Streamline User Authentication with Extensible Single Sign-On
Extensible Single Sign-On
The Extensible Single Sign-On (SSO) feature on Apple devices allows organizations to provide seamless authentication across applications and websites by integrating with their identity provider (IdP). This feature is especially beneficial in enterprise and education settings, where users need to access multiple apps and services securely and efficiently without re-entering their credentials each time. With Extensible SSO, a single login can grant access to multiple apps and services, reducing the need for repeated logins and making the user experience more convenient. Once logged in, the authentication session can persist across different apps and browsers on the device, making access smoother. You can utilize Silverback to configure and manage SSO extensions on Apple devices.
Overview of SSO Variants
Apple generally provides two main variants of Extensible Single Sign-On (SSO) that MDM providers can use to enable seamless authentication on Apple devices: the Kerberos Single Sign-On extension and the Redirect Single Sign-On extension, which also includes a subset called Platform SSO. Neither Kerberos nor Platform SSO is supported in Silverback yet. Please refer to Apple's Tech Talk session Introducing Extensible Enterprise SSO.
Requirements
- Silverback 24.0 Update 2
- iOS, iPadOS 13.0 and newer
- macOS 10.15 (Catalina)
Contact your Identity Provider
Before you start, you should consult your identity provider and obtain the relevant Extensible Single Sign-On documentation. This will enable you to deploy and, if necessary, configure the required application. You will also need to create an Extensible Single Sign-On profile using the parameters available to you. In the following example, we will perform the configuration using the Microsoft Enterprise SSO Plug-in for Apple devices.
Add and Deploy the Application
To integrate and distribute the necessary application, please use the following articles:
- Application Guide Part III: Add iOS/iPadOS Application
- Application Guide Part V: Add macOS Application
If your identity provider's application requires a dedicated additional configuration, you can refer to the App Configuration Guide to have a look at how to configure an application.
Create and Deploy a Configuration
The next step is to create a new tag or edit an existing one and then add an Enterprise Single Sign-On profile to be installed on your managed devices.
Create a Tag
- Navigate to Tags and press New Tag
- Enter a name, e.g. Extensible Single Sign-On
- Enable the Profile Feature
- Enable at least one target Device Type, e.g. iPhone, iPad or macOS
- Press Save
Create a new Extensible Single Sign-On Profile
- Navigate to Profile
- Select Extensible Single Sign-On
- Press New Extensible SSO
- Enter a Profile name, e.g. Microsoft Enterprise SSO
- Add your Extensible Single Sign-On configuration
Required Configuration for Microsoft Enterprise SSO
According to the section for other MDM services in the Microsoft Enterprise SSO plug-in for Apple devices documentation, the following settings are required for the Microsoft Enterprise SSO.
Setting | iOS, iPadOS | macOS | Description |
---|---|---|---|
Extension identifier | com.microsoft.azureauthenticator.ssoextension | e.g., com.microsoft.CompanyPortalMac.ssoextension | The bundle identifier of the app extension that performs SSO for the specified URLs. |
Team identifier | Not required | e.g., UBF8T346G9 | The unique team ID for the app. |
Sign-on type | | | The type of SSO. Available options are Credential and Redirect. |
URLs | | | Required for Redirect payloads. Ignored for Credential payloads. The URLs must begin with https:// or http://; the scheme and hostname are matched case insensitively, query parameters and URL fragments aren’t allowed, and the URLs of all installed Extensible SSO payloads must be unique. |
- Press Save
- Confirm with OK
Additional available configuration
If your identity provider's Extensible Single Sign-On configuration supports additional options, the following settings are also available.
Setting | Options / Example | Description |
---|---|---|
Realm | IMAGOVERUM.COM | The realm name when Credential type is used. Use proper capitalization for this value. |
Hosts | .imagoverum.com or sts.imagoverum.com | An array of host or domain names that apps can authenticate through the app extension. The hosts can either be individual host names or suffixes, such as .example.com. Host names that begin with a “.” are wildcard suffixes that match all subdomains; otherwise the host name needs to be an exact match. The system: |
Screen locked behavior | | If set to Cancel, the system cancels authentication requests when the screen is locked. If set to Do |
Denied bundle identifiers | e.g., com.microsoft.Edge | An array of bundle identifiers of apps that don’t use Single Sign-On provided by the extension. Available in iOS 15 and later, and macOS 12 and later. |
Extension data | Example: `<key>AllowList</key> <string>com.imagoverum.com</string> <key>Enabled</key> <integer>1</integer>` | A dictionary of arbitrary data passed through to the app extension. Silverback expects only `<key>`/value pairs exactly as in the example; do not add a surrounding `<dict>`, `<plist>` or similar element. |
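The URLs rule in the required-settings table and the Hosts and Extension data rules in the table above are easy to get wrong when assembling a profile by hand. The following Python checker is an added example (not Silverback's, Apple's or Microsoft's code) that applies those rules before a profile is created; the imagoverum.com names are constructed sample values, and the reading that a ".imagoverum.com" suffix does not cover the bare apex is an assumption.

```python
import plistlib
from urllib.parse import urlsplit

def normalize_sso_url(url: str) -> str:
    """Apply the URLs rule: http/https only, no query or fragment, scheme and host
    compared case-insensitively (lower-cased here; the path is left as written)."""
    p = urlsplit(url)
    if p.scheme.lower() not in ("http", "https"):
        raise ValueError(f"{url}: must begin with https:// or http://")
    if p.query or p.fragment:
        raise ValueError(f"{url}: query parameters and URL fragments are not allowed")
    if not p.hostname:
        raise ValueError(f"{url}: missing host name")
    netloc = p.hostname.lower() + (f":{p.port}" if p.port else "")
    return f"{p.scheme.lower()}://{netloc}{p.path}"

def validate_redirect_urls(urls, already_installed=()):
    """Normalize a Redirect payload's URLs and reject any that collide with the URLs
    of Extensible SSO payloads already on the device (they must be unique)."""
    seen = {normalize_sso_url(u) for u in already_installed}
    result = []
    for u in urls:
        n = normalize_sso_url(u)
        if n in seen:
            raise ValueError(f"{u}: duplicates a URL of another Extensible SSO payload")
        seen.add(n)
        result.append(n)
    return result

def host_matches(pattern: str, host: str) -> bool:
    """Hosts rule: a leading '.' makes the entry a wildcard suffix matching all
    subdomains; otherwise the host name must match exactly. Assumption: the bare
    apex (imagoverum.com) is not covered by '.imagoverum.com'."""
    pattern, host = pattern.lower(), host.lower()
    return host.endswith(pattern) if pattern.startswith(".") else host == pattern

def parse_extension_data(fragment: str) -> dict:
    """Extension data field: bare <key>/value pairs only. Reject <dict>/<plist>
    wrappers, then parse by adding the wrapper ourselves."""
    if "<dict" in fragment.lower() or "<plist" in fragment.lower():
        raise ValueError("Extension data must not contain <dict> or <plist> elements")
    doc = f'<?xml version="1.0"?><plist version="1.0"><dict>{fragment}</dict></plist>'
    return plistlib.loads(doc.encode("utf-8"))

if __name__ == "__main__":
    # Constructed sample values (imagoverum.com is the page's example domain).
    print(validate_redirect_urls(["HTTPS://Login.Imagoverum.COM/adfs"]))
    print(parse_extension_data("<key>AllowList</key><string>com.imagoverum.com</string>"
                               "<key>Enabled</key><integer>1</integer>"))
```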
Assign the Tag
As usual, you have multiple options to assign the Tag. You can either navigate back to the Definition tab inside the Tag and press the Associated Devices button to Attach More Devices, or you can navigate to the Devices tab and press the Tag button in the Actions column. After you have verified the Policy with one or more test devices, you can also enable Auto Population for the Tag. For additional information, please refer to Tags Guide Part I: Create and Deploy. For demonstration purposes, we will go to the Devices tab and manually assign the Tag to the test device.
Review Profile Installation
Refresh the Device
Once the tag has been assigned, you can press Refresh from the device overview. When the device is online and contacts the server, you should see an Install Profile request type containing an Extensible Single Sign-On Profile.
Review Profile Installation
- On your iPhone or iPad, open Settings
- Navigate to General
- Select VPN & Device Management
- Select Silverback MDM Profile
- In the Contains overview, you should now see a Single Sign-On Extension
- Select More Details
- Locate the Single Sign-On Extension section
- You should see there a new entry with your configuration.
User Experience
Please note that there is no dedicated user experience report at this point, but in general you should see the following behaviour on an iPhone or iPad, and similar behaviour on a macOS device. If the Extensible Single Sign-On profile is on the device and you open Safari and go to portal.office.com, a separate window appears in Safari where the user needs to log in. After a while, this account should be visible in Microsoft Authenticator. Again after some time, you should be able to open Microsoft Excel, for example, and the user should be logged in automatically after entering their username in the login section. You may need to close and reopen the application. You can also open a private tab and reopen portal.office.com; you will see that you are logged in as the user you used the first time you logged in.
However, we would like to point out that it is advisable to test the functionality on a new device that has not yet performed any logins. We recommend running through the website and app login scenarios once with this new device, then resetting the device and running through the scenarios again with the Extensible Single Sign-On profile installed. Because login information is cached and you may not be able to delete the cached information, the user experience may otherwise differ from what you expect. Ideally, contact your identity provider for additional information.
The screenshot below shows the mentioned Single Sign-On login screen on Safari running on a macOS device after opening portal.office.com.