Configure an SSO extension on iOS devices

On managed iOS devices, you must create an SSO extension profile to enable Okta FastPass authentication that doesn't show sign-in prompts.

The SSO extension forwards requests from a browser or app to Okta Verify so that users aren't prompted to open Okta Verify.

Before you begin

Ensure that your environment meets these conditions:

• Devices are managed.

• The device operating system and browsers are supported. See Supported platforms for Okta Verify.

• You're familiar with these resources:

  • VMware: Configure an SSO Extension Profile

  • Apple: Extensible Single Sign-On Kerberos MDM payload settings for Apple devices, Introducing Extensible Enterprise SSO

Start this task

1. Integrate Okta with your MDM software. See Integrate Okta with your MDM software.

2. In Workspace ONE, click RESOURCESProfiles & BaselinesProfiles.

3. Click ADD, and then select Add Profile.

4. Click Apple iOS.

5. In the Workspace ONE Unified Endpoint Management (UEM) tool, go to DevicesProfiles.

6. Click Device Profile.

7. Configure the following settings:

   Tab	Setting	Value
   SSO Extension	Extension Type	Generic
   	Extension Identifier	com.okta.mobile.auth-service-extension
   	Team Identifier	Enter the 10-character team identifier of your SSO app extension generated by Apple. B7F62B65BN
   	Type	Credential
   	Realm	Okta Device
   	Hosts	Enter your Okta org domain without the protocol scheme. For example, enter yourdomain.example.com, not https://yourdomain.example.com
   	Additional Settings	Certificate: Select None. Custom XML: Enter the Secret Key that you generated in the Okta Admin Console (see Configure Device Management for mobile devices) using the following syntax: <dict><key>managementHint</key><string>enter-Secret-Key-here</string></dict> For more configuration settings, see Okta Verify configurations for iOS devices.
   General	Name	Enter a name to identify your profile.
   	Deployment	Managed
   	Assignment Type	Auto
   	Allow Removal	Always
   	Smart Groups	Create or select an existing Smart Group applicable to the users you've targeted for passwordless authentication: User Group: Create or select one or more user groups. Platform and Operating System: Apple iOS13.0.0 or later
   	Exclusions	No

8. Save and publish your changes.

SSO extension failure

If the SSO extension fails, users click a deep link to open Okta Verify. The SSO extension might fail in these situations:

• Users try to access an Okta-protected resource from a browser or app that uses WebView.

• The SSO extension MDM profile isn't installed.

User experience

If Okta Verify is installed but isn't managed by your MDM software, users receive an Additional setup required message. A wizard guides the users through the device management setup.

After they complete the steps, users must sign out of their org, and sign in again before they can access apps protected by Okta.

Next steps

Add an authentication policy rule for mobile