Extensible Single Sign-On

Extensible Single Sign-On is an Apple feature that allows you to configure single sign-on (SSO) for users accessing enterprise resources from iOS and macOS devices that are registered with Ivanti EPMM. Identity providers can use the extension to deliver a seamless experience as users sign in to enterprise resources. App users on the device need to authenticate only once. The initial user authentication can be done using enterprise credentials or through an identity provider (IdP) setup. Users are not prompted for authentication on subsequent access.

This configuration does not require an Ivanti Tunnel or a Sentry deployment.

  • An app extension, that is, an app that performs the SSO, is required.

  • If you are configuring an identity provider (IdP), the IdP must have an app extension.

    • The Extensible Single Sign-On configuration is supported with ADFS.

  • The feature is supported with iOS 13.0 and macOS 10.15 or supported newer versions.

You configure Extensible Single Sign-On on the Admin Portal. Go to Policies & Configs > Configurations > Apple > iOS / macOS / tvOS > Extensible Single Sign-On. To distribute the configuration, save and apply it to a label that contains the target devices.

Extensible Single Sign-On requires an identity provider (IdP) app extension. Please refer to the vendor-specific documentation for setup procedures.

The following table describes the fields and settings in the configuration.

Table 111.  Extensible Single Sign-On field description

Item: Description

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

Channel

The Channel options are applicable to macOS only.

Select one of the following:

  • User: Select to apply to only specific users on the device.

  • Device: Select to apply to all users on the device.

The User option is not supported on macOS 10.15 devices.

Extensible Single Sign-On

Choose SSO Type

Select the initial sign on method.

  • Credentials: Select this option if the initial authentication method uses your enterprise credentials.

  • Redirect: Select this option if the enterprise resource uses an identity provider to authenticate users.

Host

If you select Credentials as the SSO Type, enter one or more host names or domain names that can be authenticated through the app extension.

Host or domain name matching is not case sensitive. The host and domain names must be unique. Hosts that begin with a “.” are wildcard suffixes and match all sub-domains. Otherwise, the host or domain name must be an exact match.

URL

If you select Redirect as the SSO Type, enter one or more URL prefixes of identity providers where the app extension performs SSO.

The URLs must begin with http:// or https://. Scheme and host name matching is not case sensitive. Do not include query parameters or URL fragments. The URLs must be unique.

Extension Identifier

Enter the bundle ID of the app extension that performs the single sign-on for the specified URLs.

Team Identifier

Enter the team identifier of the app extension.

The team identifier is required on macOS. However, it is ignored on iOS.

Realm

If you select Credentials as the SSO Type, enter the realm name.

The realm name is case sensitive and must be an exact match.

Custom Data

Enter custom data as one or more key-value pairs.
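To make the field rules in this table concrete, here is an added example in Python (not Ivanti EPMM's or Apple's own code) that checks a set of entries against the constraints above, assembles them into a payload dictionary, and evaluates the Host and URL matching rules. It assumes that the Admin Portal fields map one-to-one onto the keys of Apple's Extensible SSO profile payload (PayloadType com.apple.extensiblesso with the keys ExtensionIdentifier, TeamIdentifier, Type, Hosts, Realm, URLs and ExtensionData), with Apple's Type values Credential and Redirect standing for the portal's Credentials and Redirect choices; the page does not state that mapping. The Channel setting is treated as an EPMM delivery option and left out, and every bundle ID, team ID, host and URL in the code is a constructed sample.

```python
"""Validate Extensible SSO fields and evaluate the Host / URL matching rules.

Added example, not Ivanti EPMM or Apple code. Assumed: the portal fields map
onto Apple's com.apple.extensiblesso payload keys; Channel is left out;
all identifiers, hosts and URLs are constructed samples.
"""
import plistlib
import uuid
from urllib.parse import urlsplit


def _normalize_url(url: str) -> str:
    """Lower-case the scheme and host only; the path stays case-sensitive."""
    p = urlsplit(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower()).geturl()


def field_problems(sso_type, extension_identifier, team_identifier=None,
                   hosts=(), urls=(), platform="ios"):
    """Return the rule violations for the given fields (empty list = valid)."""
    problems = []
    if sso_type not in ("Credential", "Redirect"):
        problems.append("SSO Type must be Credential or Redirect")
    if not extension_identifier:
        problems.append("Extension Identifier (bundle ID of the app extension) is required")
    if platform == "macos" and not team_identifier:   # ignored on iOS
        problems.append("Team Identifier is required on macOS")
    if sso_type == "Credential":
        folded = [h.strip().lower() for h in hosts]   # matching is case-insensitive
        if not folded:
            problems.append("Credential type needs at least one Host")
        if len(set(folded)) != len(folded):
            problems.append("Host entries must be unique (matching is case-insensitive)")
    elif sso_type == "Redirect":
        folded = []
        for u in urls:
            p = urlsplit(u)
            if p.scheme.lower() not in ("http", "https") or not p.netloc:
                problems.append(f"URL must begin with http:// or https://: {u!r}")
            if p.query or p.fragment:
                problems.append(f"URL may not carry query parameters or a fragment: {u!r}")
            folded.append(_normalize_url(u))
        if not folded:
            problems.append("Redirect type needs at least one URL")
        if len(set(folded)) != len(folded):
            problems.append("URL entries must be unique (scheme and host are case-insensitive)")
    return problems


def build_payload(sso_type, extension_identifier, team_identifier=None,
                  hosts=(), realm=None, urls=(), custom_data=None, platform="ios"):
    """Validate the fields and return the payload dictionary to be delivered."""
    problems = field_problems(sso_type, extension_identifier, team_identifier,
                              hosts, urls, platform)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.extensiblesso",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "ExtensionIdentifier": extension_identifier,
        "Type": sso_type,
    }
    if team_identifier:                # required on macOS, ignored on iOS
        payload["TeamIdentifier"] = team_identifier
    if sso_type == "Credential":
        payload["Hosts"] = list(hosts)
        if realm:                      # case-sensitive, stored exactly as typed
            payload["Realm"] = realm
    else:
        payload["URLs"] = list(urls)
    if custom_data:                    # the Custom Data key-value pairs
        payload["ExtensionData"] = dict(custom_data)
    return payload


def host_matches(payload, request_host):
    """Credential type: a leading '.' entry is a wildcard suffix covering every
    sub-domain; any other entry must equal the host (case-insensitively)."""
    h = request_host.strip().lower()
    for entry in (e.strip().lower() for e in payload.get("Hosts", [])):
        if entry.startswith("."):
            if h.endswith(entry):
                return True
        elif h == entry:
            return True
    return False


def url_matches(payload, request_url):
    """Redirect type: the request URL must start with one configured URL prefix."""
    target = _normalize_url(request_url)
    return any(target.startswith(_normalize_url(p)) for p in payload.get("URLs", []))


def to_plist(payload) -> bytes:
    """Serialise the payload as an XML plist (the MDM wraps it in a profile)."""
    return plistlib.dumps(payload)
```

Two consequences of the rules are worth knowing before saving a configuration. URL entries are matched as prefixes, so in this implementation an entry such as https://idp.example.com/adfs also covers https://idp.example.com/adfsx; ending the entry with a trailing slash keeps the match to the intended path. The wildcard reading follows the table literally: .corp.example.com covers every sub-domain but not corp.example.com itself, so list the apex host as a separate entry if the extension must handle it.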
