Jamf Nation Community

I’ve set it up. Works good. Some features are missing when compared to Enterprise Connect, but otherwise it works good and suits our needs.

Just to be clear, the Single Sign-On extension doesn't allow for logging in with email addresses, does it? That's a whole other thing we can't talk about yet, or at least I thought. SSO extension is basically just EC built in.

@ooshnoo So you are able to login to your Macs using email address and password? You dont happen to have a walk through of the setup or a link to the setup that you did, do you?

It is using AD, not Azure AD. So email address is not used to login.

@bmichael Setup info is not public yet. You need to use AppleSeed to get access to the config profile to test it.

@patgmac If possible and willing, can you share your SSO config that you're using to test??

Thanks in advance ::sp

@smpotter @bmichael You can piece together what you need to create the profile from the ExtensibleSingleSignOnKerberos developer documentation. Alternatively update to Jamf Pro 10.15 as they have added the Single Sign-On Extensions payload.

I have it working but was curious about it displaying how many days left till password expires. Per the doc it states to configure "pwExpirationDays" which I did but on the device its still showing "Password doesn't expire"...

@smpotter I'm not using that key, and it shows a countdown of days until expiration by default. Plus I don't even see that key listed in the doc. Are you sure you're not referring to: passwordNotificationDays

https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignonkerberos/extensiondata

Is it similar to Enterprise Connect PKI? I mean: does it support login/SSO via SmartCards?

Anyone know is SAP can work with this new single sign on mode - we are running nomad and no AD

@ooshnoo to clarify you have local users able to SSO into web applications for example? What IDP are you using? Have you got any instructions?

@jlattke it basically replaces Enterprise Connect. It can do SSO with smartcards. Super simple set up as long as you're using AD not AzureAD.

I have it mostly working, but get this error when I try to change the password.

@nvandam can you roughly describe how you set it up and what IDP you're using?

@petestanley , Here's the example .mobileconfig Apple has. Just change "example.com" to your domain. The upload that to Jamf and push to a 10.15 Mac. We are using AD.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ExtensionData</key>
            <dict>
                <key>allowAutomaticLogin</key>
                <true/>
                <key>isDefaultRealm</key>
                <false/>
                <key>pwNotificationDays</key>
                <integer>15</integer>
                <key>requireUserPresence</key>
                <false/>
                <key>syncLocalPassword</key>
                <true/>
                <key>useSiteAutoDiscovery</key>
                <true/>
            </dict>
            <key>ExtensionIdentifier</key>
            <string>com.apple.AppSSOKerberos.KerberosExtension</string>
            <key>Hosts</key>
            <array>
                <string>.example.com</string>
            </array>
            <key>PayloadDisplayName</key>
            <string>Single Sign-on Extensions</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdm.test.local.af517dc0-7353-0137-3524-3a008d11ab01.alacarte.single-sign-on-extension.79757090-7354-0137-3525-3a008d11ab01</string>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadUUID</key>
            <string>79757090-7354-0137-3525-3a008d11ab01</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Realm</key>
            <string>EXAMPLE.COM</string>
            <key>TeamIdentifier</key>
            <string>apple</string>
            <key>Type</key>
            <string>Credential</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Kerberos SSO</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.mdm.RJLmpb.local.af517dc0-7353-0137-3524-3a008d11ab01.alacarte</string>
    <key>PayloadOrganization</key>
    <string>Apple</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>af517dc0-7353-0137-3524-3a008d11ab01</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Thanks @nvandam!

@nvandam Thanks a lot for this, extremely useful.

I'm trying to establish whether we'd be able to use the Single Sign On Extensions in our lab environment and remove the bind to AD altogether. I'm assuming a user account would need to be created on the system first, and then the system would prompt to sync up the login and AD passwords once logged in?

Also, in my testing folks aren't prompted to enter their AD credentials until they open up Safari which has a company home page based on SSO. How can I get the user to be prompted without opening up a web browser?

@jazminepena While it's certainly not impossible I think something like NoMAD LoginAD or Jamf Connect would be more beneficial in a lab environment if you're wanting/working toward a no-bind setup. With the SSO extension you would need a local account logged into the machine from the get go.

The SSO extension should be prompting you as soon as the config profile is installed on the machine. At least that has been my experience with it thus far. Are you using the mobileconfig shown above or the provided payload in jamf Pro?

@mainelysteve Thanks. After some further testing, it does indeed seem to prompt after logging in.

I'm using the mobileconfig from earlier in the thread.

Has anyone figured out a way to pass your account credentials to the SSO extension when you're logged in with an AD mobile account? Screen shot attached of my current SSO profile.

And does anyone know how I can set the option 'Sign-In Automatically' by default in the config profile?

@nvandam Did you figure out what was up with the "Configuration file does not specify default realm" error? I am also seeing that.

@UbiquitousChris , I have not. :(

@nvandam We have the exact same issue in our environment. It wasn't happening in during the beta cycles, we were always able to change our passwords when we tried... but it started popping up around the GA release of 19A602.

Have you opened a FB or support ticket with Apple, have they given you any details?

@nvandam @UbiquitousChris Have you tried changing it to True

 <key>isDefaultRealm</key>
 <true/>

@jmariani , I hadn't played with it during the betas, so I can't confirm it ever worked for us. I do not have a ticket open for that right now, no. But I can.

@ammonsc , I have tried changing that and rebooted and still nothing. I wasn't sure if I had it setup incorrectly because it says that capitalization matters, which I think I have it right, but honestly it may be wrong.

@ammonsc Yup. Heres a screenshot of our config.

Just checking if others have this working properly? I am using the posted sample PLIST and changing the domain and realm. I can log in to an AD account fine, but (1) the extension is showing my password never expires, which is not true and (2) it is not sync my password with my local account. If I log out, I have to use my original local password and not my AD password to log back in.

Which JAMF-PRO version are you using to view the Signal sign-on Extensions?

@Vanegas , I believe it was introduced in 10.15.0. The payload settings are at like the bottom of the list in config profile creation view.

I'm guessing one of the options missing with this is the password-sync feature, checking if AD and local account passwords are different.

After looking at the configuration profile this seems very familiar to Apple Enterprise Connect. Am I correct to assume that there is not yet a way to use this with an off premise provider like okta?

@sdamiano I think that is where Jamf Connect comes in.

@nvandam I figured something out. If you add the following lines to /etc/krb5.conf, the extension will function again.

[libdefaults]
default_realm = YOUR.REALM.HERE

I have the same issue.. I;m working with my local apple tech team, but haven't figured out anything...

@UbiquitousChris I looked for that /etc/krb5.conf I actually dont have that file... I have a krb5.keytab and that's it in that location

@jimderlatka I didn't have it either. I had to create it manually.

@UbiquitousChris wow that worked 100% working now.. thanks