bundle IDs allowed to access the ticket-granting ticket (TGT). macOS 10.15+
    Help Text for User The help information or disclaimer text that is displayed to the user at the bottom of the Kerberos login window. macOS 10.15+
    Include Managed Apps Bundle ID ACL If enabled, only managed apps can use the credentials. This setting can be combined with Credential Bundle ID ACL. macOS 10.15+
    Is Default Realm If enabled, this Realm acts as the default realm if there is more than one Kerberos extension configuration. macOS 10.15+
    Principal Name The principal name (the user name) to use. You do not need to include the realm. macOS 10.15+
    Preferred KDCs The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this setting if the servers are not discoverable through DNS. If servers are specified, they are used for connectivity checks and are tried first for Kerberos traffic; if they do not respond, the device falls back to DNS discovery. Each entry is formatted as it would be in a krb5.conf file. macOS 10.15+
    Credential Use Mode This setting affects how the Kerberos extension credential is used by other processes. macOS 10.15+
    Password Change URL This URL launches in the user’s default web browser when the user initiates a password change. macOS 10.15+
    Required Password Text The text version of the domain's password requirements. macOS 10.15+
    Password Notification Days The number of days prior to password expiration when a notification of password expiration is sent to the user. macOS 10.15+
    Required Password History The number of prior passwords that cannot be re-used on this domain. macOS 10.15+
    Required Password Length The minimum length of passwords on the domain. macOS 10.15+
    Required Password Minimum Age The minimum age of passwords before the password can be changed on this domain. macOS 10.15+
    Custom Username Label The custom user name label shown in the Kerberos extension instead of Username. For example, Company ID. macOS 10.15+
    Required Password Complexity If true, passwords must meet Active Directory's definition of "complex". macOS 10.15+
    Require TLS For LDAP Require that LDAP connections use TLS. macOS 10.15+
    Perform Kerberos Only If true, the Kerberos Extension handles Kerberos requests only. This setting does not check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. macOS 13+
    Use Site Auto Discovery If false, the Kerberos extension will not automatically use LDAP and DNS to determine its AD site name. macOS 10.15+
    Sync Local Password If false, disables password sync. This setting will not work if the user is logged in with a mobile account. macOS 10.15+
    Is User Authentication Required If true, requires the user to provide Touch ID, Face ID, or their passcode to access the keychain entry. macOS 10.15+
    Site Code The name of the Active Directory site the Kerberos extension should use. Most administrators do not need to modify this value, because the Kerberos extension can usually find the site automatically. macOS 10.15+

    Redirect settings

    Policy setting Description Support Matrix
    Extension Identifier The bundle identifier of the app extension. macOS 10.15+
    URLs Specify the URL prefixes of the identity provider for which the app extension performs SSO. Each URL must begin with http:// or https:// and must be unique across all installed Extensible SSO payloads. macOS 10.15+
    Denied Bundle Identifiers Enter the bundle identifiers of apps that do not use the SSO provided by this extension. macOS 12+
    Screen Locked Behavior Specify the Screen Locked behavior. If set to Cancel, the system cancels authentication requests while the screen is locked. If set to Do Not Handle, the request continues without SSO. This setting does not apply to requests where userInterfaceEnabled is set to false or to background URLSession requests. macOS 12+
    Extension Data Specify the data that is passed through to the app extension in the key-value format: key1=value1,key2=value2. macOS 10.15+
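
The following added example (not MaaS360's or Apple's code) shows what the Credential, Kerberos and Redirect settings above become on the device: a com.apple.extensiblesso configuration profile. It builds a Kerberos Credential payload and a Redirect payload, applies the rules the tables state (wildcard-suffix host matching, realm capitalization, http:// or https:// only and unique redirect URLs, Cancel or Do Not Handle for screen-locked behavior), and parses the portal's key1=value1,key2=value2 Extension Data string into the ExtensionData dictionary. The payload and ExtensionData key names follow Apple's Extensible SSO profile schema and the Kerberos SSO extension's keys as published in Apple's Device Management documentation; verify them there before deploying. The realm, host names, URLs, bundle IDs and com.example identifiers are constructed sample values.

```python
"""Build and sanity-check a com.apple.extensiblesso configuration profile.
Added example, not MaaS360's or Apple's code: payload key names follow Apple's
Extensible SSO schema; realm, hosts, URLs, bundle IDs and the com.example
identifiers are constructed sample values."""
import plistlib
import uuid
from urllib.parse import urlparse

# Bundle and team identifiers of the Kerberos SSO extension built into macOS.
KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"
KERBEROS_TEAM_ID = "apple"

def parse_extension_data(spec: str) -> dict:
    """Portal 'key1=value1,key2=value2' string -> plist dict. 'true'/'false' become
    booleans and digit strings integers; array keys (preferredKDCs) need the dict."""
    data = {}
    for pair in filter(None, (p.strip() for p in spec.split(","))):
        key, sep, value = pair.partition("=")  # split at the first '=' only
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"malformed entry {pair!r}: expected key=value")
        if value.lower() in ("true", "false"):
            data[key] = value.lower() == "true"
        else:
            data[key] = int(value) if value.isdigit() else value
    return data

def host_matches(hosts, candidate: str) -> bool:
    """Hosts rule: a leading '.' is a wildcard suffix matching every subdomain (not
    the bare domain); any other entry must match exactly. Case-insensitive."""
    cand = candidate.lower().rstrip(".")
    for host in (h.lower() for h in hosts):
        if (host.startswith(".") and cand.endswith(host)) or cand == host:
            return True
    return False

def realm_problems(realm: str) -> list:
    """Both tables want a properly capitalized realm; Kerberos realms are upper case."""
    if not realm:
        return ["Realm is required for Credential payloads"]
    return [] if realm == realm.upper() else [f"realm {realm!r} is not upper case"]

def redirect_url_problems(urls) -> list:
    """Redirect rule: each URL begins with http:// or https:// and is unique."""
    problems, seen = [], set()
    for url in urls:
        if urlparse(url).scheme not in ("http", "https"):
            problems.append(f"{url!r} must begin with http:// or https://")
        if url in seen:
            problems.append(f"duplicate URL {url!r}")
        seen.add(url)
    return problems

def extensible_sso_payload(kind, extension_id, team_id, *, hosts=(), realm="",
                           urls=(), extension_data=None, denied_bundle_ids=(),
                           screen_locked="Cancel") -> dict:
    """One com.apple.extensiblesso payload of Type 'Credential' or 'Redirect'."""
    if screen_locked not in ("Cancel", "DoNotHandle"):
        raise ValueError("ScreenLockedBehavior must be Cancel or DoNotHandle")
    problems = (realm_problems(realm) if kind == "Credential" else
                redirect_url_problems(urls) if kind == "Redirect" else
                [f"unsupported payload Type {kind!r}"])
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "PayloadType": "com.apple.extensiblesso", "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.sso.{kind.lower()}",  # sample value
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Extensible SSO ({kind})",
        "ExtensionIdentifier": extension_id, "TeamIdentifier": team_id,
        "Type": kind, "ScreenLockedBehavior": screen_locked,
        "DeniedBundleIdentifiers": list(denied_bundle_ids),
        "ExtensionData": dict(extension_data or {}),
    }
    if kind == "Credential":
        payload["Hosts"], payload["Realm"] = list(hosts), realm
    else:
        payload["URLs"] = list(urls)
    return payload

def build_profile(payloads) -> bytes:
    """Wrap the payloads in a Configuration profile and return the .mobileconfig XML."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.profile",  # sample value
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Extensible SSO", "PayloadContent": list(payloads)})

def example_payloads() -> list:
    """A Kerberos Credential payload for EXAMPLE.COM plus a Redirect payload for a web IdP."""
    kerberos = extensible_sso_payload(
        "Credential", KERBEROS_EXTENSION_ID, KERBEROS_TEAM_ID,
        hosts=[".example.com", "fileserver.example.net"], realm="EXAMPLE.COM",
        extension_data=parse_extension_data(
            "allowAutomaticLogin=true,allowPasswordChange=true,requireTLSForLDAP=true,"
            "isDefaultRealm=true,pwReqLength=14,pwChangeURL=https://passwords.example.com"),
        denied_bundle_ids=["com.example.legacyapp"])
    redirect = extensible_sso_payload("Redirect", "com.example.idp.ssoextension",
                                      "ABCDE12345", urls=["https://login.example.com"])
    return [kerberos, redirect]
```

Write `build_profile(example_payloads())` to a .mobileconfig file to inspect the result of the settings above. Two points worth checking in your own policy: a wildcard suffix is only as narrow as you make it (".com" would hand SSO credentials to every host in that TLD, so keep suffixes to domains you control), and ExtensionData values are typed, so a flag such as allowAutomaticLogin must arrive as a boolean and a counter such as pwReqLength as an integer, not as the strings "true" and "14".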