Configure an SSO extension on iOS devices

On managed iOS devices, you must create an SSO extension profile to enable Okta FastPass authentication that doesn't show sign-in prompts.

The SSO extension forwards requests from a browser or app to Okta Verify so that users aren't prompted to open Okta Verify.

Before you begin

Ensure that your environment meets these conditions:

Start this task

  1. Integrate Okta with your MDM software. See Integrate Okta with your MDM software.

  2. In Workspace ONE, click RESOURCES > Profiles & Baselines > Profiles.

  3. Click ADD, and then select Add Profile.

  4. Click Apple iOS.

  5. In the Workspace ONE Unified Endpoint Management (UEM) tool, go to Devices > Profiles.

  6. Click Device Profile.

  7. Configure the following settings:

    Tab: SSO Extension

    • Extension Type: Generic
    • Extension Identifier: com.okta.mobile.auth-service-extension
    • Team Identifier: Enter the 10-character team identifier of your SSO app extension generated by Apple. B7F62B65BN
    • Type: Credential
    • Realm: Okta Device
    • Hosts: Enter your Okta org domain without the protocol scheme. For example, enter yourdomain.example.com, not https://yourdomain.example.com
    • Additional Settings

    Tab: General

    • Name: Enter a name to identify your profile.
    • Deployment: Managed
    • Assignment Type: Auto
    • Allow Removal: Always
    • Smart Groups: Create or select an existing Smart Group applicable to the users you've targeted for passwordless authentication:
        • User Group: Create or select one or more user groups.
        • Platform and Operating System: Apple iOS 13.0.0 or later
    • Exclusions: No

  8. Save and publish your changes.
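
A check you can run over the published profile to confirm that it carries the values from the table above. This is an added example, not part of the Okta or Workspace ONE documentation. It assumes the profile is available as an unsigned plist (.mobileconfig) and that the table's settings map to the keys of Apple's com.apple.extensiblesso payload (ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts); the sample profiles are constructed.

```python
import plistlib

# Values taken from the settings table on this page.
EXPECTED = {
    "ExtensionIdentifier": "com.okta.mobile.auth-service-extension",
    "TeamIdentifier": "B7F62B65BN",
    "Type": "Credential",
    "Realm": "Okta Device",
}
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"  # assumed mapping: Apple's Extensible SSO payload


def check_sso_profile(profile_bytes):
    """Return a list of findings; an empty list means the profile matches the table."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == SSO_PAYLOAD_TYPE]
    if not payloads:
        return ["no com.apple.extensiblesso payload in profile"]
    findings = []
    for p in payloads:
        for key, want in EXPECTED.items():
            if p.get(key) != want:
                findings.append(f"{key}: expected {want!r}, found {p.get(key)!r}")
        hosts = p.get("Hosts") or []
        if not hosts:
            findings.append("Hosts: no hosts configured")
        for h in hosts:
            # The page requires the bare org domain, with no protocol scheme.
            if "://" in h or "/" in h or h != h.strip():
                findings.append(f"Hosts: {h!r} must be a bare domain")
    return findings


def build_sample(hosts, realm="Okta Device"):
    """Constructed sample profile (not exported from a real tenant)."""
    payload = dict(EXPECTED, PayloadType=SSO_PAYLOAD_TYPE, Realm=realm, Hosts=hosts)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


if __name__ == "__main__":
    for label, data in [
        ("good", build_sample(["yourdomain.example.com"])),
        ("bad", build_sample(["https://yourdomain.example.com"], realm="Okta")),
    ]:
        print(label, check_sso_profile(data) or "OK")
```
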

SSO extension failure

If the SSO extension fails, users click a deep link to open Okta Verify. The SSO extension might fail in these situations:

  • Users try to access an Okta-protected resource from a browser or app that uses WebView.

  • The SSO extension MDM profile isn't installed.

User experience

If Okta Verify is installed but isn't managed by your MDM software, users receive an Additional setup required message. A wizard guides the users through the device management setup.

After they complete the steps, users must sign out of their org and sign in again before they can access apps protected by Okta.

Next steps

Add an authentication policy rule for mobile