Has anyone set up Single Sign-On with Catalina OS? I heard about it during their last event. I am up to date with the Catalina Beta but cannot find anything to set it up. https://developer.apple.com/videos/play/wwdc2019/303/ towards the end of this video is where it is mentioned. We want to have the Mac users log in to their computers the same way our PC users (all PCs are joined to Azure) do, by using their email address and password. Any recommendations?
Just to be clear, the Single Sign-On extension doesn't allow for logging in with email addresses, does it? That's a whole other thing we can't talk about yet, or at least I thought. SSO extension is basically just EC built in.
I have it working but was curious about it displaying how many days are left till the password expires. Per the doc it states to configure "pwExpirationDays", which I did, but on the device it's still showing "Password doesn't expire"...
@smpotter I'm not using that key, and it shows a countdown of days until expiration by default. Plus I don't even see that key listed in the doc. Are you sure you're not referring to: passwordNotificationDays
@petestanley, here's the example .mobileconfig Apple has. Just change "example.com" to your domain. Then upload that to Jamf and push to a 10.15 Mac. We are using AD.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ExtensionData</key>
            <dict>
                <key>allowAutomaticLogin</key>
                <true/>
                <key>isDefaultRealm</key>
                <false/>
                <key>pwNotificationDays</key>
                <integer>15</integer>
                <key>requireUserPresence</key>
                <false/>
                <key>syncLocalPassword</key>
                <true/>
                <key>useSiteAutoDiscovery</key>
                <true/>
            </dict>
            <key>ExtensionIdentifier</key>
            <string>com.apple.AppSSOKerberos.KerberosExtension</string>
            <key>Hosts</key>
            <array>
                <string>.example.com</string>
            </array>
            <key>PayloadDisplayName</key>
            <string>Single Sign-on Extensions</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdm.test.local.af517dc0-7353-0137-3524-3a008d11ab01.alacarte.single-sign-on-extension.79757090-7354-0137-3525-3a008d11ab01</string>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadUUID</key>
            <string>79757090-7354-0137-3525-3a008d11ab01</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Realm</key>
            <string>EXAMPLE.COM</string>
            <key>TeamIdentifier</key>
            <string>apple</string>
            <key>Type</key>
            <string>Credential</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Kerberos SSO</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.mdm.RJLmpb.local.af517dc0-7353-0137-3524-3a008d11ab01.alacarte</string>
    <key>PayloadOrganization</key>
    <string>Apple</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>af517dc0-7353-0137-3524-3a008d11ab01</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
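Several replies in this thread trace back to small mistakes in the payload above (a lowercase realm, a misspelled notification key, syncLocalPassword left off). The following is an added pre-flight check, not Apple's or Jamf's code: it parses a mobileconfig with the standard plistlib module and flags those mistakes before the profile is pushed. The embedded profile is a constructed, trimmed copy of the sample with the realm deliberately lowercase so the check has something to report.

```python
import plistlib

# Constructed sample: trimmed from the Kerberos SSO payload in this thread,
# with Realm left lowercase on purpose so the linter flags it.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
<key>ExtensionData</key><dict>
<key>pwNotificationDays</key><integer>15</integer>
<key>syncLocalPassword</key><true/>
</dict>
<key>ExtensionIdentifier</key><string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Hosts</key><array><string>.example.com</string></array>
<key>PayloadType</key><string>com.apple.extensiblesso</string>
<key>Realm</key><string>example.com</string>
<key>TeamIdentifier</key><string>apple</string>
<key>Type</key><string>Credential</string>
</dict></array>
<key>PayloadType</key><string>Configuration</string>
</dict></plist>"""

KERBEROS_EXT = "com.apple.AppSSOKerberos.KerberosExtension"
# Misspellings that came up in this thread; the sample payload uses pwNotificationDays.
SUSPECT_KEYS = ("pwExpirationDays", "passwordNotificationDays")


def lint_kerberos_sso(profile_bytes):
    """Return a list of findings for every Extensible SSO payload in the profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.extensiblesso":
            continue  # unrelated payloads in the same profile are ignored
        if payload.get("ExtensionIdentifier") != KERBEROS_EXT:
            findings.append("ExtensionIdentifier is not the Kerberos extension")
        if payload.get("Type") != "Credential":
            findings.append("Type should be Credential for the Kerberos extension")
        realm = payload.get("Realm", "")
        if not realm or realm != realm.upper():
            findings.append(f"Realm {realm!r} must be the uppercase Kerberos realm")
        if not payload.get("Hosts"):
            findings.append("Hosts is empty; no domain will trigger the extension")
        data = payload.get("ExtensionData", {})
        for key in SUSPECT_KEYS:
            if key in data:
                findings.append(f"{key} is not the key used by the sample; use pwNotificationDays")
        days = data.get("pwNotificationDays")
        if days is not None and not isinstance(days, int):
            findings.append("pwNotificationDays must be an <integer>, not a <string>")
        if data.get("syncLocalPassword") is not True:
            findings.append("syncLocalPassword is not true; local and AD passwords will drift")
    return findings
```

Run `lint_kerberos_sso(open("profile.mobileconfig", "rb").read())` against your own exported profile; an empty list means none of the checks fired.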
@nvandam Thanks a lot for this, extremely useful.
I'm trying to establish whether we'd be able to use the Single Sign On Extensions in our lab environment and remove the bind to AD altogether. I'm assuming a user account would need to be created on the system first, and then the system would prompt to sync up the login and AD passwords once logged in?
Also, in my testing folks aren't prompted to enter their AD credentials until they open up Safari which has a company home page based on SSO. How can I get the user to be prompted without opening up a web browser?
@jazminepena While it's certainly not impossible I think something like NoMAD LoginAD or Jamf Connect would be more beneficial in a lab environment if you're wanting/working toward a no-bind setup. With the SSO extension you would need a local account logged into the machine from the get go.
The SSO extension should be prompting you as soon as the config profile is installed on the machine. At least that has been my experience with it thus far. Are you using the mobileconfig shown above or the provided payload in jamf Pro?
@nvandam We have the exact same issue in our environment. It wasn't happening during the beta cycles, we were always able to change our passwords when we tried... but it started popping up around the GA release of 19A602.
Have you opened a FB or support ticket with Apple, have they given you any details?
@jmariani , I hadn't played with it during the betas, so I can't confirm it ever worked for us. I do not have a ticket open for that right now, no. But I can.
@ammonsc, I have tried changing that and rebooted and still nothing. I wasn't sure if I had it set up incorrectly because it says that capitalization matters, which I think I have right, but honestly it may be wrong.
Just checking if others have this working properly? I am using the posted sample PLIST and changing the domain and realm. I can log in to an AD account fine, but (1) the extension is showing my password never expires, which is not true, and (2) it is not syncing my password with my local account. If I log out, I have to use my original local password and not my AD password to log back in.