Catalina Single Sign On

Brent,

The Apple directions/test plan are in the Apple seed for IT program.

C

I’ve set it up. Works good. Some features are missing when compared to Enterprise Connect, but otherwise it works good and suits our needs.

Just to be clear, the Single Sign-On extension doesn't allow for logging in with email addresses, does it? That's a whole other thing we can't talk about yet, or at least I thought. SSO extension is basically just EC built in.

@ooshnoo So you are able to login to your Macs using email address and password? You dont happen to have a walk through of the setup or a link to the setup that you did, do you?

It is using AD, not Azure AD. So email address is not used to login.

@bmichael Setup info is not public yet. You need to use AppleSeed to get access to the config profile to test it.

@patgmac If possible and willing, can you share your SSO config that you're using to test??

Thanks in advance ::sp

@smpotter @bmichael You can piece together what you need to create the profile from the ExtensibleSingleSignOnKerberos developer documentation. Alternatively update to Jamf Pro 10.15 as they have added the Single Sign-On Extensions payload.

I have it working but was curious about it displaying how many days left till password expires. Per the doc it states to configure "pwExpirationDays" which I did but on the device its still showing "Password doesn't expire"...

@smpotter I'm not using that key, and it shows a countdown of days until expiration by default. Plus I don't even see that key listed in the doc. Are you sure you're not referring to: passwordNotificationDays

https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignonkerberos/extensiondata

Is it similar to Enterprise Connect PKI? I mean: does it support login/SSO via SmartCards?

Anyone know is SAP can work with this new single sign on mode - we are running nomad and no AD

@ooshnoo to clarify you have local users able to SSO into web applications for example? What IDP are you using? Have you got any instructions?

@jlattke it basically replaces Enterprise Connect. It can do SSO with smartcards. Super simple set up as long as you're using AD not AzureAD.

I have it mostly working, but get this error when I try to change the password.

@nvandam can you roughly describe how you set it up and what IDP you're using?

@petestanley , Here's the example .mobileconfig Apple has. Just change "example.com" to your domain. The upload that to Jamf and push to a 10.15 Mac. We are using AD.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ExtensionData</key>
            <dict>
                <key>allowAutomaticLogin</key>
                <true/>
                <key>isDefaultRealm</key>
                <false/>
                <key>pwNotificationDays</key>
                <integer>15</integer>
                <key>requireUserPresence</key>
                <false/>
                <key>syncLocalPassword</key>
                <true/>
                <key>useSiteAutoDiscovery</key>
                <true/>
            </dict>
            <key>ExtensionIdentifier</key>
            <string>com.apple.AppSSOKerberos.KerberosExtension</string>
            <key>Hosts</key>
            <array>
                <string>.example.com</string>
            </array>
            <key>PayloadDisplayName</key>
            <string>Single Sign-on Extensions</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdm.test.local.af517dc0-7353-0137-3524-3a008d11ab01.alacarte.single-sign-on-extension.79757090-7354-0137-3525-3a008d11ab01</string>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadUUID</key>
            <string>79757090-7354-0137-3525-3a008d11ab01</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Realm</key>
            <string>EXAMPLE.COM</string>
            <key>TeamIdentifier</key>
            <string>apple</string>
            <key>Type</key>
            <string>Credential</string>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Kerberos SSO</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.mdm.RJLmpb.local.af517dc0-7353-0137-3524-3a008d11ab01.alacarte</string>
    <key>PayloadOrganization</key>
    <string>Apple</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>af517dc0-7353-0137-3524-3a008d11ab01</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Thanks @nvandam!

@nvandam Thanks a lot for this, extremely useful.

I'm trying to establish whether we'd be able to use the Single Sign On Extensions in our lab environment and remove the bind to AD altogether. I'm assuming a user account would need to be created on the system first, and then the system would prompt to sync up the login and AD passwords once logged in?

Also, in my testing folks aren't prompted to enter their AD credentials until they open up Safari which has a company home page based on SSO. How can I get the user to be prompted without opening up a web browser?

@jazminepena While it's certainly not impossible I think something like NoMAD LoginAD or Jamf Connect would be more beneficial in a lab environment if you're wanting/working toward a no-bind setup. With the SSO extension you would need a local account logged into the machine from the get go.

The SSO extension should be prompting you as soon as the config profile is installed on the machine. At least that has been my experience with it thus far. Are you using the mobileconfig shown above or the provided payload in jamf Pro?

@mainelysteve Thanks. After some further testing, it does indeed seem to prompt after logging in.

I'm using the mobileconfig from earlier in the thread.

Has anyone figured out a way to pass your account credentials to the SSO extension when you're logged in with an AD mobile account? Screen shot attached of my current SSO profile.

And does anyone know how I can set the option 'Sign-In Automatically' by default in the config profile?

@nvandam Did you figure out what was up with the "Configuration file does not specify default realm" error? I am also seeing that.

@UbiquitousChris , I have not. :(

@nvandam We have the exact same issue in our environment. It wasn't happening in during the beta cycles, we were always able to change our passwords when we tried... but it started popping up around the GA release of 19A602.

Have you opened a FB or support ticket with Apple, have they given you any details?