Enable automatic authentication for iOS devices
You can enable iOS devices to authenticate automatically with hosts or domains and web services in your organization’s network. After you assign a single sign-on extension profile, the user is prompted for a username and password the first time they try to access a secure host or domain that you specified. The login information is saved on the user’s device and used automatically when the user tries to access any of the secure hosts or domains specified in the profile. When the user changes the password, the user is prompted the next time they try to access a secure host or domain.
You can specify settings for a custom extension or use the Kerberos extension provided by Apple.
Note that the single sign-on extension profile replaces the legacy single sign-on profile.
If you want to use certificate-based authentication, create the necessary certificate profile.
- In the management console, on the menu bar, click Policies and Profiles > Networks and connections > Single sign-on extension.
- Click .
- Type a name and description for the profile.
- In the Single sign-on extension type drop-down list, click Custom extension or Kerberos built-in extension provided by Apple.
  If you select Custom extension:
  - In the Extension identifier field, type the identifier for the app that performs the single sign-on.
  - Select the appropriate sign-on type.
  - If you selected Credential as the sign-on type, perform the following steps:
    - In the Realm field, type the realm name for the credential.
    - In the Domains section, click to add a host or domain.
    - In the Name field, type the host or domain for which the app extension performs single sign-on.
    - Add additional hosts or domains as required.
  - If you selected Redirect as the sign-on type, perform the following steps:
    - In the URLs section, click to add a URL.
    - In the Name field, type the URL prefix for the identity provider for which the app extension performs single sign-on. Add additional URLs as required.
  - In the Custom payload code field, enter the custom payload code for the app extension.
  If you select Kerberos built-in extension:
  - In the Domains section, click to add a host or domain.
  - In the Realm name field, type the realm name for the credential.
  - Select the appropriate Apple Kerberos SSO extension data for your environment. By default, automatic login and Active Directory autodiscovery are allowed. You can also specify the default realm, allow only managed apps to use single sign-on, and require users to confirm access.
  - Set the Principal name for the connection.
  - If you want to use a certificate profile to provide the PKINIT certificate for authentication, select the profile type from the Select the PKINIT certificate for authentication drop-down list and then select the appropriate profile.
  - If you're using the Generic Security Service API, specify the GSS name of the Kerberos cache.
  - In the App bundle identifiers section, click to specify the bundle IDs that are allowed to access the ticket-granting ticket.
  - In the Preferred key distribution centers section, click to specify preferred servers if they are not discoverable using DNS. Specify each server in the same format used in a krb5.conf file. The specified servers are used for connectivity checks and tried first for Kerberos traffic. If the servers do not respond, the device uses DNS discovery.
  - In the Custom domain-realm mapping field, enter any required custom mapping of domains to realm names in payload format, for example <key>sample-realm1</key><array><string>org</string></array>.
  - In the Login hint field, specify text to display at the bottom of the Kerberos login window.
- Click Save.
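
The following is an added example, not part of the original documentation or the product: a Python pre-check for text you plan to paste into the Custom domain-realm mapping field, using the payload format shown in that step. The function name and the second sample fragment are constructed for illustration, and the rule that one domain maps to only one realm is this example's own sanity check.

```python
import plistlib


def parse_domain_realm_mapping(fragment: str) -> dict:
    """Validate a '<key>realm</key><array><string>domain</string></array>...'
    fragment and return {realm: [domains]}. Raises ValueError on any problem."""
    # The field holds bare key/array pairs, so wrap them in a plist <dict>.
    doc = ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
           + fragment.strip() + '</dict></plist>')
    try:
        mapping = plistlib.loads(doc.encode("utf-8"), fmt=plistlib.FMT_XML)
    except Exception as exc:  # expat and plistlib raise several error types
        raise ValueError(f"not a well-formed key/array fragment: {exc}") from exc
    if not mapping:
        raise ValueError("fragment contains no realm keys")

    owner = {}  # lower-cased domain -> realm that already claimed it
    for realm, domains in mapping.items():
        if not realm.strip():
            raise ValueError("empty realm name in <key>")
        if not isinstance(domains, list) or not domains:
            raise ValueError(f"realm {realm!r}: value must be a non-empty <array>")
        for domain in domains:
            if not isinstance(domain, str) or not domain or domain != domain.strip():
                raise ValueError(f"realm {realm!r}: bad <string> entry {domain!r}")
            # Assumption of this example: one domain should map to one realm.
            previous = owner.setdefault(domain.lower(), realm)
            if previous != realm:
                raise ValueError(f"{domain!r} is mapped to {previous!r} and {realm!r}")
    return mapping


# Sample from the step above, plus a constructed fragment with a conflict.
PAGE_SAMPLE = "<key>sample-realm1</key><array><string>org</string></array>"
CONFLICT = (PAGE_SAMPLE +
            "<key>sample-realm2</key><array><string>ORG</string></array>")

if __name__ == "__main__":
    print(parse_domain_realm_mapping(PAGE_SAMPLE))
    try:
        parse_domain_realm_mapping(CONFLICT)
    except ValueError as err:
        print("rejected:", err)
```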