
Single Sign-On Extensions payload settings for Apple devices
Use the Single Sign-On Extensions payload to define extensions for multi-factor user authentication on iPhone, iPad and Mac devices enrolled in a mobile device management (MDM) solution. This payload must be user approved.
This extension is for use by identity providers, to deliver a seamless experience as users sign in to apps and websites. When properly configured using MDM, the user authenticates once, then gains access to subsequent native apps and websites automatically. The following features can also be used with the Single Sign-On Extensions payload when implemented by the developer:
- iCloud Keychain
- Multi-factor authentication
- Per-app VPN
- User notification
In addition to the Single Sign-On Extensions for third-party developers, iOS 13, iPadOS 13.1 and macOS 10.15 feature a built-in Kerberos extension that can be used to log users in to native apps as well as websites that support Kerberos authentication.
Note: macOS domains should be managed with the Associated Domains payload.
| OS and channel | Supported enrolment types | Interaction | Duplicates |
|---|---|---|---|
| iOS, iPadOS, macOS device | User, Device, Automated Device | Exclusive | Single |
| Setting | Description | Required |
|---|---|---|
| Extension identifier | The unique bundle ID for the app. | Yes |
| Team identifier | The unique team ID for the app. | Yes |
| Sign-on type | | Yes |
| Realm | The full Kerberos realm where the user’s account is located. | Yes |
| Domains | Approved domains that can be authenticated with the app extension. | No |
| Custom configuration | Custom keys that can be used with the app extension. | No |
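The settings in the table above, checked and assembled into a configuration profile. This is an added example, not Apple's or any MDM vendor's code. Assumptions: the profile key names (ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts), the sign-on type values and the built-in Kerberos extension's identifiers are taken from Apple's com.apple.extensiblesso payload rather than from this page; the realm, domains, organisation and payload identifiers are constructed placeholders; the bare-host-name rule for Domains is an added hygiene check.

```python
import plistlib
import uuid

# Table setting -> profile key. The page gives only setting names; the key
# names are assumed from Apple's com.apple.extensiblesso payload.
REQUIRED = {
    "Extension identifier": "ExtensionIdentifier",
    "Team identifier": "TeamIdentifier",
    "Sign-on type": "Type",
    "Realm": "Realm",
}
SIGN_ON_TYPES = {"Credential", "Redirect"}

def lint_sso_payload(payload):
    """Return a list of problems in one SSO extension payload dict."""
    problems = []
    for setting, key in REQUIRED.items():
        value = payload.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing required setting: {setting} ({key})")
    if payload.get("Type") and payload["Type"] not in SIGN_ON_TYPES:
        problems.append(f"unknown sign-on type: {payload['Type']!r}")
    # Domains are optional; when present, accept bare host names only so the
    # extension is not approved for more than intended (added hygiene check).
    for host in payload.get("Hosts", []):
        if not isinstance(host, str) or any(c in host for c in "*/: ") or not host.strip("."):
            problems.append(f"domain is not a bare host name: {host!r}")
    return problems

def build_profile(payload, organization="Example Org (constructed)"):
    """Wrap a linted payload in a configuration profile and return plist bytes."""
    problems = lint_sso_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    content = dict(payload, PayloadType="com.apple.extensiblesso", PayloadVersion=1,
                   PayloadIdentifier="com.example.sso.kerberos",
                   PayloadUUID=str(uuid.uuid4()).upper())
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.sso", "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadOrganization": organization, "PayloadContent": [content]}
    return plistlib.dumps(profile)

# Constructed sample: built-in Kerberos extension, placeholder realm and domains.
SAMPLE = {"ExtensionIdentifier": "com.apple.AppSSOKerberos.extension",
          "TeamIdentifier": "apple", "Type": "Credential",
          "Realm": "EXAMPLE.COM", "Hosts": ["example.com", ".example.com"]}
```

Running the lint in the pipeline that generates profiles catches a missing required setting or an over-broad domain entry before the profile reaches a device.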