Has anyone setup Single Sign on with Catalina OS? I heard about it in during their last event. I am up to date with the Catalina Beta but cannot find anything to set it up. https://developer.apple.com/videos/play/wwdc2019/303/ towards the end of this video is where it is mentioned. We want to have the Mac users login to their computers the same way our PC (All PCs are joined to Azure) users do by using their email address and password. Any recommendations?
Question
Catalina Single Sign On
+9@jmariani , I hadn't played with it during the betas, so I can't confirm it ever worked for us. I do not have a ticket open for that right now, no. But I can.
@ammonsc , I have tried changing that and rebooted and still nothing. I wasn't sure if I had it setup incorrectly because it says that capitalization matters, which I think I have it right, but honestly it may be wrong.
Just checking if others have this working properly? I am using the posted sample PLIST and changing the domain and realm. I can log in to an AD account fine, but (1) the extension is showing my password never expires, which is not true and (2) it is not sync my password with my local account. If I log out, I have to use my original local password and not my AD password to log back in.
+11@Vanegas , I believe it was introduced in 10.15.0. The payload settings are at like the bottom of the list in config profile creation view.
+11I'm guessing one of the options missing with this is the password-sync feature, checking if AD and local account passwords are different.
+8After looking at the configuration profile this seems very familiar to Apple Enterprise Connect. Am I correct to assume that there is not yet a way to use this with an off premise provider like okta?
@nvandam I figured something out. If you add the following lines to /etc/krb5.conf, the extension will function again.
[libdefaults]
default_realm = YOUR.REALM.HEREI have the same issue.. I;m working with my local apple tech team, but haven't figured out anything...
+6@UbiquitousChris I looked for that /etc/krb5.conf I actually dont have that file... I have a krb5.keytab and that's it in that location
+1
Have tried SSO see screenshot, still can't get it to auto load and fill in their AD credentials automatically. Have tried adding the etc/krb5.conf and no joy. Wondered what other people have done on here to get it to work.
+7@VladCabrera Hosts are the hosts that you want the extension to perform authentication for.
i.e. kerberos-site.mycompany.com
+22Most likely you want your hosts to be ".company.com", notice the period. That way it covers all addresses under company.com.
+6@bmichael thanks for creating this thread! I've combed through it and found some helpful information (kudos to @nvandam ) and got this up and running in our test environment. We mainly wanted it for syncing AD passwords with local accounts. Hoping to roll it out to about 650 MacBook Air users after a little more testing.
+7The only issue I'm seeing with the SSO is the fact that it states my password doesn't expire. Is anyone else seeing this behavior?
+9When I would first deploy it it would report that my password never expires. Once I logged out and back in it would report accuratly.
+11I'm consistently getting "Password doesn't expire" plus when I navigate to internal sites that use SSO Safari just hangs on a blank screen. If I take out the leading "." in hosts, the menubar icon just says "Updating Updating" and Safari forwards to my company's SSO host (I'm assuming this is basically just what would happen without the plugin). Enterprise Connect with as many matching flags as are supported works great. I wondering if maybe I need a redirect style profile that points to some URL like https://sso.mycompany.com/somethingsomething.
A little bit more documentation on this would be lovely.
+7I added the krb5.conf file, and now, when I run a kinit, it's actually prompting for my domain password, and giving me Kerberos ticket. I ran a kdestroy and have been authenticating through some internal sites, but it will not give me a new Kerberos ticket. I used the plist by @petestanley above and only changed the host and realm. Any suggestions?
+7Hello everyone, I'm trying to manually install the SSO mobileconfig file posted by nvandam above, but I keep getting the following message: "The “Single Sign On Extension” payload can only be installed from a user-approved MDM server."
BTW, I'm using Profile Manager.
Any ideas?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.