When using an identity provider (IdP) other than JumpCloud, a SSO Extension policy uses Apple's Extensible Single Sign-On to allow users on managed iOS devices to seamlessly access their resources without requiring them to re-authenticate.
The information used to supply the policy template should be available from your IdP’s Knowledge Base, with instructions on how to properly configure the SSO Extension.
Prerequisites:
- Supported on iOS or iPadOS 13.0+
- MDM is configured for your org and the device is enrolled in MDM
- You are not using JumpCloud as your IdP. See Get Started: Federated Authentication
To create a SSO Extension policy for iOS:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the iOS tab.
- Select the SSO Extension policy from the list, then click configure.
- Under Settings, configure the Extension Type:
- Credential: via username and password (challenge and response authentication, like Kerberos)
- Redirect: via identity provider URL; modern authentication methods like OIDC, OAuth and SAML. Instead of loading a login page, the OS will redirect the request to the extension
- Extension Identifier: Enter the bundle identifier of the app extension that will perform single-sign on. Find this identifier by inspecting the app’s info.plist file.
- When Extension Type is set to Credential, you will see options for:
- Realm: Displayed only when Extension Type is set to Credential. Enter the capitalized realm name for the credential. This field is typically used for Kerberos extensions to identify the Kerberos realm.
- Hosts: Enter the domains names or host names of sites or applications that can be authenticated through the extension. These names must be unique across all SSO extension profiles installed on the device.
- When Extension Type is set to Redirect, you will see:
- URLs: Specify the URL prefixes of identity providers on whose behalf the app extension will authenticate. Parameters and fragments are not permitted; URLs must begin with https:// or http:// and be unique across all SSO extension profiles installed on the device.
- Additional Settings: Specify one or more key-value pairs that you want to pass to the app extension to modify the app.
- For example, department: engineering or disableLogging: true
- (Optional) Select the Device Groups tab. Select one or more device groups where you’ll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
- (Optional) Select the Devices tab. Select one or more devices where you’ll apply this policy.
For this policy to take effect, you must specify a device or a device group.
- Click Save.
After you create and bind an iOS policy to a device, you do not need to activate the policy; the iOS policy is effective immediately.