Create a single sign-on extension profile Skip Navigation

Create a single sign-on extension profile

Single sign-on extensions are supported for devices running
iOS
and
iPadOS
13 and later. You can specify settings for a custom extension or use the
Kerberos
extension provided by
Apple
.
If you want to use certificate-based authentication, create the necessary certificate profile.
  1. On the menu bar, click
    Policies and Profiles
    .
  2. Click
    Networks and connections
    >
    Single sign-on extension
    .
  3. Click The Add icon.
  4. Type a name and description for the profile.
  5. In the
    Single sign-on extension type
    drop-down, specify whether you are using a custom extension or the
    Kerberos
    extension provided by
    Apple
    .
    Task
    Steps
    If you select
    Custom extenstion
    1. In the
      Extension identifier
      field, type the identifier for the app that performs the single sign-on.
    2. Specify whether the sign-on type is
      Credential
      or
      Redirect
    3. If you selected
      Credential
      as the sign-on type, perform the following steps:
      1. In the
        Realm
        field, type the realm name for the credential.
      2. In the
        Domains
        section, click The Add icon to add a domain.
      3. In the
        Name
        field, type the domain for which the app extension performs single sign-on.
      4. Add additional domains as required.
    4. If you selected
      Redirect
      as the sign-on type, perform the following steps:
      1. In the
        URLs
        section, click The Add icon to add a URL.
      2. In the
        Name
        field, type the URL prefix for the identity provider for which the app extension performs single sign-on. Add additional URLs as required.
    5. In the
      Custom payload code
      field, enter the custom payload code for the app extension.
    If you select
    Kerberos built-in extenstion
    1. In the
      Domains
      section, click The Add icon to add a domain.
    2. In the
      Realm name
      field, type the realm name for the credential.
    3. Select the appropriate
      Apple Kerberos SSO extension data
      for your environment. By default, automatic login and
      Active Directory
      autodiscovery are allowed. You can also specify the default realm, allow only managed apps to use single sign-on, and require users to confirm access.
    4. Set the
      Principal name
      for the connection.
    5. If you want to use a certificate profile to provide the PKINIT certificate for authentication, select the profile type from the
      Select the PKINIT certificate for authentication
      drop-down list and then select the appropriate profile.
    6. If you're using the Generic Security Service API, specify the
      GSS name of the Kerberos cache
      .
    7. In the
      App bundle identifiers
      section, click The Add icon to specify the bundle IDs that are allowed to access the ticket-granting ticket.
    8. In the
      Preferred key distribution centers
      section, click The Add icon to specify preferred servers if they are not discoverable using DNS. Specify each server in the same format used in a krb5.conf file. The specified servers are used for connectivity checks and tried first for
      Kerberos
      traffic. If the servers do not respond, the device uses DNS discovery.
    9. In the
      Custom domain-realm mapping
      field, enter any required custom mapping of domains to realm names in payload format, for example
      <key>sample-realm1</key><array><string>org</string></array>
      .
    10. In the
      Login hint
      field, specify text to display at bottom of the
      Kerberos
      login window.
  6. Click
    Save
    .