Intro to Single sign-on with Apple devices
Single sign-on (SSO) is a process in which a user provides authentication information once and receives a ticket to access resources for as long as the ticket is valid. This process lets users maintain secure access to resources without being asked for credentials every time they request access. It also increases the security of daily app use, by ensuring that passwords are never transmitted over the network.
Apps can take advantage of your existing in-house single sign-on (SSO) infrastructure via Kerberos, the most commonly deployed SSO technology. If you have Active Directory, eDirectory, or Open Directory, it’s likely that a Kerberos system is already in place. Apple devices need to be able to contact the Kerberos service over a network connection to authenticate users. Certificates can be used to silently renew a Kerberos ticket, letting users maintain connections to certain services that leverage Kerberos for authentication.
When integrated into an Active Directory environment, macOS prioritizes Kerberos for all authentication activities. The use of other authentication protocols—such as Microsoft’s NT LAN Manager (NTLM), Digest, and Basic—can be prohibited on the network without affecting Mac computers. When a user logs in to a Mac using an Active Directory account, the Active Directory domain controller automatically issues a Kerberos Ticket Granting Ticket (TGT). When the user attempts to use any service on the domain that supports Kerberos authentication, the TGT is used to obtain a service ticket for that service without requiring the user to authenticate again. If a policy is set to require a password to dismiss the screen saver, macOS attempts to renew the TGT upon successful authentication.
To properly support Kerberos, both forward and reverse Domain Name System (DNS) records must be accurate for Kerberized servers. System clock time is also important: the clock skew between any server and client must be less than five minutes. The best practice is to set the date and time automatically in macOS using a Network Time Protocol (NTP) service, such as time.apple.com.
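The two prerequisites above (forward and reverse DNS that agree for every Kerberized host, and clock skew under five minutes) are the usual causes of silent Kerberos failures, so they are worth checking before blaming the KDC. The script below is an added example, not Apple's code or part of this documentation: it keeps the checks as pure shell functions that take their inputs as arguments (so they can be exercised on constructed values) and adds an optional --live mode that assumes the dig tool is present and that you supply a reference epoch obtained from the KDC or a trusted time source. The host name kdc.example.com and the 300-second limit are assumptions; 300 seconds is the Kerberos default clock-skew tolerance.

```shell
#!/bin/sh
# Added example (not from Apple's documentation): pre-flight checks for the
# two Kerberos prerequisites the text names, DNS forward/reverse agreement
# and clock skew under five minutes.

MAX_SKEW_SECONDS=300   # Kerberos default clockskew tolerance (assumed limit)

# normalize_name NAME: lowercase and strip the trailing dot that PTR answers
# carry, so "KDC.example.com." compares equal to "kdc.example.com".
normalize_name() {
    printf '%s' "$1" | sed 's/\.$//' | tr '[:upper:]' '[:lower:]'
}

# dns_consistent HOSTNAME FORWARD_IP REVERSE_NAME
# Returns 0 when the host resolved to an address and the PTR answer for that
# address points back at HOSTNAME (case-insensitive, trailing dot ignored).
dns_consistent() {
    want=$(normalize_name "$1")
    got=$(normalize_name "$3")
    [ -n "$2" ] && [ "$want" = "$got" ]
}

# abs_diff A B: prints |A - B| for two epoch-second values.
abs_diff() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# skew_ok LOCAL_EPOCH SERVER_EPOCH
# Returns 0 when the clocks differ by less than MAX_SKEW_SECONDS.
skew_ok() {
    [ "$(abs_diff "$1" "$2")" -lt "$MAX_SKEW_SECONDS" ]
}

# kerberos_preflight HOSTNAME FORWARD_IP REVERSE_NAME LOCAL_EPOCH SERVER_EPOCH
# Prints one line per problem found, or "OK" when both checks pass; the
# return value is the number of problems so it can drive a script.
kerberos_preflight() {
    problems=0
    if ! dns_consistent "$1" "$2" "$3"; then
        echo "DNS: reverse record for '$2' is '$3', expected '$1'"
        problems=$(( problems + 1 ))
    fi
    if ! skew_ok "$4" "$5"; then
        echo "TIME: clock skew of $(abs_diff "$4" "$5")s exceeds ${MAX_SKEW_SECONDS}s"
        problems=$(( problems + 1 ))
    fi
    if [ "$problems" -eq 0 ]; then echo "OK"; fi
    return "$problems"
}

# Optional live mode (assumes dig is installed, as it is on macOS): resolve
# HOST, look up the PTR for its first address, and compare the local clock
# with SERVER_EPOCH, an epoch you obtained from the KDC or a trusted source.
# Usage: sh kerberos_preflight.sh --live kdc.example.com [SERVER_EPOCH]
if [ "${1:-}" = "--live" ]; then
    live_host=$2
    live_ip=$(dig +short A "$live_host" | head -n 1)
    live_ptr=$(dig +short -x "$live_ip" | head -n 1)
    now=$(date +%s)
    kerberos_preflight "$live_host" "$live_ip" "$live_ptr" "$now" "${3:-$now}"
fi
```

Run the functions on their own to see the classification logic, or use --live against a real KDC name; a non-zero exit status means at least one prerequisite failed, which is the state in which TGT issuance and service-ticket requests start failing in hard-to-diagnose ways.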
Any app that supports Kerberos authentication works with SSO. This includes many of the apps built into macOS, such as Safari, Mail, and Calendar, as well as services like file sharing, screen sharing, and secure shell (SSH). Many third-party apps, such as Microsoft Outlook and Microsoft Lync, support Kerberos as well.
Configure single sign-on
Users can view and manage their Kerberos ticket information by using the Ticket Viewer app located in /System/Library/CoreServices/. You can see additional information by clicking the Ticket menu and choosing Diagnostic Information. Users can also request, view, and destroy Kerberos tickets by using the command line tools