Question

Catalina Single Sign On

  • September 23, 2019
  • 123 replies
  • 684 views



boberito
  • Jamf Heroes
  • December 23, 2019

It cannot be installed manually. It's MDM only, like Approved Kernel Extensions or PPPC profiles.


  • Contributor
  • January 8, 2020

I've got the Credential Plist to work in our environment, huge thanks to @nvandam and @UbiquitousChris for their screenshots.

Does anyone have a redirect plist example? I'd like to test a URL SSO profile but I'm struggling to put the plist together.

TIA


  • Contributor
  • January 8, 2020

Gotta say, I'm sticking with Enterprise Connect and ignoring the SSO extension for now. The UX is better.


  • New Contributor
  • January 19, 2020

Hi,

Does somebody know how to enable Kerberos SSO Extension verbose logs?

We successfully use the Kerberos Extension with passwords but would like to switch to user certificates using a YubiKey.
In the Kerberos Extension certificate chooser, the certificates aren't listed.

Note: certificates come from our PKI (same as smartcards) and have the following attributes.


  • New Contributor
  • January 21, 2020

@barcollege is that feature available in jamf NOW?


  • Contributor
  • January 28, 2020

I have it working as well for our on-prem AD.
Though I see that the user has to log in with his/her email address and not with the username.
Is there a way to change it to username instead of email address?


  • New Contributor
  • January 28, 2020

Can I use this code for Redirect Extension in iOS?

import UIKit
import AuthenticationServices

class LoginViewController: UIViewController {
    var authController: ASAuthorizationController?
    // Replace the placeholder URL with your identity provider's URL.
    let authProvider = ASAuthorizationSingleSignOnProvider(identityProvider: URL(string: "https://example.com")!)

    @IBAction func logInWithMSAL(_ sender: Any) {
        // True only when an SSO extension registered for this identity provider is present on the device.
        if self.authProvider.canPerformAuthorization {
            let request = self.authProvider.createRequest()
            request.requestedOperation = ASAuthorization.OpenIDOperation.operationLogin
            self.authController = ASAuthorizationController(authorizationRequests: [request])
            self.authController?.delegate = self
            self.authController?.presentationContextProvider = self
            self.authController?.performRequests()
        } else {
            print("failed to perform authorization")
        }
    }
}

// The delegate and presentation-context conformances that `self` must provide for the code above.
extension LoginViewController: ASAuthorizationControllerDelegate, ASAuthorizationControllerPresentationContextProviding {
    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        // Handle the returned ASAuthorizationSingleSignOnCredential here.
    }

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
        print("authorization failed: \(error)")
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
        return self.view.window!
    }
}


  • Valued Contributor
  • January 28, 2020

Hi all, great thread. I have this sort of working, except on password change I get the following error box even though I know I'm meeting the password criteria, which is min 8 characters, at least one upper case, a number and a symbol, so a password like JamfPassword44! would be valid.

As I've been told the password failed, if I log in with the previous password it tells me it's incorrect.

Now if I use the new password (the one that failed in the first screenshot) it works and I get the sync box:

So why am I getting the password failed when it works?


  • Honored Contributor
  • January 28, 2020

If anyone wants the document from Apple about all of this:

https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf


  • New Contributor
  • January 29, 2020

Where will I add the apple-app-site-association file for the SSO extension?

In the WWDC19 tech-talk videos they said to add an association file on the server. My question is where I have to add this file: "Identity provider" or "somewhere else"?

{ "authsrv": { "apps": ["TeamId.com.example.sso"] } }


  • Valued Contributor
  • January 30, 2020

@andrew.nicholas thanks for sharing. I've got the green dots up and running


  • New Contributor
  • February 24, 2020

@jr139, did you roll it out to all Mac devices in your environment? How did you manage to deploy the krb5.conf file?


  • Valued Contributor
  • February 24, 2020

Added the krb5.conf but still get the error.


jr139
  • New Contributor
  • February 24, 2020

@jr139, did you roll it out to all Mac devices in your environment? How did you manage to deploy the krb5.conf file?

@Naveen_R We're still testing it internally in our department. We are going to get everyone on Catalina and roll it out this spring (hopefully).

We didn't have to do anything with the krb5 file. We simply rolled out the configuration profile with the extensible single sign on payload and changed the variables in the payload. We are most likely going to be blocking password change on the Mac side and directing everyone to a staff portal webpage to change their password. Since we have a variety of devices (both Mac and Windows) used by staff, we figured it would be easier to point them all to one location rather than have multiple sets of directions.


  • Valued Contributor
  • February 24, 2020

Is there a way on new Mac setup for this to Auto Login?

We set the Mac up using Jamf Connect Login which creates the user account with details via AD but we then would like the SSO Extension to autologin as one less user step is good :)


ImAMacGuy
  • Esteemed Contributor
  • February 25, 2020

When messing with the krb5 and other changes to the SSO Extension, you will need to run the following before the changes will take effect.

pkill -9 KerberosExtension

  • Contributor
  • February 25, 2020

Has anyone been able to add the pwChangeURL redirect, and if so, how?


ImAMacGuy
  • Esteemed Contributor
  • February 25, 2020

@ammonsc I just did. I added the following lines, and after pushing the updated config file, when I go to change password it brought me to the page.

                <key>pwChangeURL</key>
                <string>https://your_url</string>

  • Honored Contributor
  • February 25, 2020

I have this mostly working in Catalina and basic Kerberos/SSO functionality is working.

We have an 802.1X password change script specified in our Enterprise Connect configuration that updates keychain passwords for things like WiFi and Outlook. I understand I need to create a LaunchAgent (as logged in user) with the trigger "com.apple.KerberosPlugin.ADPasswordChanged".

I've gotten this far with the LaunchAgent:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>com.myorg.KerberosPasswordChange</string>
    <key>RunAtLoad</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <!-- launchd executes the first element as the program; without it the agent never starts.
             Placeholder path: point it at the watcher script that accepts -notification and -action. -->
        <string>/path/to/notification-watcher.swift</string>
        <string>-notification</string>
        <string>com.apple.KerberosPlugin.ADPasswordChanged</string>
        <string>-action</string>
        <string>/Library/Scripts/EnterpriseConnect/8021xpasschange.sh</string>
    </array>
</dict>
</plist>

Has anyone done this successfully with the Kerberos Single Sign-On Extension?

Thanks!


  • New Contributor
  • February 28, 2020

Has anyone had any luck getting their extension to fire? I believe I've got everything setup but it just doesn't trigger and I have no idea why.


jr139
  • New Contributor
  • February 28, 2020

@yuanyasmine I had to log out and log back in to get the extension to show up after deploying the configuration profile.


Eltord
  • Valued Contributor
  • February 28, 2020

I've started working on getting the kerberos extension to replicate our current Enterprise Connect needs. I see in the documentation that there is supposed to be an example plist entry for something to watch for its distributed notifications, but it doesn't appear to be there. @jtrant I see you were working on one, did you have success with what you have here or has anyone else been able to get one set up successfully to run their password change script when the user changes it?


  • Honored Contributor
  • February 28, 2020

@sheltond3, no, I wasn't able to get it to work.

I configured notification and action, and created a LaunchAgent running on my machine but it didn't fire. There's a "sample distributed notification" field but I can't figure out what that should be doing, or if it's even needed.


Eltord
  • Valued Contributor
  • March 2, 2020

Thanks for getting back to me. I'm meeting with our engineer rep from Apple on Wednesday in person to work out some stuff with the Kerberos Extension and some other open tickets. I'll post here what we work out for the launchd and such.



@jtrant I believe that "sample distributed notification" is the sample Swift script above the sample shell script, since it looks like that's what handles the action and notification flags being passed. The real kicker is the line that says the developer tools need to be installed to run said Swift script.
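For the LaunchAgent posted earlier in the thread and the -notification/-action flags discussed just above, here is an added example of what such a watcher script can look like. It is not Apple's sample from the Kerberos SSO Extension guide and not code from any poster; the script name notification-watcher.swift, the argument parsing and the exit codes are assumptions. As the thread notes, running a .swift script this way needs the developer tools installed (or compile it once with swiftc).

```swift
#!/usr/bin/swift
// Hypothetical watcher: launched by a LaunchAgent as
//   notification-watcher.swift -notification <name> -action <script>
// It runs <script> every time the named distributed notification is delivered.
import Foundation

/// Returns the argument following `flag`, or nil if the flag or its value is absent.
func argument(after flag: String, in args: [String]) -> String? {
    guard let index = args.firstIndex(of: flag), index + 1 < args.count else { return nil }
    return args[index + 1]
}

let args = CommandLine.arguments
guard let notificationName = argument(after: "-notification", in: args),
      let actionPath = argument(after: "-action", in: args) else {
    FileHandle.standardError.write("usage: \(args[0]) -notification <name> -action <script>\n".data(using: .utf8)!)
    exit(64) // EX_USAGE
}

// Refuse a missing or non-executable action up front: with KeepAlive set, launchd would
// otherwise keep respawning an agent that can never do its job.
guard FileManager.default.isExecutableFile(atPath: actionPath) else {
    FileHandle.standardError.write("action is not an executable file: \(actionPath)\n".data(using: .utf8)!)
    exit(66) // EX_NOINPUT
}

// The Kerberos SSO Extension posts com.apple.KerberosPlugin.ADPasswordChanged on the
// distributed notification center; observe that name and run the action on each delivery.
let observer = DistributedNotificationCenter.default().addObserver(
    forName: Notification.Name(notificationName), object: nil, queue: .main) { _ in
    let task = Process()
    task.executableURL = URL(fileURLWithPath: actionPath)
    do {
        try task.run()
        task.waitUntilExit()
        if task.terminationStatus != 0 {
            FileHandle.standardError.write("action exited with status \(task.terminationStatus)\n".data(using: .utf8)!)
        }
    } catch {
        FileHandle.standardError.write("failed to run action: \(error)\n".data(using: .utf8)!)
    }
}

// Keep the process (and the observer token) alive so notifications keep arriving.
withExtendedLifetime(observer) {
    RunLoop.main.run()
}
```

Because the agent runs in the logged-in user's session, the action script runs as that user, which is what a keychain-updating script such as the 802.1X one needs.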