Configure an SSO extension on managed macOS devices
On managed devices, the most secure and seamless way to authenticate on Safari and in-app browsers is through the Apple Single Sign-On (SSO) extension. The SSO extension hides the Open Okta Verify browser prompt and introduces phishing resistance properties to the authentication flow.
The SSO extension isn't supported on Chrome or Firefox. These browsers use a local web server to communicate with Okta Verify, so they don't require an SSO extension to hide the Open Okta Verify prompt or to enable phishing resistance.
Before you begin
Verify that the following conditions are met:
- The device is managed.
- The device is on a supported operating system. See Supported platforms, browsers, and operating systems.
- Okta is configured as a Certificate Authority with a dynamic SCEP challenge. See Configure Okta as a CA with dynamic SCEP challenge for macOS with Jamf Pro.
- You're familiar with these resources:
You can create the SSO extension in Jamf Pro or Microsoft Endpoint Manager:
If you're using different MDM software, see Extensible Single Sign-On MDM payload settings for Apple devices. Use the configuration values provided in this procedure.
Create an SSO extension profile in Jamf Pro
- In Jamf Pro, go to .
- Click + New.
- Click the Options tab.
- Scroll down, and then click Single Sign-On Extensions.
- Click + Add.
- On the Single Sign-on Extensions page, configure the following fields:
  - Extension Identifier: com.okta.mobile.auth-service-extension
  - Team Identifier: B7F62B65BN
  - Sign-On Type: Credential
  - Realm: Okta Device
  - Hosts: Enter your Okta org domain, for example, acme.okta.com.
  - If you use a custom URL domain in your org, click + Add, and then enter your custom URL domain. Don't include https:// or any other protocol prefix. After you complete this step, you have two domains, for example, acme.okta.com and id.acmecorp.biz.
- Click Save.
Create an SSO extension profile in Microsoft Endpoint Manager
If you're using different MDM software, see Extensible Single Sign-On MDM payload settings for Apple devices. Use the configuration values provided in this procedure.
- In the Microsoft Endpoint Manager admin center, go to Devices.
- Click Configuration Profiles.
- Click + Create profile.
- On the Basics page, enter the following:
  - Platform: macOS
  - Profile Type: Select Settings catalog and click Create.
- Click + Add.
- On the Basics page, enter the following:
  - Name: Enter a name for the profile, for example, macOS seamless SSO.
  - Description: Enter an optional description for the profile.
  - Platform: This is pre-set to macOS.
- On the Configuration settings page, click + Add settings and enter the following information through the Settings picker:
  - Select .
  - Select the following settings: Extension Identifier, Team Identifier, Sign-On Type, Realm, and Hosts.
  - Close the Settings picker.
- On the Single Sign-on Extensions page, configure the following fields:
  - Extension Identifier: com.okta.mobile.auth-service-extension
  - Team Identifier: B7F62B65BN
  - Sign-On Type: Credential
  - Realm: Okta Device
  - Hosts: Enter your Okta org domain, for example, acme.okta.com.
  - If you use a custom URL domain in your org, click + Add, and then enter your custom URL domain. Don't include https:// or any other protocol prefix. After you complete this step, you have two domains, for example, acme.okta.com and id.acmecorp.biz.
- Click Next.
- On the Scope Tags page, add any necessary tags and click Next.
- On the Create device configuration policy page, under the Assignments tab, assign the app to groups. Click Next.
- On the same page, under the Review + create tab, review the app configuration, and then click Create.
SSO extension failures
If the SSO extension fails, the authentication flow falls back to the sign-in page. The SSO extension might fail in the following situations:
- The SSO extension MDM profile isn't installed.
- Okta hasn't been configured as a Certificate Authority with dynamic SCEP.
- The SSO extension profile in Jamf Pro isn't configured correctly.
- A user tried to access an Okta-protected resource using Chrome (without silent access) or Firefox.
- A user tried to access an Okta-protected resource through Safari or an in-app browser from an unmanaged device.
- The extension identifier isn't correct.
- The user is trying to access the resource from an org that isn't configured under Hosts.
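The field values given in the Jamf Pro and Microsoft Endpoint Manager procedures above correspond to the keys of Apple's com.apple.extensiblesso payload (ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts), and several of the failure conditions listed here are visible in the profile before it is deployed. The Python script below is an added example, not Okta's, Apple's, or any MDM vendor's code: it parses a .mobileconfig profile and checks it against the values on this page, reporting a missing payload, a wrong extension or team identifier, an org domain that isn't listed under Hosts, and a host entry that carries a protocol prefix. The sample profile embedded in it is constructed for the example, and its PayloadIdentifier and PayloadUUID values are placeholders.

```python
"""Pre-deployment check for an Apple Extensible SSO payload that targets Okta Verify.

Added example, not Okta's or Apple's code. It reads a .mobileconfig plist,
locates the com.apple.extensiblesso payload, and compares it with the values
this page specifies. The profile below is constructed for the example; its
PayloadIdentifier and PayloadUUID values are placeholders.
"""
import plistlib

SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"

# Values this page specifies for the Okta Verify SSO extension.
EXPECTED = {
    "ExtensionIdentifier": "com.okta.mobile.auth-service-extension",
    "TeamIdentifier": "B7F62B65BN",
    "Type": "Credential",      # "Sign-On Type: Credential" in the MDM console
    "Realm": "Okta Device",
}

# Constructed sample profile (placeholder identifiers and UUIDs).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.okta-sso-profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>macOS seamless SSO</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key><string>example.okta-sso-payload</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ExtensionIdentifier</key><string>com.okta.mobile.auth-service-extension</string>
      <key>TeamIdentifier</key><string>B7F62B65BN</string>
      <key>Type</key><string>Credential</string>
      <key>Realm</key><string>Okta Device</string>
      <key>Hosts</key>
      <array>
        <string>acme.okta.com</string>
        <string>id.acmecorp.biz</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def find_sso_payloads(profile_bytes):
    """Return every com.apple.extensiblesso payload in the profile (usually one)."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == SSO_PAYLOAD_TYPE]


def check_sso_payload(profile_bytes, org_host):
    """Return a list of problems; an empty list means the payload matches this page.

    org_host is the bare Okta org domain (or custom domain) users sign in to.
    """
    problems = []
    payloads = find_sso_payloads(profile_bytes)
    if not payloads:
        # No payload at all: the extension is not installed by this profile,
        # so Safari falls back to the sign-in page.
        return [f"no {SSO_PAYLOAD_TYPE} payload found"]
    payload = payloads[0]

    # Extension identifier, team identifier, sign-on type and realm must match exactly.
    for key, expected in EXPECTED.items():
        actual = payload.get(key)
        if actual != expected:
            problems.append(f"{key}: expected {expected!r}, found {actual!r}")

    # Hosts must be bare domains (no https:// prefix, no path) and must include the org.
    hosts = payload.get("Hosts", [])
    if not hosts:
        problems.append("Hosts: empty; the extension will not activate for any domain")
    for host in hosts:
        if "://" in host or "/" in host:
            problems.append(f"Hosts: {host!r} must be a bare domain with no protocol prefix")
    if org_host not in hosts:
        problems.append(f"Hosts: org domain {org_host!r} not listed; "
                        "sign-in from it falls back to the sign-in page")
    return problems


if __name__ == "__main__":
    for host in ("acme.okta.com", "id.acmecorp.biz"):
        print(host, check_sso_payload(SAMPLE_PROFILE, host) or "OK")
```

To check a real profile exported from Jamf Pro or Microsoft Endpoint Manager, read the file's bytes and pass them to check_sso_payload together with the org domain you entered under Hosts; the checks cover only what the profile itself can show, so the SCEP certificate and device-management status still need to be verified separately.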
Related topics
Configure Okta as a CA with dynamic SCEP challenge for macOS with Jamf Pro