Single Sign On Extension Payload
Overview
The Single Sign On Extension is supported on iOS, iPadOS, and macOS across all applications that support Apple's enterprise single sign-on feature.
The SM Single Sign On Extension payload actually reflects 2 payload types from Apple’s MDM docs:
- https://developer.apple.com/document...?language=objc
- https://developer.apple.com/document...?language=objc
These payloads allow the MDM Administrator to expose specific external single sign-on to both native apps as well as webapps via Safari. As the Kerberos version of this extension conforms to expected Kerberos norms, we won’t be discussing it here. If you require assistance with the Extensible Single Sign On with Kerberos payload, please reach out to your directory services vendor.
Third party SSO extension documentation:
Required Keys
For the custom Single Sign On extension, the following keys are required:
Extension Identifier - The bundle identifier of the extension binary. This should be provided by your Single Sign On vendor.
Sign-on Type - The type of Single Sign-on being provided. "Credential" types are based on locally handled username and password, "Redirect" types perform oauth via identity provider URL.
Realm - The realm name for "Credential" payload types. This value is case-sensitive and is ignored for "Redirect" sign-on types.
Team Identifier - Team identifier for the app extension.
Domains - "Hosts key" in Apple’s documentation. Should be host names or domain names of sites or apps which can access this identity endpoint. "Credential" payloads only, ignored for "Redirect" types.
URLs - URL prefixes of identity providers where the extension will be redirecting for SSO. Required for "Redirect" types, ignored for "Credential" types.
Custom Extension Data - Custom extension data required for the SSO extension to function. This information will be provided by your SSO/Extension vendor.