Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.17
  3. Administration
  4. Securing network connections
  5. Setting up single sign-on authentication for devices
  6. Create a single sign-on extension profile

Create a single sign-on extension profile

Single sign-on extensions are supported for devices running
iOS
 and
iPadOS
 13 and later. You can specify settings for a custom extension or use the
Kerberos
 extension provided by
Apple
.
If you want to use certificate-based authentication, create the necessary certificate profile.
  1. On the menu bar, click
    Policies and Profiles
    .
  2. Click
    Networks and connections
     >
    Single sign-on extension
    .
  3. Click The Add icon.
  4. Type a name and description for the profile.
  5. In the
    Single sign-on extension type
     drop-down, specify whether you are using a custom extension or the
    Kerberos
     extension provided by
    Apple
    .
    Task
    Steps
    If you select
    Custom extenstion
    1. In the
      Extension identifier
       field, type the identifier for the app that performs the single sign-on.
    2. Specify whether the sign-on type is
      Credential
       or
      Redirect
    3. If you selected
      Credential
       as the sign-on type, perform the following steps:
      1. In the
        Realm
         field, type the realm name for the credential.
      2. In the
        Domains
         section, click The Add icon to add a domain.
      3. In the
        Name
         field, type the domain for which the app extension performs single sign-on.
      4. Add additional domains as required.
    4. If you selected
      Redirect
       as the sign-on type, perform the following steps:
      1. In the
        URLs
         section, click The Add icon to add a URL.
      2. In the
        Name
         field, type the URL prefix for the identity provider for which the app extension performs single sign-on. Add additional URLs as required.
    5. In the
      Custom payload code
       field, enter the custom payload code for the app extension.
    If you select
    Kerberos built-in extenstion
    1. In the
      Domains
       section, click The Add icon to add a domain.
    2. In the
      Realm name
       field, type the realm name for the credential.
    3. Select the appropriate
      Apple Kerberos SSO extension data
       for your environment. By default, automatic login and
      Active Directory
       autodiscovery are allowed. You can also specify the default realm, allow only managed apps to use single sign-on, and require users to confirm access.
    4. Set the
      Principal name
       for the connection.
    5. If you want to use a certificate profile to provide the PKINIT certificate for authentication, select the profile type from the
      Select the PKINIT certificate for authentication
       drop-down list and then select the appropriate profile.
    6. If you're using the Generic Security Service API, specify the
      GSS name of the Kerberos cache
      .
    7. In the
      App bundle identifiers
       section, click The Add icon to specify the bundle IDs that are allowed to access the ticket-granting ticket.
    8. In the
      Preferred key distribution centers
       section, click The Add icon to specify preferred servers if they are not discoverable using DNS. Specify each server in the same format used in a krb5.conf file. The specified servers are used for connectivity checks and tried first for
      Kerberos
       traffic. If the servers do not respond, the device uses DNS discovery.
    9. In the
      Custom domain-realm mapping
       field, enter any required custom mapping of domains to realm names in payload format, for example
      <key>sample-realm1</key><array><string>org</string></array>
      .
    10. In the
      Login hint
       field, specify text to display at bottom of the
      Kerberos
       login window.
  6. Click
    Save
    .