Question

Catalina Single Sign On

  • September 23, 2019
  • 123 replies
  • 681 views

  • New Contributor
  • August 21, 2020

@UbiquitousChris you've saved my life. Thank you!


  • Honored Contributor
  • August 21, 2020

@sheltond3, this is really useful, thanks. Thanks for also sharing your script on Github!
@Karl941 , thanks for pointing me to that guide. Very helpful!


  • New Contributor
  • September 6, 2020

Hello guys, do you know how to prompt users to sync passwords using a script? I wrote a bash script to compare the dates of the password changes but don't have anything to trigger the sync screen.
I've been testing the password sync for a while and it always worked for me, but I was changing the password from the Kerberos extension tool.
The thing is that now in production, users have other ways to change passwords, like accessing a portal or using AI. So if they change passwords using other tools, they are not prompted to sync their passwords in the extension, even if the user signs out and signs in again.

Hope someone can help. Thank you!


  • Honored Contributor
  • September 9, 2020

Has anyone found a way to determine if the user is signed into the Kerberos SSO tool? I have an extension attribute for Enterprise Connect but since Kerberos SSO tool is built into the OS I can't figure out a way to do so with the new configuration.


boberito
  • Jamf Heroes
  • September 10, 2020

@jtrant you can use the command

app-sso -i AD-REALM

  • Honored Contributor
  • September 10, 2020

That command is nice, but the only way I can seem to make it work is to save its output to a file and then use defaults to read that. I don't like the idea of using an EA to write anything, and am less likely to use it to clean up what's been written. One syntax misstep and you're in for a world of hurt on all devices.

edit n/m, making it output json allows for easier manipulation.

app-sso -i "$ADREALM" -j | grep user_name | awk '{print $3}'

  • New Contributor
  • September 28, 2020

@jtrant, you can read the values of various keys available in com.apple.appSSOAgent.plist. It is a user-based plist, which means each and every account present on the device will have this plist. Path to the plist file: ~/Library/Preferences/com.apple.appSSOAgent.plist
I am using the same approach to read whether my users have completed the password sync activity or not through Extension Attributes, because users do have an option to cancel the password sync prompt.
If the user has signed into the Kerberos tool then you will have various values like Last Connected Date and Time, Last Site Name and so on...

Let me know if you need the bash code, I can share it.


  • Honored Contributor
  • September 29, 2020

Hi @Naveen_R, @boberito

Here's what I've come up with so far:

#!/bin/bash

loggedInUser=$( /usr/bin/stat -f %Su "/dev/console" )
adDomain=$(/usr/bin/app-sso -l -j | grep -- '"' | cut -d'"' -f2)
adUser=$(/usr/bin/app-sso -i "$adDomain" -j | grep user_name | cut -d'"' -f4)

if [[ ${loggedInUser} == "root" ]] || [[ ${loggedInUser} == "localadmin" ]] || [[ ${loggedInUser} == "adobeinstall" ]] || [[ ${loggedInUser} == "_mbsetupuser" ]]; then
    # A service or non-end-user account is on the console, so there is nothing to check.
    result="Local"
else
    if [[ ! -e "/Library/ManagedPreferences/com.apple.extensiblesso.plist" ]]; then
        # The Kerberos SSO profile is not installed, so nobody can be signed in.
        result="No"
    elif [[ -z ${adUser} ]]; then
        # Profile present, but app-sso reports no signed-in user.
        # Progress messages go to stderr so only the <result> block reaches the EA.
        echo "Kerberos SSO is installed, but no user is signed in." >&2
        result="No"
    else
        result="Yes"
    fi
fi

echo "<result>${result}</result>"

The 'Local' result is used to identify a not-logged-in result because a non-end-user is logged in. This may or may not be useful to you.

Let me know what you guys think!

Justin.


  • Valued Contributor
  • September 30, 2020

Here is an EA that grabs a bunch of SSO info. Might not be the most efficient way, but it works for us.

~Scott

#!/bin/bash

loggedInUser=$( /usr/bin/stat -f %Su "/dev/console" )
attrPlist="/Users/Shared/com.apple.KerberosSSO.attributes.plist"

# app-sso reports the console user's SSO state, so run it as that user and park the
# output where PlistBuddy can read it. /Users/Shared is world-readable, so the file
# is removed again before the script exits.
/usr/bin/su - "${loggedInUser}" -c "/usr/bin/app-sso -i YOURDOMAIN.COM" > "${attrPlist}"

ssoLoginTest=$( /usr/libexec/PlistBuddy -c "Print:login_date" "${attrPlist}" 2>&1 )

if [[ ${ssoLoginTest} == *"Does Not Exist"* ]]; then

    # User NOT logged into the single sign-on extension
    result="${loggedInUser} NOT logged into Single Sign-on Extension"

else

    result1=$( /usr/libexec/PlistBuddy -c "Print:upn" "${attrPlist}" | /usr/bin/awk -F@ '{print $1}' )
    result2=$( /usr/libexec/PlistBuddy -c "Print:password_expires_date" "${attrPlist}" )
    result3=$( /usr/libexec/PlistBuddy -c "Print:password_changed_date" "${attrPlist}" )
    result4=$( /usr/libexec/PlistBuddy -c "Print:login_date" "${attrPlist}" )
    result5=$( /usr/libexec/PlistBuddy -c "Print:realm" "${attrPlist}" )
    result6=$( /usr/libexec/PlistBuddy -c "Print:site_code" "${attrPlist}" )

    result="Kerberos SSO Signed-in User: ${result1}
AD Password Expiration Date: ${result2}
AD Password Last Changed Date: ${result3}
Last SSO Login Date: ${result4}
Kerberos Realm: ${result5}
Kerberos Site Code: ${result6}"

fi

# Both branches now land in ${result}, so the not-signed-in case is reported too.
/bin/rm -f "${attrPlist}"

echo "<result>${result}</result>"

exit 0
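
The two EAs above shell out to app-sso, and the second parks its output in /Users/Shared for PlistBuddy. As an added example that is not from the thread, here is a POSIX-shell version of the same sign-in check against the JSON form of app-sso's output, kept in memory, which also covers the earlier question about detecting when the AD password was changed after the local one. The JSON sample, the key names beyond those quoted in this thread, and the local-password-change timestamp are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: parse the JSON that `app-sso -i REALM -j`
# prints entirely in memory, so nothing is written under /Users/Shared.
# SAMPLE_JSON is CONSTRUCTED output; the keys mirror those used in this thread.
SAMPLE_JSON='{
  "user_name" : "jdoe",
  "upn" : "jdoe@EXAMPLE.COM",
  "realm" : "EXAMPLE.COM",
  "login_date" : "2020-09-28T08:15:00Z",
  "password_changed_date" : "2020-09-29T12:00:00Z",
  "password_expires_date" : "2020-12-28T12:00:00Z"
}'

# json_value JSON KEY: print the string value of a top-level key (empty if absent).
json_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# iso_to_num 2020-09-28T08:15:00Z -> 20200928081500. Two UTC ISO-8601 stamps become
# integers that -gt can compare, with no platform-specific `date` flags needed.
iso_to_num() {
    printf '%s' "$1" | tr -cd '0-9'
}

# sso_status JSON: "Yes" when user_name is present (signed in), else "No".
sso_status() {
    if [ -n "$(json_value "$1" user_name)" ]; then echo "Yes"; else echo "No"; fi
}

# password_needs_sync JSON LOCAL_CHANGED: true (exit 0) when the AD password was
# changed after the local account password, i.e. the user should be prompted to sync.
# LOCAL_CHANGED (ISO-8601 UTC) is supplied by the caller; obtaining it is out of scope.
password_needs_sync() {
    ad=$(iso_to_num "$(json_value "$1" password_changed_date)")
    lc=$(iso_to_num "$2")
    [ -n "$ad" ] && [ "$ad" -gt "${lc:-0}" ]
}

# ea_result JSON LOCAL_CHANGED: the one-line <result> an extension attribute would return.
ea_result() {
    if password_needs_sync "$1" "$2"; then sync="out of sync"; else sync="in sync"; fi
    printf '<result>Signed in: %s; Realm: %s; Password: %s</result>\n' \
        "$(sso_status "$1")" "$(json_value "$1" realm)" "$sync"
}

ea_result "$SAMPLE_JSON" "2020-09-01T09:00:00Z"
```

On a real Mac the SAMPLE_JSON assignment would be replaced by running app-sso in the console user's context, as Scott's script does with su.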

  • Contributor
  • November 10, 2020

Do you actually get a prompt when your password is within the pwNotificationDays? Can anyone provide a screenshot?

In testing this for the first time, my local password did not sync. I changed it again and it synced. Does the SSO extension know to check this and prompt you to sync them if they are out of sync? If so, how often does it check?


  • Valued Contributor
  • April 8, 2021

Is there any way to set up the Kerberos SSO so it doesn't run under some user accounts in Catalina? We've got a non-admin account used as a 'guest' account on machines that we'd rather not get synced to someone's AD password. I tried a script run at login-every with outset that kills it, but it relaunches. Relaunch would normally be good, but not in this case. I guess I could set up a launchdaemon for the user account that checks if it's running and kills it every 10 seconds or something?


boberito
  • Jamf Heroes
  • April 9, 2021

No. File feedback.


stutz
  • Contributor
  • April 12, 2021

Anyone having to use the kdestroy command to get this Kerberos extension working again? I have to do this 2-3 times a week. When we had NoMAD configured we did not see this issue. Is there something I need to look at in the configuration profile to stop this from happening?


  • Valued Contributor
  • April 12, 2021

@stutz Unfortunately I have a question rather than an answer for you. We still haven't explored options other than binding but it's on the radar. Is there a reason you're trying out the kerberos extension rather than NoMAD? I've heard a lot of good things about it so this move makes me curious. Thanks.


  • Contributor
  • April 12, 2021

@jhuls We use Nomad on machines running legacy or outdated OS versions i.e. Sierra, High Sierra and Mojave. Nothing against it as it's an excellent tool, but not having to install another package just to get this simple functionality was a major motivation to use the SSO/Kerberos extension on our Catalina and up machines.


stutz
  • Contributor
  • April 14, 2021

@jhuls I echo what @mainelysteve said. One less third party package to manage. With this extension that functionality is built into the OS and won't have to rely on a third party developer fixing issues and making it compatible with newer releases.


  • Valued Contributor
  • April 14, 2021

Thanks for the responses. I actually figured that aspect was a given but didn't know if there was anything regarding features or bugs that made those decisions.


  • Contributor
  • April 21, 2021

Nomad definitely has more features, such as managing wifi certificates and mounting network shares.


  • Contributor
  • April 21, 2021

@SteveC Absolutely. It's best to list your needs and determine which one will fit the environment best. For us we don't use wifi certs and my staff haven't used network shares since the Stone Age. It boiled down to ensuring we got accurate accounting in PaperCut and that the user got placed in the correct web filter group, both of which are AD controlled.


  • April 23, 2021

Has anyone utilized the triggers for the SSO/Kerberos extension? According to the guide it'll send a distributed notification when the corporate network is online that could trigger a script that would mount a network share. See page 17.
https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf


  • Honored Contributor
  • April 23, 2021

@_ssrussell If you haven't seen it yet, HCS has a really good article on the Kerberos SSO extension and includes documentation on how to implement scripts (they provide the necessary Distributed notification listener app as well.)

https://hcsonline.com/images/PDFs/Jamf_Kerberos.pdf


  • Valued Contributor
  • April 26, 2021

@stutz

You on Big Sur? Known issue with Big Sur and the Kerberos cache. If you have access to AppleSeed, check out the release notes for 11.4 beta 1.


  • Contributor
  • May 13, 2021

@RBlount had a quick read. Are you, or anyone here, able to clarify the benefits of using the SSO extension over and above using NoMAD, which already has the built-in script functionality/mounting of drives and other various features OOB? I appreciate the SSO Kerb extension is now a part of the Apple MDM framework/config profiles and built into the OS from Catalina onwards, but reading all the above posts, it seems like a lot of extra work, configuration and effort is required to be able to deliver what NoMAD (free version) provides with minimal config. Happy to be wrong, as I'm keen to make this jump to the more supported built-in/standard framework, if the gains are of benefit.