Secure Federated Identity Mapping: Phishing-Resistant SSO
1. Overview
This document outlines how to implement Extensible Single Sign-On (SSO) via Hexnode UEM to streamline the login experience on managed Apple endpoints. By configuring Extensible SSO (specifically the Redirect extension type) alongside Associated Domains, organizations can bypass redundant external Identity Provider (IdP) authentication prompts for verified users. This creates a “Silent SSO” or “Zero-Touch” login experience that reduces friction and drastically improves your security posture against phishing.
2. The Logic: Why Bypass the IdP?
In a traditional federation model, the Service Provider (SP) cannot verify the device’s integrity; it only evaluates the user’s credentials. In a Managed Identity model powered by Hexnode Extensible SSO:
- Trust is Pre-established: The device is already enrolled in Hexnode, equipped with a valid management profile and identity certificates.
- Native Interception: The OS-level SSO Extension intercepts authentication requests made to specific IdP URLs (e.g., https://login.microsoftonline.com).
- Silent Handshake: Instead of forcing the user to a web-based login screen, the device’s SSO extension provides a federation token directly in the background, skipping the manual username/password entry.
3. Prerequisites
- Device Enrollment: Devices should ideally be enrolled via Automated Device Enrollment (ADE) to establish hardware-backed trust.
- Operating System: iOS 13+ or macOS 10.15+ (macOS 13/14+ is recommended for advanced Platform SSO capabilities).
- Identity Provider App: The device must have the IdP’s broker app installed (e.g., Microsoft Company Portal app for Entra ID, or the Okta Extension app).
4. Configuration Steps (Hexnode UEM)
Step A: Configure the Extensible SSO Policy
- Log in to your Hexnode UEM portal and navigate to Policies.
- Go to macOS/iOS > Security > Extensible SSO and click Configure.
- SSO extension type: Select Redirect (used for modern authentication protocols like OAuth, SAML, or OpenID Connect).
- Extension identifier: Enter your IdP’s specific bundle ID (e.g., com.microsoft.CompanyPortalMac.ssoextension for Entra ID).
- Team identifier: Enter the Apple Developer Team ID for your IdP (e.g., UBF8T346G9 for Microsoft).
Step B: Define the Authentication URLs
Within the same Redirect configuration:
- Locate the URL field.
- Specify the URLs of your identity provider where the app extension performs SSO (e.g., https://login.microsoftonline.com or https://yourdomain.okta.com).
Result: When a user or app attempts to access these defined URLs, the OS will trigger the SSO extension to handle the authentication silently.
Step C: Establish Associated Domains (Crucial for macOS)
To ensure apps can securely interact with your verified web domains without prompts:
- Navigate to macOS > Configurations > Associated Domains.
- Add the App Identifier (e.g., UBF8T346G9.com.microsoft.teams2).
- Enter the Domains using the service:domain format (e.g., applinks:*.example.com).
Step D: Target & Deploy
Associate the configured policies with your required Devices, Device Groups, or User Groups and click Save.
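As an added example (not Hexnode's or Apple's code), the following Python check parses the configuration profile that Steps A to C produce once it reaches a device and verifies that the two payloads carry the values the guide specifies. The payload types and keys (`com.apple.extensiblesso`, `com.apple.associated-domains`, `Type`, `URLs`, `ScreenLockedBehavior`, `DeniedBundleIdentifiers`) are Apple's; the sample profile and the bundle ID `com.example.legacyapp` are constructed for illustration.

```python
import plistlib
EXPECTED_EXT = "com.microsoft.CompanyPortalMac.ssoextension"  # Entra ID broker extension (Step A)
EXPECTED_TEAM = "UBF8T346G9"                                   # Microsoft's Apple Team ID (Step A)

SAMPLE_PROFILE = plistlib.dumps({  # constructed sample of the pushed payloads, not a Hexnode export
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.extensiblesso", "Type": "Redirect",
         "ExtensionIdentifier": EXPECTED_EXT, "TeamIdentifier": EXPECTED_TEAM,
         "URLs": ["https://login.microsoftonline.com"], "ScreenLockedBehavior": "Cancel",
         "DeniedBundleIdentifiers": ["com.example.legacyapp"]},  # hypothetical excluded app
        {"PayloadType": "com.apple.associated-domains",
         "Configuration": [{"ApplicationIdentifier": "UBF8T346G9.com.microsoft.teams2",
                            "AssociatedDomains": ["applinks:*.example.com"]}]},
    ],
})

def check_profile(profile_xml: bytes, ext=EXPECTED_EXT, team=EXPECTED_TEAM) -> list:
    """Return findings for a profile; an empty list means it matches Steps A to C."""
    content = plistlib.loads(profile_xml).get("PayloadContent", [])
    payloads = {p.get("PayloadType"): p for p in content}
    sso = payloads.get("com.apple.extensiblesso")
    if sso is None:
        return ["no Extensible SSO payload (com.apple.extensiblesso) in profile"]
    findings = []
    if sso.get("Type") != "Redirect":
        findings.append(f"SSO Type is {sso.get('Type')!r}, expected 'Redirect'")
    if (sso.get("ExtensionIdentifier"), sso.get("TeamIdentifier")) != (ext, team):
        findings.append("ExtensionIdentifier/TeamIdentifier do not match the IdP broker extension")
    urls = sso.get("URLs", [])
    if not urls:
        findings.append("Redirect type without URLs: no IdP request will be intercepted")
    for url in urls:
        if not url.startswith("https://"):  # the extension should only claim TLS endpoints
            findings.append(f"IdP URL {url!r} is not https")
    if sso.get("ScreenLockedBehavior") != "Cancel":
        findings.append("ScreenLockedBehavior is not 'Cancel'; SSO requests are not cancelled on a locked device")
    domains = payloads.get("com.apple.associated-domains")
    if domains is None:
        findings.append("no Associated Domains payload; macOS apps may fall back to manual prompts")
        return findings
    for item in domains.get("Configuration", []):
        app_id = item.get("ApplicationIdentifier", "")
        if not app_id.startswith(team + "."):
            findings.append(f"Associated Domains app id {app_id!r} lacks the Team ID prefix")
        for entry in item.get("AssociatedDomains", []):
            if ":" not in entry:
                findings.append(f"domain entry {entry!r} is not in service:domain form")
    return findings
```

Run it against a profile exported from the device or from the UEM console before the policy is scoped broadly; the Troubleshooting section's first two symptoms (manual prompts, a legacy app needing the blocklist) map directly to the Associated Domains and `DeniedBundleIdentifiers` entries it inspects.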
5. Security Impact & “Break-Glass” Scenarios
| Feature | Standard Federation | Extensible SSO (Hexnode) |
|---|---|---|
| Login Friction | Multiple web redirects and repetitive MFA prompts. | Near Zero-Touch; OS-level broker handles tokens automatically. |
| Phishing Risk | High (Adversaries can spoof the IdP redirect page). | None (Authentication is handled natively by the extension; no URL to spoof). |
| Lock Screen Behavior | N/A | Admins can configure the policy to cancel authentication requests when the device is locked. |
Warning: Always ensure that “Break-Glass” (Emergency Admin) accounts are excluded from conditional access policies that mandate device compliance, ensuring they can still authenticate manually via the web if the MDM sync is interrupted.
6. Troubleshooting
- Redirection Loop/Manual Prompts: If the user is still being prompted, verify that the Associated Domains payload is properly configured. Without it, macOS apps may not securely hand off the authentication request to the SSO extension.
- App Exclusions: If a specific legacy app breaks during this flow, use the SSO blocklist field in the Hexnode Extensible SSO policy to exclude that app’s bundle identifier from utilizing the extension (iOS 15+ and macOS 12+).
- Broker App Missing: Ensure the required IdP application (like Microsoft Company Portal) is deployed to the device via Hexnode. The SSO Extension cannot function without its host app.