Configure an SSO extension on iOS devices
On managed iOS devices, you must create an SSO extension profile to enable Okta FastPass authentication that doesn't show sign-in prompts. The SSO extension forwards requests from a browser or app to Okta Verify. Therefore, the browser or app doesn't prompt users to open Okta Verify.
Before you begin
Ensure that your environment meets these conditions:
- Devices are managed.
- The device operating system and browsers are supported. See Supported platforms for Okta Verify.
- You're familiar with these resources:
Start this task
Integrate Okta with your MDM software. See Integrate Okta with your MDM software.
- In Workspace ONE, click .
- Click ADD, and then select Add Profile.
- Click Apple iOS.
- In VMware Workspace ONE UEM, go to .
- Click Device Profile.
- Configure the following settings:
SSO Extension Extension Type Generic Extension Identifier com.okta.mobile.auth-service-extension Type Credential Realm Okta Device Hosts
Enter your Okta org domain without the protocol scheme.
For example, enter yourdomain.example.com, not https://yourdomain.example.com
- Certificate: Select None.
- Custom XML: Enter the Secret Key that you generated in the Okta Admin Console (see Configure Device Management for mobile devices) using the following syntax:
For more configuration settings, see Managed app configurations for iOS devices.
General Name Enter a name Deployment Managed Assignment Type Auto Allow Removal Always Smart Groups
Create or select an existing Smart Group applicable to the users you've targeted for passwordless authentication:
- User Group: Create or select one or more User Groups.
- Platform and Operating System: Apple iOS 13.0.0 or later
Save and publish your changes.
If the SSO extension fails, users click a deep link to open Okta Verify. The SSO extension might fail in these situations:
- Users try to access an Okta-protected resource from a browser or a native app that uses WebView.
- The SSO extension MDM profile isn't installed.
If Okta Verify is installed but not managed by your MDM software, users receive this message: Additional setup required. A wizard guides the users through the device management setup. After they complete the steps, users must sign out of their organization, and then sign in again, before they can access apps protected by Okta.