Configure a seamless SSO Okta FastPass experience for iOS devices

You can create an SSO extension profile that forwards requests from a browser or app to Okta Verify. This provides end users on managed devices with a seamless single sign-on (SSO) experience. End users are no longer required to click an extra browser prompt before they sign in through Okta Verify.

Okta tested this configuration using VM Workspace ONE UEM (AirWatch), but other iOS-supported mobile device management (MDM) software should work.

Before you begin

Verify that:

Devices are managed
Devices are running iOS 13 or iOS 14
You are using the Safari browser
You are familiar with these resources:
- VMware: Configure an SSO Extension Profile
- Apple:
  - Extensible Single Sign-On Kerberos MDM payload settings for Apple devices
  - Introducing Extensible Enterprise SSO

Start this procedure

Integrate Okta with your MDM software.

See Integrate Okta with your MDM software.
In Workspace ONE, click RESOURCES (left ribbon bar) > Profiles & Baselines > Profiles.
Click ADD, and then select Add Profile.
Click Apple iOS.
In VMware Workspace ONE UEM, go to Devices > Profiles.
Click Device Profile.

Configure the following settings:

Tab	Setting	Value
SSO Extension	Extension Type	Generic
	Extension Identifier	`com.okta.mobile.auth-service-extension`
	Type	Credential
	Realm	Okta Device
	Hosts	Enter your Okta org domain without the protocol scheme. For example, enter `yourdomain.example.com`, not `https://yourdomain.example.com`
	Additional Settings	Certificate: Select None. Custom XML: Enter the Secret Key that you generated in the Okta Admin Console (see Configure Device Management for mobile devices) using the following syntax: `<dict><key>managementHint</key><string>enter-Secret-Key-here</string></dict>`
General	Name	Enter a name
	Deployment	Managed
	Assignment Type	Auto
	Allow Removal	Always
	Smart Groups	Create or select an existing Smart Group applicable to the end users you’ve targeted for passwordless authentication: User Group: Create or select one or more User Groups. Platform and Operating System: Apple iOS 13.0.0 or later
	Exclusions	No

Save and publish your changes.

If SSO Extension fails

If SSO Extension fails for any reason, the authentication flow falls back to the Universal Link. Reasons for SSO Extension failure include:

An end user tries to access the protected resource through Chrome or Firefox
An end user tries to access the protected resource through Safari from an unmanaged device
SSO Extension MDM profile is not installed

End users see the "Additional setup required" message

If Okta Verify is installed but not already managed by your MDM software, end users are guided through the app management process before they can access device trust-secured apps. After completing the app management steps, end users need to sign out of their organization, and then sign in again, before accessing an app.

Next steps

Add an authentication policy rule for mobile