Extensible Single Sign-On

Extensible Single Sign-On is an Apple feature that lets you configure single sign-on for users who access enterprise resources from iOS and macOS devices registered with Ivanti EPMM. Identity providers use the extension to deliver a seamless experience as users sign in to enterprise resources. Users on the device authenticate once, either with enterprise credentials or through an identity provider (IdP), and are not prompted to authenticate again for subsequent access.

This configuration does not require an Ivanti Tunnel or a Sentry deployment.

  • An app, also referred to as an app extension, that performs the SSO is required.

  • If you are configuring an identity provider (IdP), the IdP must have an app extension.

    • The Extensible Single Sign-On configuration is supported with ADFS.

  • The feature is supported on iOS 13.0 and macOS 10.15 or supported newer versions.

You configure Extensible Single Sign-On on the Admin Portal. Go to Policies & Configs > Configurations > Apple > iOS / macOS / tvOS > Extensible Single Sign-On. To distribute the configuration, save and apply it to a label that contains the target devices.

Extensible Single Sign-On requires an identity provider (IdP) app extension. Refer to the vendor-specific documentation for setup procedures.

The following table describes the fields and settings in the configuration.

Table 116.  Extensible Single Sign-On field description

Item

Description

Name

Enter a name that identifies this configuration.

Description

Enter a description that clarifies the purpose of this configuration.

Channel

The Channel options are applicable to macOS only.

Select one of the following:

  • User: Select to apply to only specific users on the device.

  • Device: Select to apply to all users on the device.

The User option is not supported on macOS 10.15 devices.

Extensible Single Sign-On

Choose SSO Type

Select the initial sign-on method.

  • Credentials: Select this option if the initial authentication method uses your enterprise credentials.

  • Redirect: Select this option if the enterprise resource uses an identity provider to authenticate users.

Host

If you select Credentials as the SSO Type, enter one or more host names or domain names that can be authenticated through the app extension.

Host or domain name matching is not case sensitive. The host and domain names must be unique. Hosts that begin with a “.” are wildcard suffixes. Wildcard suffixes will match all sub-domains. Otherwise, the host or domain name must be an exact match.

URL

If you select Redirect as the SSO Type, enter one or more URL prefixes of identity providers where the app extension performs SSO.

The URLs must begin with http:// or https://. The scheme and host name matching is not case sensitive. Do not use query parameters and URL fragments. The URLs must be unique.

Extension Identifier

Enter the bundle ID of the app extension that performs single sign-on for the specified hosts or URLs.

Team Identifier

Enter the team identifier of the app extension.

The team identifier is required on macOS. However, it is ignored on iOS.

Realm

If you select Credentials as the SSO Type, enter the realm name.

The realm name is case sensitive and must be an exact match.

Custom Data

Enter custom data as one or more key-value pairs.

Configure Platform SSO (macOS 14+)

Select the checkbox to enable the Platform SSO fields below.

Use Shared Device Keys (Boolean)

Select the checkbox to have the system use the same signing and encryption keys for all users on the device.

Enable Authorization (Boolean)

Select the checkbox to allow identity provider accounts to be used at authorization prompts. Requires Use Shared Device Keys to be selected. The system assigns groups using Administrator Groups, Additional Groups, or Authorization Groups.

Enable Create User At Login

Select the checkbox to allow new users to be created at the login window. The Authentication Method must be Password or SmartCard, and Use Shared Device Keys must be selected.

Account Display Name (String)

Enter the display name for the account in notifications and authentication requests.

Additional Groups (String)

Enter the list of groups the system creates that do not have administrator access.

Administrator Groups (String)

Enter the list of groups to use for administrator access. The system requests membership during authentication.

Authentication Method (String)

The Platform SSO authentication method to use with the extension. The SSO extension must also support the selected method.

Possible Values: Password, UserSecureEnclaveKey, SmartCard

Authorization Groups

Enter authorization rights associated with group names. When such a group is used, the system modifies the corresponding authorization right to use it.

Login Frequency (Integer)

Enter the time, in seconds, after which the system requires a full login instead of a refresh.

Default: 64800 (18 hours)

Minimum Value: 3600 (1 hour)

New User Authorization Mode (String)

The authorization mode applied to accounts newly created at login.

Allowed values:

Standard: The account is for a standard user.

Admin: The system adds the account to the local administrator group.

Groups: The system assigns groups to the account using AdministratorGroups, AdditionalGroups, or AuthorizationGroups.

Token To User Mapping

The attribute mapping to use when creating new users or for authorization.

User Authorization Mode

Select one of the authorization modes for a user from the drop-down list:

  • Standard: The account is for a standard user.

  • Admin: The system adds the account to the local administrator’s group.

  • Groups: The system assigns the user's groups using Administrator Groups, Authorization Groups, or Additional Groups.

Authentication Grace Period

Enter the amount of time, after one of the FileVault, Login, or Unlock policies is received, during which unregistered local accounts can still be used.

FileVault Policy

Select one of the policies from the drop-down list:

  • Attempt Authentication

  • Require Authentication

  • Allow Offline Grace Period

  • Allow Authentication Grace Period

Login Policy

Select one of the policies from the drop-down list:

  • Attempt Authentication

  • Require Authentication

  • Allow Offline Grace Period

  • Allow Authentication Grace Period

Non-Platform SSO Accounts

Enter the list of usernames that are not subject to the FileVault, Login, or Unlock policies.

Offline Grace Period

Enter the amount of time after the last successful Platform SSO login during which a local account password can be used offline, when the selected policy allows an offline grace period.

Unlock Policy

Select one of the policies from the drop-down list:

  • Attempt Authentication

  • Require Authentication

  • Allow Offline Grace Period

  • Allow Authentication Grace Period

  • Allow TouchID Or Watch For Unlock

Screen Locked Behavior

(applicable for iOS 15.0+ and macOS 12.0+)

Select one of the following options:

  • Cancel: The system cancels authentication requests when the screen is locked.

  • Do Not Handle: The authentication request continues without SSO when the screen is locked.

Denied Bundle Identifiers

(applicable for iOS 15.0+ and macOS 12.0+)

Add the bundle identifiers of apps that must not use the SSO provided by this extension, for example com.company.appname.www.

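The following is an added example, not Ivanti's or Apple's code, that applies the host, URL, realm and Platform SSO rules from the table above to a configuration and builds the payload dictionary an MDM server would push to the device. The com.apple.extensiblesso key names are Apple's as the author understands them and should be checked against Apple's Device Management documentation; the bundle ID, team ID, hosts, realm and URLs in the sample are constructed placeholders.

```python
"""Validate an Extensible SSO configuration and emit its payload dictionary.

Added example, not Ivanti or Apple code. Payload key names follow Apple's
com.apple.extensiblesso payload as the author understands it; verify them
against Apple's Device Management reference before relying on them.
"""
from urllib.parse import urlsplit

LOGIN_FREQUENCY_MIN = 3600       # seconds; minimum stated in the table
LOGIN_FREQUENCY_DEFAULT = 64800  # seconds; 18 hours


def normalize_hosts(hosts):
    """Credentials type: matching is case-insensitive, entries must be unique,
    and a leading '.' marks a wildcard suffix covering all sub-domains."""
    seen = set()
    for h in hosts:
        h = h.strip().lower()
        if h in ("", "."):
            raise ValueError(f"empty host entry: {h!r}")
        if h in seen:
            raise ValueError(f"duplicate host: {h}")
        seen.add(h)
    return sorted(seen)


def host_matches(rule, host):
    """True if host falls under rule. '.example.com' covers mail.example.com
    but not the bare apex example.com; any other rule must match exactly."""
    rule, host = rule.lower(), host.lower()
    if rule.startswith("."):
        return host.endswith(rule)
    return host == rule


def normalize_urls(urls):
    """Redirect type: prefixes must be http(s); scheme and host are compared
    case-insensitively; no query or fragment; entries must be unique."""
    seen = set()
    for u in urls:
        parts = urlsplit(u.strip())
        if parts.scheme.lower() not in ("http", "https"):
            raise ValueError(f"URL must start with http:// or https://: {u}")
        if parts.query or parts.fragment:
            raise ValueError(f"URL must not carry a query or fragment: {u}")
        norm = parts._replace(scheme=parts.scheme.lower(),
                              netloc=parts.netloc.lower()).geturl()
        if norm in seen:
            raise ValueError(f"duplicate URL prefix: {norm}")
        seen.add(norm)
    return sorted(seen)


def validate_platform_sso(p):
    """Dependency and range checks from the Platform SSO fields in the table."""
    shared = bool(p.get("UseSharedDeviceKeys", False))
    if p.get("EnableAuthorization") and not shared:
        raise ValueError("EnableAuthorization requires UseSharedDeviceKeys")
    if p.get("EnableCreateUserAtLogin") and not shared:
        raise ValueError("EnableCreateUserAtLogin requires UseSharedDeviceKeys")
    method = p.get("AuthenticationMethod", "Password")
    if method not in ("Password", "UserSecureEnclaveKey", "SmartCard"):
        raise ValueError(f"unsupported AuthenticationMethod: {method}")
    if p.get("EnableCreateUserAtLogin") and method == "UserSecureEnclaveKey":
        raise ValueError("Create User At Login needs Password or SmartCard")
    freq = int(p.get("LoginFrequency", LOGIN_FREQUENCY_DEFAULT))
    if freq < LOGIN_FREQUENCY_MIN:
        raise ValueError(f"LoginFrequency {freq}s is below {LOGIN_FREQUENCY_MIN}s")
    out = dict(p)
    out["LoginFrequency"] = freq
    return out


def build_payload(cfg):
    """Map the Admin Portal fields to the payload, rejecting invalid combinations."""
    payload = {"PayloadType": "com.apple.extensiblesso",
               "ExtensionIdentifier": cfg["extension_identifier"]}
    if cfg.get("team_identifier"):       # required on macOS, ignored on iOS
        payload["TeamIdentifier"] = cfg["team_identifier"]
    if cfg["sso_type"] == "Credentials":
        payload["Type"] = "Credential"
        payload["Hosts"] = normalize_hosts(cfg.get("hosts", []))
        if "realm" in cfg:               # case-sensitive exact match: never lower()
            payload["Realm"] = cfg["realm"]
    elif cfg["sso_type"] == "Redirect":
        payload["Type"] = "Redirect"
        payload["URLs"] = normalize_urls(cfg.get("urls", []))
    else:
        raise ValueError(f"unknown SSO type: {cfg['sso_type']}")
    if cfg.get("custom_data"):
        payload["ExtensionData"] = dict(cfg["custom_data"])
    if cfg.get("denied_bundle_identifiers"):
        payload["DeniedBundleIdentifiers"] = list(cfg["denied_bundle_identifiers"])
    if cfg.get("platform_sso"):
        payload["PlatformSSO"] = validate_platform_sso(cfg["platform_sso"])
    return payload


if __name__ == "__main__":
    # Constructed sample values; the identifiers and names are placeholders.
    cred = build_payload({
        "sso_type": "Credentials",
        "extension_identifier": "com.example.sso.extension",
        "team_identifier": "ABCDE12345",
        "hosts": [".Corp.Example.com", "intranet.example.com"],
        "realm": "CORP.EXAMPLE.COM",
    })
    print(cred["Hosts"], host_matches(".corp.example.com", "mail.corp.example.com"))
```

A wildcard suffix such as `.corp.example.com` hands every sub-domain's authentication challenges to the extension, so keep the host list to the hosts that actually need SSO; the validator deliberately leaves the Realm value untouched because the device compares it case-sensitively.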