Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.21
  3. Managing secure connections
  4. Managing work connections using profiles
  5. Setting up up automatic authentication for iOS devices
  6. Enable automatic authentication for iOS devices using a single sign-on extension profile

Enable automatic authentication for
iOS
 devices using a single sign-on extension profile

If you want to use certificate-based authentication, you must first create a shared certificate profile, SCEP profile, or user credential profile.
  1. In the management console, on the menu bar, click
    Policies and profiles > Networks and connections > Single sign-on extension
    .
  2. Click The Add icon.
  3. Type a name and description for the profile.
  4. In the
    Single sign-on extension type
     drop-down list, click
    Custom extension
     or
    Kerberos built-in extension
    .
    Task
    Steps
    If you selected
    Custom extenstion
    1. In the
      Extension identifier
       field, type the identifier for the app that performs the single sign-on.
    2. Select the appropriate sign-on type.
    3. If you selected
      Credential
       as the sign-on type, perform the following steps:
      1. In the
        Realm
         field, type the realm name for the credential.
      2. In the
        Domains
         section, click The Add icon to add a host or domain.
      3. In the
        Name
         field, type the host or domain for which the app extension performs single sign-on.
      4. Add additional hosts or domains as required.
    4. If you selected
      Redirect
       as the sign-on type, perform the following steps:
      1. In the
        URLs
         section, click The Add icon to add a URL.
      2. In the
        Name
         field, type the URL prefix for the identity provider for which the app extension performs single sign-on. Add additional URLs as required.
    5. In the
      Custom payload code
       field, enter the custom payload code for the app extension.
    If you selected
    Kerberos built-in extension
    1. In the
      Domains
       section, click The Add icon to add a host or domain.
    2. In the
      Realm name
       field, type the realm name for the credential.
    3. Select the appropriate
      Apple Kerberos SSO extension data
       for your environment. By default, automatic login and
      Active Directory
       autodiscovery are allowed. You can also specify the default realm, allow only managed apps to use single sign-on, and require users to confirm access.
    4. Set the
      Principal name
       for the connection.
    5. If you want to use a certificate profile to provide the PKINIT certificate for authentication, select the profile type from the
      Select the PKINIT certificate for authentication
       drop-down list and then select the appropriate profile.
    6. If you're using the Generic Security Service API, specify the
      GSS name of the Kerberos cache
      .
    7. In the
      App bundle identifiers
       section, click The Add icon to specify the bundle IDs that are allowed to access the ticket-granting ticket.
    8. In the
      Preferred key distribution centers
       section, click The Add icon to specify preferred servers if they are not discoverable using DNS. Specify each server in the same format used in a krb5.conf file. The specified servers are used for connectivity checks and tried first for
      Kerberos
       traffic. If the servers do not respond, the device uses DNS discovery.
    9. In the
      Custom domain-realm mapping
       field, enter any required custom mapping of domains to realm names in payload format, for example
      <key>sample-realm1</key><array><string>org</string></array>
      .
    10. In the
      Login hint
       field, specify text to display at bottom of the
      Kerberos
       login window.
  5. Click
    Save
    .
  • If necessary, rank the profile.
  • Assign the profile to user accounts and groups.