The SM Single Sign On Extension payload actually reflects 2 payload types from Apple’s MDM docs:
This should not be confused with the old SingleSignOn payload (which Systems Manager does not directly support).
These payloads allow the MDM Administrator to expose specific external single sign-on to both native apps as well as webapps via Safari. As the Kerberos version of this extension conforms to expected Kerberos norms, we won’t be discussing it here. If you require assistance with the Extensible Single Sign On with Kerberos payload, please reach out to your directory services vendor.
For the custom Single Sign On extension, the following keys are required:
Extension Identifier - The bundle identifier of the extension binary. This should be provided by your Single Sign On vendor.
Sign-on Type - The type of Single Sign-on being provided. "Credential" types are based on locally handled username and password, "Redirect" types perform oauth via identity provider URL.
Realm - The realm name for "Credential" payload types. This value is case-sensitive and is ignored for "Redirect" sign-on types.
Team Identifier - Team identifier for the app extension.
Domains - "Hosts key" in Apple’s documentation. Should be host names or domain names of sites or apps which can access this identity endpoint. "Credential" payloads only, ignored for "Redirect" types.
URLs - URL prefixes of identity providers where the extension will be redirecting for SSO. Required for "Redirect" types, ignored for "Credential" types.
Custom Extension Data - Custom extension data required for the SSO extension to function. This information will be provided by your SSO/Extension vendor.