Enable automatic authentication for iOS devices

You can enable iOS devices to authenticate automatically with hosts or domains and web services in your organization’s network. After you assign a single sign-on extension profile, the user is prompted for a username and password the first time they try to access a secure host or domain that you specified. The login information is saved on the user’s device and used automatically when the user tries to access any of the secure hosts or domains specified in the profile. When the user changes the password, the user is prompted the next time they try to access a secure host or domain.
You can specify settings for a custom extension or use the Kerberos extension provided by Apple.
Note that the single sign-on extension profile replaces the legacy single sign-on profile.
If you want to use certificate-based authentication, create the necessary certificate profile.
  1. In the management console, on the menu bar, click Policies and Profiles > Networks and connections > Single sign-on extension.
  2. Click the Add icon.
  3. Type a name and description for the profile.
  4. In the Single sign-on extension type drop-down list, click Custom extension or Kerberos built-in extension provided by Apple.

    Task: If you select Custom extension
    Steps:
    1. In the Extension identifier field, type the identifier for the app that performs the single sign-on.
    2. Select the appropriate sign-on type.
    3. If you selected Credential as the sign-on type, perform the following steps:
      1. In the Realm field, type the realm name for the credential.
      2. In the Domains section, click the Add icon to add a host or domain.
      3. In the Name field, type the host or domain for which the app extension performs single sign-on.
      4. Add additional hosts or domains as required.
    4. If you selected Redirect as the sign-on type, perform the following steps:
      1. In the URLs section, click the Add icon to add a URL.
      2. In the Name field, type the URL prefix for the identity provider for which the app extension performs single sign-on. Add additional URLs as required.
    5. In the Custom payload code field, enter the custom payload code for the app extension.

    Task: If you select Kerberos built-in extension
    Steps:
    1. In the Domains section, click the Add icon to add a host or domain.
    2. In the Realm name field, type the realm name for the credential.
    3. Select the appropriate Apple Kerberos SSO extension data for your environment. By default, automatic login and Active Directory autodiscovery are allowed. You can also specify the default realm, allow only managed apps to use single sign-on, and require users to confirm access.
    4. Set the Principal name for the connection.
    5. If you want to use a certificate profile to provide the PKINIT certificate for authentication, select the profile type from the Select the PKINIT certificate for authentication drop-down list and then select the appropriate profile.
    6. If you're using the Generic Security Service API, specify the GSS name of the Kerberos cache.
    7. In the App bundle identifiers section, click the Add icon to specify the bundle IDs that are allowed to access the ticket-granting ticket.
    8. In the Preferred key distribution centers section, click the Add icon to specify preferred servers if they are not discoverable using DNS. Specify each server in the same format used in a krb5.conf file. The specified servers are used for connectivity checks and tried first for Kerberos traffic. If the servers do not respond, the device uses DNS discovery.
    9. In the Custom domain-realm mapping field, enter any required custom mapping of domains to realm names in payload format, for example <key>sample-realm1</key><array><string>org</string></array>.
    10. In the Login hint field, specify text to display at the bottom of the Kerberos login window.
  5. Click Save.
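
The Custom domain-realm mapping field in the Kerberos steps takes a raw payload fragment, so a typo or an overlapping entry can silently route a domain to the wrong realm. The following check is an added example, not part of the original page or of any vendor tooling: it parses a fragment before you paste it and reports domains listed under more than one realm. The function names, the second sample realm, and the case-insensitive, leading-dot-insensitive comparison are assumptions made for this illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Wrapper that turns the field's fragment into a complete plist document.
PLIST_WRAPPER = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<plist version="1.0"><dict>{}</dict></plist>')

# The example value given on this page.
PAGE_EXAMPLE = "<key>sample-realm1</key><array><string>org</string></array>"
# Constructed sample: a second, hypothetical realm that also claims "org".
CONSTRUCTED_OVERLAP = PAGE_EXAMPLE + (
    "<key>sample-realm2</key>"
    "<array><string>.ORG</string><string>example.test</string></array>")


def parse_domain_realm_mapping(fragment):
    """Parse a payload-format fragment into {realm: [domain, ...]}."""
    try:
        data = plistlib.loads(PLIST_WRAPPER.format(fragment).encode("utf-8"))
    except (ExpatError, ValueError) as exc:
        raise ValueError(f"not a valid payload fragment: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("fragment must contain only <key>/<array> pairs")
    mapping = {}
    for realm, domains in data.items():
        if not isinstance(domains, list) or not domains:
            raise ValueError(f"{realm}: expected a non-empty <array>")
        if not all(isinstance(d, str) and d.strip() for d in domains):
            raise ValueError(f"{realm}: entries must be non-empty <string>s")
        # Assumption: compare case-insensitively, ignoring a leading dot.
        mapping[realm] = [d.strip().lstrip(".").lower() for d in domains]
    return mapping


def conflicting_domains(mapping):
    """Return {domain: [realms]} for domains listed under several realms."""
    owners = {}
    for realm, domains in mapping.items():
        for domain in domains:
            owners.setdefault(domain, set()).add(realm)
    return {d: sorted(r) for d, r in owners.items() if len(r) > 1}


if __name__ == "__main__":
    print(parse_domain_realm_mapping(PAGE_EXAMPLE))
    print(conflicting_domains(parse_domain_realm_mapping(CONSTRUCTED_OVERLAP)))
```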