Single Sign-On Configuration

Ivanti Neurons for MDM enables Extensible Single Sign-On (SSO) with the Extensible SSO and Extensible SSO Kerberos configurations. The implementation requires an app extension, such as Microsoft Authenticator, from the identity provider. With an Extensible SSO implementation, users need to only authenticate once when accessing enterprise resources. Users are not prompted to authenticate for subsequent logins. For information about setup information for the intended identity provider, see Configure Identity Provider.

This section contains the following topics:

Single sign-on account settings
Extensible single sign-on account settings
Extensible single sign-on Kerberos account settings

Single sign-on account settings

Applicable to: iOS 7.0 through the most recently released version as supported by Ivanti Neurons for MDM.

Use the following settings to configure Kerberos-based enterprise SSO for any managed app and Apple Safari browser on iOS devices.

This configuration requires Tunnel and Sentry. For more information, see "Setting up single sign-on with Kerberos" in the Tunnel for iOS Guide.

Setting	Description
Name	Enter a name that identifies this configuration.
Description	Enter a description that clarifies the purpose of this configuration.
User name	Enter the Kerberos principal name.
Kerberos realm name	Enter the Kerberos realm name.
Certificate	For iOS 8 with Gold license: Select the certificate to use to renew the Kerberos credential.
URL prefixes matches	List of URLs prefixes that must be matched in order to use this account for Kerberos authentication over HTTP.
Allowlist Applications for SSO	Add apps from the App Catalog to Allowlist them for SSO. For example, enter "Safari" to add Apple Safari. If no apps are Allowlisted for SSO using a configuration of this type, all apps that support iOS SSO can utilize SSO, including built-in iOS apps.

Extensible single sign-on account settings

Applicable to:

iOS 13.0 through the most recently released version as supported by Ivanti Neurons for MDM.
macOS 10.15 through the most recently released version as supported by Ivanti Neurons for MDM.

Use the following settings to configure the SSO extension profile with the generic extension type to enable SSO for native apps and websites with various authentication methods.

Extensible SSO does not work when the configuration is pushed in the user channel for macOS 10.15.x devices.

Setting	Description
Name	Enter a name that identifies this configuration.
Description	Enter a description that clarifies the purpose of this configuration.
Choose SSO type	Select one of the following SSO types: Credentials Enter one or more Host names or domain names that can be authenticated through the app extension. Host or domain names are matched case-insensitively, and all the host/domain names of all installed Extensible SSO payloads must be unique. Hosts that begin with a “.” are wildcard suffixes and will match all subdomains, otherwise the host must be an exact match. Enter the Realm name. This value should be properly capitalized. Redirect Enter one or more URL prefixes of identity providers where the app extension performs SSO. The URLs must begin with http:// or https://, the scheme and host name are matched case-insensitively, query parameters and URL fragments are not allowed, and the URLs of all installed Extensible SSO payloads must be unique.
Extension Identifier	Enter the bundle identifier of the app extension that performs SSO for the specified URLs.
Team Identifier	The team identifier of the app extension. This key is required on macOS and ignored elsewhere.
Custom Data	Enter one or more custom data as key-value pairs.
Authentication Method (Applicable only for macOS 13+)	Password User Secure Enclave Key
Registration Token	Enter the token. This field is enabled once you select one of the Authentication Methods.

Extensible single sign-on Kerberos account settings

Applicable to:

iOS 13.0 through the most recently released version as supported by Ivanti Neurons for MDM.
macOS 10.15 through the most recently released version as supported by Ivanti Neurons for MDM.

Use the following settings to configure an app extension that performs SSO with Kerberos extension.

Extensible SSO Kerberos does not work when the configuration is pushed in the user channel for macOS 10.15.x devices.

Setting	Description
Basic Settings
Name	Enter a name that identifies this configuration.
Description	Enter a description that clarifies the purpose of this configuration.
User name	Enter the Kerberos principal name.
Realm	Enter the Kerberos realm name.
Certificate	Select the certificate to use to renew the Kerberos credential.
URL Prefixes	List of URLs prefixes that must be matched in order to use this account for Kerberos authentication over HTTP.
Advanced Settings
Allow Automatic Login	If false, passwords are not allowed to be saved to the keychain. By default, this option is enabled.
Delay User Setup	If true, doesn’t prompt the user to setup the Kerberos extension until either the administrator enables it with the app-sso tool or a Kerberos challenge is received. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM.
Require User Presence	If true, requires the user to provide Touch ID, Face ID, or their passcode to access the keychain entry.
Monitor Credential Cache	If false, the credential is requested on the next matching Kerberos challenge or network state change. If the credential is expired or missing, a new one will be created. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM. By default, this option is enabled.
Cache Name	Enter the Generic Security Service (GSS) name of the Kerberos cache to use. This option is now deprecated.
Domain Realm Mapping	Enter the name of the realm as the key. The value is an array of DNS suffixes that map to the realm. Click + Add to add one or more key-value pairs.
Default Realm	This property specifies the default realm if there is more than one Kerberos extension configuration.
Use Site Auto Discovery	If false, the Kerberos extension doesn't automatically use LDAP and DNS to determine its AD site name. By default, this option is enabled.
Site Code	Enter the name of the Active Directory site the Kerberos extension should use.
Replication Time	Enter the time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension will use this when checking password age after a change. This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM. This option is now deprecated.
Credential Bundle ID ACL	Click + Add to add a list of bundle IDs allowed to access the Ticket Granting Ticket (TGT) for authentication.
Include Managed Apps in Bundle ID ACL	If true, the Kerberos extension will allow only managed apps to access and use the credential. This is in addition to the Credential Bundle ID ACL, if it is specified. This option is applicable to iOS 14 or supported newer versions of Ivanti Neurons for MDM.
Include Kerberos Apps in Bundled ID ACL	If true, the Kerberos extension allows the standard Kerberos utilities including Ticket Viewer and klist to access the use the credential. Available in macOS 12 and later.
Custom Username Label	Enter the custom user name label used in the Kerberos extension instead of "Username." For example, "Company ID." This option is applicable to macOS 11 through the latest version as supported by Ivanti Neurons for MDM.
Help Text	Enter the text to be displayed to the user at the bottom of the Kerberos login window. It can be used to display help information or disclaimer text. This option is applicable to iOS 14 and macOS 11 through the latest version as supported by Ivanti Neurons for MDM.
Credential Use Mode	This setting affects how the Kerberos Extension credential is used by other processes. Use one of the following: Always (default) - The extension credential will always be used if the service principal name (SPN) matches the Kerberos Extension Hosts array. The credential will not be used if the calling app is not in credentialBundleIDACL. When Not Specified - The credential will only be used when another credential has not been specified by the caller and the SPN matches the Kerberos Extensions Hosts array. The credential will not be used if the calling app is not in credentialBundleIDACL. Kerberos Default - The default Kerberos processes for selecting credentials is used which normally uses the default Kerberos credential. This is the same as turning off this capability. (Optional) Select Require TLS for LDAP.
Preferred Key Distribution Centers	Add Preferred Key Distribution Centers. Click +Add to add a preferred KDC.
	Allow Platform SSO Auth Fallback - If True and if Use Platform SSO TGT is true, allows the user to manually sign in. Available in macOS 13 and later
	Perform Kerberos Only - If True, the Kerberos extension handles Kerberos requests only. Available in macOS 13 and later.
	Use Platform SSO TGT - If True, this configuration uses a TGT from Platform SSO instead of requesting a new one. Available in macOS 13 and later.
Password Settings
Allow Password Change	If false, disables password changes. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. By default, this option is enabled.
Password Change URL	Enter the URL to be launched in the user’s default web browser when they initiate a password change. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.
Allow Password Complexity	If true, passwords must meet Active Directory's definition of "complex." This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.
Minimum Password Length	Enter the minimum length (in characters) of passwords on the domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.
Password Expiry Notification	Enter the number of days prior to password expiration when a notification of password expiration will be sent to the user. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. The default value is 15 days.
Password Expiry Override	Enter the number of days that passwords can be used on this domain. For most domains, this can be calculated automatically. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM. (This option is now deprecated)
Password Required Text	Enter the text version of the domain's password requirements. Only for use if pwReqComplexity or pwReqLength aren’t specified. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.
Password History Count	Enter the number of prior passwords that cannot be re-used on this domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.
Password Minimum Age	Enter the minimum age (in days) of passwords before they can be changed on this domain. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.
Allow Syncing Local Password	If false, disables password sync. This will not work if the user is logged in with a mobile account. This option is applicable to macOS 10.15 through the latest version as supported by Ivanti Neurons for MDM.

For more information, see How to create a configuration