Configure a seamless SSO Okta FastPass experience for iOS devices

You can create an SSO extension profile that forwards requests from a browser or app to Okta Verify. This provides end users on managed devices with a seamless single sign-on (SSO) experience. End users are no longer required to click an extra browser prompt before they sign in through Okta Verify.

Okta tested this configuration using VMware Workspace ONE UEM (AirWatch), but other MDM software that supports iOS should also work.

Before you begin

Verify that:

Start this procedure

  1. Integrate Okta with your MDM software.

    See Integrate Okta with your MDM software.

  2. In Workspace ONE, click RESOURCES (left ribbon bar) > Profiles & Baselines > Profiles.
  3. Click ADD, and then select Add Profile.
  4. Click Apple iOS.
  5. In VMware Workspace ONE UEM, go to Devices > Profiles.
  6. Click Device Profile.
  7. Configure the following settings:

    Tab: SSO Extension

    • Extension Type: Generic
    • Extension Identifier: com.okta.mobile.auth-service-extension
    • Type: Credential
    • Realm: Okta Device
    • Hosts: Enter your Okta org domain without the protocol scheme. For example, enter yourdomain.example.com, not https://yourdomain.example.com
    • Additional Settings:
      • Certificate: Select None.
      • Custom XML: Enter the Secret Key that you generated in the Okta Admin Console (see Configure Device Management for mobile devices) using the following syntax:

        <dict><key>managementHint</key><string>enter-Secret-Key-here</string></dict>

    Tab: General

    • Name: Enter a name
    • Deployment: Managed
    • Assignment Type: Auto
    • Allow Removal: Always
    • Smart Groups: Create or select an existing Smart Group applicable to the end users you've targeted for passwordless authentication:
      • User Group: Create or select one or more User Groups.
      • Platform and Operating System: Apple iOS 13.0.0 or later
    • Exclusions: No
  8. Save and publish your changes.
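As an added example (not Okta's or VMware's code), the following Python script builds the Apple Extensible SSO payload that the profile settings above correspond to and rejects the two mistakes the table warns about: a Hosts value that still carries a protocol scheme, and a managementHint left at the placeholder. The mapping of the Workspace ONE fields onto the com.apple.extensiblesso keys, the PayloadIdentifier and the secret value are assumptions.

```python
import plistlib
import uuid
# Values taken from the profile table above.
EXTENSION_IDENTIFIER = "com.okta.mobile.auth-service-extension"
EXTENSION_TYPE = "Credential"
REALM = "Okta Device"

def host_problem(host: str) -> "str | None":
    """Explain why a Hosts entry is unusable, or return None for a bare domain.

    Hosts wants yourdomain.example.com, not https://yourdomain.example.com; with
    a scheme the extension never matches and sign-in falls back to the Universal Link.
    """
    host = host.strip()
    if not host:
        return "empty host"
    if "://" in host:
        return "remove the protocol scheme (https://)"
    if "/" in host or " " in host:
        return "use only the domain, with no path or spaces"
    return None

def build_sso_payload(org_host: str, management_hint: str) -> dict:
    """Build the com.apple.extensiblesso payload for the Okta Verify extension.

    Assumed: Workspace ONE's Extension Identifier/Type/Realm/Hosts/Custom XML
    map onto Apple's ExtensionIdentifier/Type/Realm/Hosts/ExtensionData keys.
    """
    problem = host_problem(org_host)
    if problem:
        raise ValueError(f"Hosts entry {org_host!r}: {problem}")
    if not management_hint or management_hint == "enter-Secret-Key-here":
        raise ValueError("managementHint is still the placeholder; paste the Secret Key")
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.okta-sso-extension",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "ExtensionIdentifier": EXTENSION_IDENTIFIER,
        "Type": EXTENSION_TYPE,
        "Realm": REALM,
        "Hosts": [org_host.strip().lower()],
        # The Custom XML <dict> from the table becomes this dictionary.
        "ExtensionData": {"managementHint": management_hint},
    }

def plist_roundtrip(payload: dict) -> dict:
    """Serialize as an XML plist and parse it back; equal output means no loss."""
    return plistlib.loads(plistlib.dumps(payload))
```

Run `host_problem()` on the value you intend to paste into Hosts before publishing the profile; a non-None result is the scheme or path mistake the table warns about.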

If SSO Extension fails

If SSO Extension fails for any reason, the authentication flow falls back to the Universal Link. Reasons for SSO Extension failure include:

  • An end user tries to access the protected resource through Chrome or Firefox
  • An end user tries to access the protected resource through Safari from an unmanaged device
  • The SSO Extension MDM profile isn't installed

End users see the "Additional setup required" message

If Okta Verify is installed but not already managed by your MDM software, end users are guided through the app management process before they can access device trust-secured apps. After completing the app management steps, end users need to sign out of their organization, and then sign in again, before accessing an app.

Next steps