Posted on 01-17-2024 09:52 AM
Hello,
I am attempting to configure the Single Sign-On Extension Config Profile, but opening it up I am immediately at a loss for how to do so.
What is the difference between the Payload Type SSO and Kerberos?
Are there instructions somewhere for how to configure both, depending on which we choose to use?
Any guidance on how to configure this is greatly appreciated.
Infrastructure information:
We are hosting Jamf Pro on premises.
Our Mac Computers are bound to AD.
01-17-2024 10:33 AM - edited 01-17-2024 10:36 AM
On macOS, SSO comes from a Single Sign-On App Extension. For example, Microsoft's SSOe is built into the Microsoft Company Portal app, and Okta's SSOe is built into the Okta Verify app. Once the respective application for the SSOe you need to use is on the device, you can deploy a configuration profile to enable SSOe. As far as how to build the configuration profile, the vendor should have documentation. I have put Microsoft's and Okta's documentation below.
Apple no longer designs macOS with Domain Binding in mind. I would not spend cycles trying to get anything involving domain binding to work, it won't end well.
Microsoft:
Direct download for the comp portal app: https://go.microsoft.com/fwlink/?linkid=853070
https://learn.microsoft.com/en-us/mem/intune/apps/apps-company-portal-macos
How to do the thing: https://learn.microsoft.com/en-us/mem/intune/configuration/use-enterprise-sso-plug-in-macos-with-int...
Okta:
https://apps.apple.com/us/app/okta-verify/id490179405
How to do the thing: https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/config-credential-sso-ext-mac...
Posted on 01-17-2024 10:40 AM
Hi AJPinto,
So using the Single Sign-On Extension in Jamf requires a program to be downloaded and installed? So if I want to use the Kerberos Payload type for the Single Sign-On Extension Configuration Profile, what would I need?
Posted on 01-17-2024 12:25 PM
Apple's SSO extension is built into the OS and appears as a menu bar app. Kerberos behaves like a bind and requires on-prem access to AD. SSO is a redirect to your IDP. I thought it was an either/or in terms of Kerberos or SSO but could be wrong.
I think these were the documents I used for the setup.
https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf
https://support.apple.com/guide/deployment/kerberos-sso-extension-depe6a1cda64/web
Posted on 01-17-2024 12:39 PM
I suppose, what exactly are you trying to configure? The tickets (Kerberos or otherwise) need to come from the correct IDP. The tool you need to configure to generate the tickets will differ based on what IDP you are using. I may have overcomplicated the answer as most things have moved to OAuth2 for ticket authentication.
If it's just Apple's SSO extension that you are after, which will give you Kerberos tickets, that is built into macOS and just needs a Configuration Profile. It does not have full functionality for mobile accounts though; PW sync, for example, is disabled for mobile accounts. This just supports on-prem AD, and not AAD.
apple.com/za/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf
How to do the thing: HCS Technology Group - A Guide for Configuring the macOS Catalina Kerberos Single Sign-On Extension ...
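As an added illustration of the two payload types the thread contrasts (this is not code from the thread, from Jamf or from Apple): the Python below builds an Extensible SSO payload of each kind using Apple's documented payload keys, the Kerberos one (Type Credential, Apple's built-in extension, on-prem realm and hosts) and the IdP one (Type Redirect, a vendor's extension), checks that each has the keys its Type needs, and serialises the result as a .mobileconfig plist. The realm, hosts, URLs, vendor extension and team identifiers, and the com.example identifier prefix are constructed placeholders.

```python
import plistlib
import uuid
EXTENSIBLE_SSO = "com.apple.extensiblesso"
KERBEROS_EXTENSION = "com.apple.AppSSOKerberos.KerberosExtension"
REQUIRED = {"Credential": ("Realm", "Hosts"), "Redirect": ("URLs",)}

def _base(name):
    """Keys every payload shares; the com.example identifier prefix is a placeholder."""
    return {"PayloadType": EXTENSIBLE_SSO, "PayloadVersion": 1,
            "PayloadDisplayName": name, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": f"com.example.sso.{uuid.uuid4()}"}

def kerberos_payload(realm, hosts, sync_local_password=False):
    """Jamf's 'Kerberos' payload type: Apple's built-in extension, Type=Credential."""
    p = _base("Kerberos SSO Extension")
    p.update({
        "ExtensionIdentifier": KERBEROS_EXTENSION, "TeamIdentifier": "apple",
        "Type": "Credential",
        "Realm": realm.upper(),  # Kerberos realms are conventionally upper-case
        "Hosts": list(hosts),    # domains whose Kerberos challenges the extension answers
        "ExtensionData": {"syncLocalPassword": sync_local_password,  # no effect for mobile accounts
                          "useSiteAutoDiscovery": True}})
    return p

def redirect_payload(extension_id, team_id, urls):
    """Jamf's 'SSO' payload type: a vendor IdP extension, Type=Redirect (ids are assumed)."""
    p = _base("IdP SSO Extension")
    p.update({"ExtensionIdentifier": extension_id, "TeamIdentifier": team_id,
              "Type": "Redirect", "URLs": list(urls)})
    return p

def validate(payload):
    """Return the problems found; an empty list means the Type has what it needs."""
    problems = []
    if payload.get("PayloadType") != EXTENSIBLE_SSO:
        problems.append("PayloadType must be com.apple.extensiblesso")
    kind = payload.get("Type")
    if kind not in REQUIRED:
        problems.append(f"Type must be Credential or Redirect, got {kind!r}")
    for key in ("ExtensionIdentifier", "TeamIdentifier") + REQUIRED.get(kind, ()):
        if not payload.get(key):
            problems.append(f"{kind or 'payload'} needs {key}")
    return problems

def to_mobileconfig(payloads):
    """Wrap the payloads in a top-level profile and serialise it as an XML plist."""
    top = _base("Single Sign-On Extension")
    top.update({"PayloadType": "Configuration", "PayloadContent": list(payloads)})
    return plistlib.dumps(top)
```

The bytes returned by to_mobileconfig can be written to a .mobileconfig file and uploaded to Jamf Pro as a custom profile, or used to compare against what the Jamf UI generates.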