Configure Extensible SSO on iOS devices

Extensible Single Sign-On (SSO) facilitates a seamless authentication process, allowing users to access enterprise applications and websites without repeated login prompts. This feature integrates SSO extensions from third-party Identity Providers (IdPs) like Okta or Microsoft Entra ID, as well as Apple’s built-in Kerberos extension.

1. Prerequisites

  • Device Version: iOS 13 or later.
  • Identity Provider App: The third-party IdP app providing the extension must be installed and managed on the device.

2. Configuration Workflow

  1. Log in to the Hexnode UEM portal.
  2. Navigate to Policies > New Policy > Create a fully custom policy > iOS > Security > Extensible SSO and click Configure.
  3. Select the SSO Extension Type. The Hexnode portal offers three primary extension types:

     Type        Technical Use Case
     Credential  Utilized for challenge/response authentication scenarios.
     Redirect    Utilized for modern protocols such as OAuth, SAML 2.0, or OpenID Connect.
     Kerberos    Apple’s built-in extension for environments supporting Kerberos authentication.

  4. Specify the Extension Identifier: This is the bundle identifier for the app extension (e.g., com.okta.mobile.auth-service-extension).

3. Technical Configuration Parameters

Credential & Redirect Parameters

  • Realm: The authentication realm. Value must be in UPPER-CASE.
  • SSO blocklist (iOS 15+): Bundle identifiers of apps excluded from using SSO.
  • Hosts: Specific domains or hostnames the extension can authenticate.
  • Lock screen behavior:
    • Cancel authentication requests: Requests terminate if the device is locked.
    • Do not handle authentication requests: Requests proceed without SSO when locked.

Redirect Extension Parameters

  • URL: The URL of the Identity Provider where the extension performs SSO.
  • SSO blocklist (iOS 15+): Bundle identifiers of apps excluded from using SSO.
  • Lock screen behavior:
    • Cancel authentication requests: Requests terminate if the device is locked.
    • Do not handle authentication requests: Requests proceed without SSO when locked.

Kerberos Extension Parameters

  • Realm: The Active Directory domain for user accounts. Value must be in UPPER-CASE.
  • Hosts: Domains or hostnames authenticated by the extension.
  • Allow saving password in Keychain Access: Enables password storage in the device’s secure Keychain.

4. Custom Configuration

Administrators can upload a file containing specific key-value pairs required by the SSO extension provider. The file must be in .plist format. This is necessary for advanced settings not covered by standard MDM fields.

5. Policy Deployment

  1. Navigate to Policy Targets in the Hexnode portal.
  2. Select the desired Devices, Users, or Groups.
  3. Click Save.

6. Troubleshooting & FAQs

FAQs

  1. Does this work with unmanaged apps?

    SSO extensions generally function for managed apps and websites visited in Safari, provided they match the configured hosts or URLs.

  2. Can multiple SSO policies be active?

    While multiple policies can be pushed, only one extension can handle a specific authentication challenge based on the domain or URL match.

  3. Is a third-party app required for Kerberos?

    No. The Kerberos extension is natively included in iOS and does not require a separate IdP app.

Troubleshooting

  • SSO Not Triggering: Confirm the Extension Identifier exactly matches the bundle ID of the installed extension app.
  • Authentication Failures: Verify the Realm is entered in ALL CAPS.
  • Lock Screen Issues: Adjust the Lock screen behavior to “Do not handle” if users must authenticate while the device is locked.
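The constraints this page states (a type-specific required parameter, an UPPER-CASE Realm, an Extension Identifier matching the installed extension, a dictionary-rooted custom .plist) can be checked before a policy is pushed. The lint below is an added example, not Hexnode code; the policy field names, the sample Okta policy values and the custom .plist contents are constructed for illustration.

```python
"""Pre-deployment lint for an Extensible SSO policy, in the terms this page uses (added example)."""
import plistlib

# Portal extension types and the parameter each one needs (Credential/Kerberos: Hosts, Redirect: URL).
REQUIRED_FIELD = {"Credential": "hosts", "Redirect": "url", "Kerberos": "hosts"}
LOCK_BEHAVIORS = {"Cancel authentication requests", "Do not handle authentication requests"}

# Constructed sample of a provider's custom key-value file (section 4); key and value are placeholders.
SAMPLE_CUSTOM_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>example_key</key><string>example_value</string>
</dict></plist>"""


def parse_custom_config(plist_bytes):
    """Load the custom .plist; the page describes it as key-value pairs, so the root must be a dict."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("custom configuration must be a plist dictionary")
    return data


def lint_policy(policy, installed_extensions, custom_plist=None):
    """Return a list of problems; an empty list means the policy passes every check on this page."""
    problems = []
    sso_type = policy.get("type")
    if sso_type not in REQUIRED_FIELD:
        problems.append(f"unknown SSO extension type {sso_type!r}")
    elif not policy.get(REQUIRED_FIELD[sso_type]):
        problems.append(f"{sso_type} extension requires {REQUIRED_FIELD[sso_type]!r}")
    # 'SSO Not Triggering': identifier must match an installed extension app.
    # FAQ 3: Kerberos is built into iOS, so no IdP app needs to be present.
    ext_id = policy.get("extension_identifier", "")
    if sso_type != "Kerberos" and ext_id not in installed_extensions:
        problems.append(f"extension identifier {ext_id!r} not installed on device")
    # 'Authentication Failures': Realm must be entered in ALL CAPS.
    realm = policy.get("realm")
    if realm is not None and realm != realm.upper():
        problems.append(f"realm {realm!r} must be UPPER-CASE")
    if policy.get("lock_screen_behavior") not in LOCK_BEHAVIORS:
        problems.append("lock screen behavior must be one of the two portal options")
    if custom_plist is not None:
        try:
            parse_custom_config(custom_plist)
        except Exception as exc:  # malformed file or non-dictionary root
            problems.append(f"custom configuration rejected: {exc}")
    return problems


if __name__ == "__main__":
    okta = {"type": "Redirect", "extension_identifier": "com.okta.mobile.auth-service-extension",
            "url": "https://idp.example.com", "realm": "EXAMPLE.COM",
            "lock_screen_behavior": "Cancel authentication requests"}
    print(lint_policy(okta, {"com.okta.mobile.auth-service-extension"}, SAMPLE_CUSTOM_PLIST))
```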