Single Sign-On Configuration
Ivanti Neurons for MDM enables Extensible Single Sign-On (SSO) with the Extensible SSO and Extensible SSO Kerberos configurations. The implementation requires an app extension, such as Microsoft Authenticator, from the identity provider. With an Extensible SSO implementation, users need to only authenticate once when accessing enterprise resources. Users are not prompted to authenticate for subsequent logins. For information about setup information for the intended identity provider, see Configure Identity Provider.
This section contains the following topics:
Single sign-on account settings
Applicable to:
- iOS 7.0 through the most recently released version as supported by Ivanti Neurons for MDM.
-
visionOS 1.1 through the most recently released version as supported by by Ivanti Neurons for MDM.
Use the following settings to configure Kerberos-based enterprise SSO for any managed app and Apple Safari browser on iOS devices.
This configuration requires Tunnel and Sentry. For more information, see "Setting up single sign-on with Kerberos" in the Tunnel for iOS Guide.
Setting |
Description |
---|---|
Name |
Enter a name that identifies this configuration. |
Description |
Enter a description that clarifies the purpose of this configuration. |
User name |
Enter the Kerberos principal name. |
Kerberos realm name |
Enter the Kerberos realm name. |
Certificate |
For iOS 8 with Gold license: Select the certificate to use to renew the Kerberos credential. |
URL prefixes matches |
List of URLs prefixes that must be matched in order to use this account for Kerberos authentication over HTTP. |
Allowlist Applications for SSO |
Add apps from the App Catalog to Allowlist them for SSO. For example, enter "Safari" to add Apple Safari. If no apps are Allowlisted for SSO using a configuration of this type, all apps that support iOS SSO can utilize SSO, including built-in iOS apps. |
Extensible single sign-on account settings
Applicable to:
-
iOS 13.0 through the most recently released version as supported by Ivanti Neurons for MDM.
-
macOS 10.15 through the most recently released version as supported by Ivanti Neurons for MDM.
-
visionOS 1.1 through the most recently released version as supported by by Ivanti Neurons for MDM.
Use the following settings to configure the SSO extension profile with the generic extension type to enable SSO for native apps and websites with various authentication methods.
Extensible SSO does not work when the configuration is pushed in the user channel for macOS 10.15.x devices.
Setting |
Description |
---|---|
Name |
Enter a name that identifies this configuration. |
Description |
Enter a description that clarifies the purpose of this configuration. |
Choose SSO type |
Select one of the following SSO types:
|
Extension Identifier |
Enter the bundle identifier of the app extension that performs SSO for the specified URLs. |
Team Identifier |
The team identifier of the app extension. This key is required on macOS and ignored elsewhere. |
Custom Data |
Enter one or more custom data as key-value pairs. |
Authentication Method (Applicable only for macOS 13+) |
|
Registration Token |
Enter the token. This field is enabled once you select one of the Authentication Methods. |
Screen Locked Behavior (applicable for iOS 15.0+ and macOS 12.0+) |
Select one of the following options:
|
Denied Bundle Identifiers (applicable for iOS 15.0+ and macOS 12.0+) |
Add multiple bundle identifiers of apps that do not use the SSO provided by this extension. For example, com.company.appname.www. |
Applicable to: macOS 14.0 through the most recently released version as supported by Ivanti Neurons for MDM.
Setting |
Description |
---|---|
Account Display Name |
Enter a name for the account that displays in notifications and authentication requests. |
Additional Groups |
Enter the name of the groups that will not have administrator access. |
Administrator Groups |
Enter the name of the group that has administrator access. |
Authentication Method |
Select one of the authentication methods from the drop-down list:
|
Authorization Groups |
Enter the authorization right for a group name. |
Enable Authorization |
Select the checkbox to enable authorization prompts for administrator groups, authorization groups, or additional groups. |
Enable Create User At Login |
Select the checkbox to enable the creation of new users during login by using a password or smart card as an authentication method. |
Login Frequency |
The duration, in seconds, until the system requires a full login instead of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600 (1 hour). |
New User Authorization Mode |
Select one of the authorization modes for a new user from the drop-down list:
|
Token To User Mapping |
Enter the account name and the full name of the new users to map them for authorization. |
User Authorization Mode |
Select one of the authorization modes for a user from the drop-down list:
|
Use Shared Device Keys |
Select the check box to enable the same login and encryption keys for all users. |
Applicable to: macOS 14.0 through the most recently released version as supported by Ivanti Neurons for MDM.
To view the Extensible single sign-on account settings, select the drop-down option as Password in the Authentication Method field.
Setting |
Description |
---|---|
FileVault Policy |
Enable the policy to view the following settings:
|
Login Policy |
Enable the policy to view the following settings:
|
Unlock Policy |
Enable the policy to view the following settings:
|
Authentication Grace Period |
Enter the amount of time after selecting one of the policies to use unregistered local accounts. If you select the Allow Authentication Grace Period checkbox in one of the policies, it becomes a mandatory field. |
Offline Grace Period |
Enter the amount of time after selecting one of the policies to use an offline local account password after a successful Platform SSO login. If you select the Allow Offline Grace Period checkbox in one of the policies, it becomes a mandatory field. |
Non Platform SSO Accounts |
Select + Add to enter the list of usernames that are not subjected to FileVault, Login, or Unlock policies. |
Extensible single sign-on Kerberos account settings
Applicable to:
-
iOS 13.0 through the most recently released version as supported by Ivanti Neurons for MDM.
-
macOS 10.15 through the most recently released version as supported by Ivanti Neurons for MDM.
-
visionOS 1.1 through the most recently released version as supported by by Ivanti Neurons for MDM.
Use the following settings to configure an app extension that performs SSO with Kerberos extension.
Extensible SSO Kerberos does not work when the configuration is pushed in the user channel for macOS 10.15.x devices.
Setting |
Description |
---|---|
Basic Settings |
|
Name |
Enter a name that identifies this configuration. |
Description |
Enter a description that clarifies the purpose of this configuration. |
User name |
Enter the Kerberos principal name. |
Realm |
Enter the Kerberos realm name. |
Certificate |
Select the certificate to use to renew the Kerberos credential. |
URL Prefixes |
List of URLs prefixes that must be matched in order to use this account for Kerberos authentication over HTTP. |
Advanced Settings |
|
Allow Automatic Login |
If false, passwords are not allowed to be saved to the keychain. By default, this option is enabled. |
Delay User Setup |
If true, doesn’t prompt the user to setup the Kerberos extension until either the administrator enables it with the app-sso tool or a Kerberos challenge is received. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM. |
Require User Presence | If true, requires the user to provide Touch ID, Face ID, or their passcode to access the keychain entry. |
Monitor Credential Cache |
If false, the credential is requested on the next matching Kerberos challenge or network state change. If the credential is expired or missing, a new one will be created. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM. By default, this option is enabled. |
Cache Name |
Enter the Generic Security Service (GSS) name of the Kerberos cache to use. This option is now deprecated. |
Domain Realm Mapping |
Enter the name of the realm as the key. The value is an array of DNS suffixes that map to the realm. Click + Add to add one or more key-value pairs. |
Default Realm |
This property specifies the default realm if there is more than one Kerberos extension configuration. |
Use Site Auto Discovery |
If false, the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name. By default, this option is enabled. |
Site Code |
Enter the name of the Active Directory site the Kerberos extension should use. |
Replication Time |
Enter the time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension will use this when checking password age after a change. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM. This option is now deprecated. |
Credential Bundle ID ACL |
Click + Add to add a list of bundle IDs allowed to access the Ticket Granting Ticket (TGT) for authentication. |
Include Managed Apps in Bundle ID ACL |
If true, the Kerberos extension will allow only managed apps to access and use the credential. This is in addition to the Credential Bundle ID ACL, if it is specified. This option is applicable to iOS 14 or supported newer versions of Ivanti Neurons for MDM. |
Include Kerberos Apps in Bundled ID ACL |
If true, the Kerberos extension allows the standard Kerberos utilities including Ticket Viewer and klist to access the use the credential. Available in macOS 12 and later. |
Custom Username Label |
Enter the custom user name label used in the Kerberos extension instead of "Username." For example, "Company ID." This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM. |
Help Text |
Enter the text to be displayed to the user at the bottom of the Kerberos login window. It can be used to display help information or disclaimer text. This option is applicable to iOS 14 and macOS 11 through the latest version as supported by Ivanti Neurons for MDM. |
Credential Use Mode |
This setting affects how the Kerberos Extension credential is used by other processes. Use one of the following:
(Optional) Select Require TLS for LDAP. |
Preferred Key Distribution Centers
|
Add Preferred Key Distribution Centers. Click +Add to add a preferred KDC. |
Allow Platform SSO Auth Fallback - If True and if Use Platform SSO TGT is true, allows the user to manually sign in. Available in macOS 13 and later |
|
Perform Kerberos Only - If True, the Kerberos extension handles Kerberos requests only. Available in macOS 13 and later. |
|
Use Platform SSO TGT - If True, this configuration uses a TGT from Platform SSO instead of requesting a new one. Available in macOS 13 and later. |
|
Configure Switch to Password mode |
If True, allows the user to switch the user interface to Password mode. Available in macOS 15 and later. |
Configure Switch to Smart Card mode |
If True, allows the user to switch the user interface to SmartCard mode. Available in macOS 15 and later. |
Configure Start in Smart Card mode |
If True, the user interface starts in SmartCard mode. Available in macOS 15 and later. |
Identity Issuer Auto Select Filter |
Filters the list of available Smart Cards. Available in macOS 15 and later. |
Password Settings | |
Allow Password Change |
If false, disables password changes. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. By default, this option is enabled. |
Password Change URL |
Enter the URL to be launched in the user’s default web browser when they initiate a password change. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. |
Allow Password Complexity |
If true, passwords must meet Active Directory's definition of "complex." This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. |
Minimum Password Length |
Enter the minimum length (in characters) of passwords on the domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. |
Password Expiry Notification |
Enter the number of days prior to password expiration when a notification of password expiration will be sent to the user. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. The default value is 15 days. |
Password Expiry Override |
Enter the number of days that passwords can be used on this domain. For most domains, this can be calculated automatically. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. (This option is now deprecated) |
Password Required Text |
Enter the text version of the domain's password requirements. Only for use if pwReqComplexity or pwReqLength aren’t specified. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. |
Password History Count |
Enter the number of prior passwords that cannot be re-used on this domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. |
Password Minimum Age |
Enter the minimum age (in days) of passwords before they can be changed on this domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. |
Allow Syncing Local Password |
If false, disables password sync. This will not work if the user is logged in with a mobile account. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. |
Password Requirement RTF data |
RTF file formatted version of the domain’s password requirements. Available in macOS 15 and later. Only for use if pwReqComplexity or pwReqLength are not specified. |
For more information, see How to create a configuration