With enterprise single sign-on (SSO) with Kerberos, device users can log into your internal backend resources without having to re-enter their enterprise credentials. Creating a single sign-on account configuration is part of a larger configuration to set up single sign-on using Kerberos. The single sign-on setup using Kerberos requires Standalone Sentry and Ivanti Tunnel.
This setting does not apply to tvOS devices.
When you configure enterprise SSO, you specify the URLs of the backend resources that the device user can access using SSO. The backend resource must support Kerberos based authentication.You can also specify bundle IDs (app IDs). If you specify any bundle IDs, then only the specified apps use enterprise SSO when accessing the specified URLs. If you specify no bundle IDs, then all apps that support enterprise SSO use it when accessing the specified URLs.
When you configure enterprise SSO, you can optionally specify an identity certificate. The app uses this certificate to authenticate the device user to a backend resource when the Kerberos ticket has expired. Once authenticated, the Kerberos ticket is silently renewed.
If you do not provide an identity certificate, the device user is prompted to enter a user ID and password when the Kerberos ticket has expired. Therefore, providing an identity certificate results in a better device user experience.
For a complete set of configuration tasks for setting up enterprise single sign-on using Kerberos, and for a description of the fields in the single sign-on account configuration, see the Ivanti Tunnel for iOS Guide.