Configure an SSO extension on iOS devices

On managed iOS devices, you must create an SSO extension profile to enable Okta FastPass authentication that doesn't show sign-in prompts. The SSO extension forwards requests from a browser or app to Okta Verify. Therefore, the browser or app doesn't prompt users to open Okta Verify.

Before you begin

Ensure that your environment meets these conditions:

Start this task

  1. Integrate Okta with your MDM software. See Integrate Okta with your MDM software.

  2. In Workspace ONE, click RESOURCES > Profiles & Baselines > Profiles.
  3. Click ADD, and then select Add Profile.
  4. Click Apple iOS.
  5. In VMware Workspace ONE UEM, go to Devices > Profiles.
  6. Click Device Profile.
  7. Configure the following settings:

    | Tab | Setting | Value |
    |-----|---------|-------|
    | SSO Extension | Extension Type | Generic |
    | | Extension Identifier | com.okta.mobile.auth-service-extension |
    | | Type | Credential |
    | | Realm | Okta Device |
    | | Hosts | Enter your Okta org domain without the protocol scheme. For example, enter yourdomain.example.com, not https://yourdomain.example.com |
    | | Additional Settings | |
    | General | Name | Enter a name |
    | | Deployment | Managed |
    | | Assignment Type | Auto |
    | | Allow Removal | Always |
    | | Smart Groups | Create or select an existing Smart Group applicable to the users you've targeted for passwordless authentication. User Group: Create or select one or more User Groups. Platform and Operating System: Apple iOS 13.0.0 or later |
    | | Exclusions | No |
  8. Save and publish your changes.

Troubleshooting

If the SSO extension fails, users click a deep link to open Okta Verify. The SSO extension might fail in these situations:

  • Users try to access an Okta-protected resource from a browser or a native app that uses WebView.
  • The SSO extension MDM profile isn't installed.

User experience

If Okta Verify is installed but not managed by your MDM software, users receive this message: Additional setup required. A wizard guides the users through the device management setup. After they complete the steps, users must sign out of their organization, and then sign in again, before they can access apps protected by Okta.

Next steps

Add an authentication policy rule for mobile