
Configure Extensible SSO on iOS devices

Single Sign-On (SSO) provides a seamless authentication process for the devices at your workplace, allowing users to access enterprise applications and websites without re-entering their credentials.

Extensible Single Sign-On (SSO) allows organizations to extend their single sign-on capabilities to Apple devices, letting users sign in to a wider range of applications, websites and services, including those that do not natively support SSO. By integrating SSO extensions from third-party identity providers (IdPs) such as Okta or Microsoft Entra ID, or Apple's built-in Kerberos extension, organizations can enhance security and streamline the user experience by reducing the need for repeated logins.

Note:

  • Extensible SSO is supported on iOS devices running version 13 or later.
  • Once a user has authenticated through the Kerberos extension or a third-party IdP extension, they will not be prompted to authenticate again for subsequent sign-ins to apps and sites covered by the extension.

Setting up Extensible SSO

Here's how you can set up and configure Extensible SSO on iOS devices from the Hexnode portal:

  1. Log in to your Hexnode UEM portal.
  2. Navigate to the Policies tab.
  3. Click on New Policy to create a new policy and enter the policy name and description (optional) in the provided fields. You can also choose an existing policy.
  4. Go to iOS > Security and select Extensible SSO. Then, click Configure.
  5. Select the SSO extension type. There are three types to choose from:
    • Credential: Used for challenge/response authentication scenarios.
    • Redirect: Used for modern authentication protocols such as OAuth, SAML, or OpenID Connect.
    • Kerberos: Apple's built-in extension, used in environments that support Kerberos authentication.
  6. Under the field Extension Identifier, specify the bundle identifier of the app extension that handles SSO. For example, com.okta.mobile.auth-service-extension.

Note:

    The app extension communicates with the Identity Provider (IdP) to perform the authentication flow for Single Sign-On (SSO) on the devices. For a third-party extension, the app that contains the extension must be installed on the device; Apple's Kerberos extension is built into iOS.

    You will need to configure the following settings for each extension type, depending on the one you choose:

1. Credential

  • Realm: Specify the authentication realm. Note: the value of the realm must be in upper-case.
  • SSO blocklist: Specify the bundle identifiers of the apps that are excluded from using SSO. Supported only on iOS 15+.
  • Hosts: Specify the domains or hostnames that the app extension can authenticate.
  • Lock screen behavior: Choose the authentication behavior to apply when the device is locked. There are two options:
    • Cancel authentication requests: Authentication requests will be canceled if the device is locked.
    • Do not handle authentication requests: Authentication requests will be processed without SSO when the device is locked.

2. Redirect

  • SSO blocklist: Specify the bundle identifiers of the apps that are excluded from using SSO. Supported only on iOS 15+.
  • URL: Specify the URL of your identity provider at which the app extension performs SSO.
  • Lock screen behavior: Choose the authentication behavior to apply when the device is locked. There are two options:
    • Cancel authentication requests: Authentication requests will be canceled if the device is locked.
    • Do not handle authentication requests: Authentication requests will be processed without SSO when the device is locked.

3. Kerberos

  • Realm: Specify the authentication realm. Note: the value of the realm must be in upper-case.
  • Hosts: Specify the domains or hostnames that the app extension can authenticate.
  • Allow saving password in keychain: Enable this option to allow the user's password to be saved in the device keychain, so that the extension can renew Kerberos tickets without prompting. If it is disabled, users are asked for their password again when their ticket expires.

Custom Configuration

You can also upload a file containing the key-value pairs required for custom configuration of the SSO extension.

Note:

    The file must be in .plist format.
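The settings described for the three extension types correspond to keys in Apple's com.apple.extensiblesso profile payload, and the custom .plist presumably supplies the ExtensionData dictionary that is handed to the extension. The following added Python example (not Hexnode's or Apple's code) assembles and checks such a payload for a Credential, Redirect or Kerberos extension, applying the constraints stated above: upper-case realm, SSO blocklist only on iOS 15+, a Redirect extension needing its IdP URL, and the custom configuration parsed as a plist dictionary. The payload identifier, the example hosts, URLs and bundle identifiers, the sample custom .plist and the mapping of portal fields onto payload keys are assumptions made for the example.

```python
"""Assemble and sanity-check an Extensible SSO payload from the portal settings.

Added example, not Hexnode's or Apple's code. PayloadType, ExtensionIdentifier,
Type, Realm, Hosts, URLs, DeniedBundleIdentifiers, ScreenLockedBehavior and
ExtensionData are the keys Apple documents for com.apple.extensiblesso; the
mapping of the portal's fields onto them is an assumption of this example.
"""
import plistlib
import re

# Apple's built-in Kerberos extension (a Credential-type extension).
KERBEROS_EXTENSION = "com.apple.AppSSOKerberos.KerberosExtension"
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")
LOCK_SCREEN = {"cancel": "Cancel", "do_not_handle": "DoNotHandle"}

# Constructed sample of an uploaded custom-configuration .plist.
SAMPLE_CUSTOM_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>pwNotificationDays</key>
  <integer>14</integer>
</dict>
</plist>
"""


def _checked_realm(realm):
    """The page requires the realm to be upper-case (e.g. CORP.EXAMPLE.COM)."""
    if not realm or realm != realm.upper():
        raise ValueError(f"realm must be given in upper-case: {realm!r}")
    return realm


def _custom_data(custom_plist):
    """Parse the uploaded .plist; it must be a dictionary of key-value pairs."""
    if not custom_plist:
        return {}
    data = plistlib.loads(custom_plist)
    if not isinstance(data, dict):
        raise ValueError("custom configuration must be a plist dictionary")
    return data


def build_sso_payload(ext_type, extension_id=None, realm=None, hosts=(),
                      urls=(), blocklist=(), lock_screen="cancel",
                      allow_keychain=True, custom_plist=b"", ios_major=17):
    """Return the payload dictionary for one Extensible SSO policy."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": "example.extensiblesso.policy",  # constructed
        "PayloadVersion": 1,
    }
    extension_data = _custom_data(custom_plist)

    if ext_type == "Kerberos":
        payload.update(ExtensionIdentifier=KERBEROS_EXTENSION,
                       TeamIdentifier="apple", Type="Credential")
        payload["Realm"] = _checked_realm(realm)
        payload["Hosts"] = list(hosts)
        # "Allow saving password in keychain" is a setting of the extension
        # itself, so it travels in ExtensionData rather than as a payload key.
        extension_data["allowAutomaticLogin"] = bool(allow_keychain)
    elif ext_type in ("Credential", "Redirect"):
        if not extension_id or not BUNDLE_ID_RE.match(extension_id):
            raise ValueError("extension identifier must be a bundle identifier")
        payload.update(ExtensionIdentifier=extension_id, Type=ext_type)
        if ext_type == "Credential":
            payload["Realm"] = _checked_realm(realm)
            payload["Hosts"] = list(hosts)
        elif not urls:
            raise ValueError("a Redirect extension needs the identity provider URL")
        else:
            payload["URLs"] = list(urls)
        if blocklist:
            if ios_major < 15:
                raise ValueError("SSO blocklist is supported only on iOS 15+")
            payload["DeniedBundleIdentifiers"] = list(blocklist)
        payload["ScreenLockedBehavior"] = LOCK_SCREEN[lock_screen]
    else:
        raise ValueError(f"unknown extension type {ext_type!r}")

    if extension_data:
        payload["ExtensionData"] = extension_data
    return payload


def serialize(payload):
    """XML plist bytes, as the payload would appear inside a profile."""
    return plistlib.dumps(payload)


def rejected(*args, **kwargs):
    """True if build_sso_payload refuses the given settings."""
    try:
        build_sso_payload(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    kerberos = build_sso_payload("Kerberos", realm="CORP.EXAMPLE.COM",
                                 hosts=["intranet.example.com"],
                                 allow_keychain=False,
                                 custom_plist=SAMPLE_CUSTOM_PLIST)
    print(serialize(kerberos).decode())
```

Running the script prints the Kerberos payload with the constructed custom key and allowAutomaticLogin set to false; feeding a lower-case realm, a blocklist on a device below iOS 15, or a Redirect extension with no URL makes build_sso_payload raise, which is the same set of mistakes the portal fields above guard against.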

Associate the policy with iOS devices

If you have not saved the policy yet,

  1. Go to Policy Targets > +Add Devices. Alternatively, you can choose to associate the policy to either device groups, users, user groups or domains from the left pane.
  2. Choose the target device/devices.
  3. Click OK, then click Save.

If you need to add more devices, click on +Add Devices again and repeat the above steps. This won’t affect your previous selections.

If you are on a page that lists the policies,

  1. Select a policy.
  2. From Manage drop-down, choose Associate Targets.
  3. Choose the target devices and click Associate.