Configure a seamless SSO Okta FastPass experience for iOS devices
You can create an SSO extension profile that forwards requests from a browser or app to Okta Verify. This provides end users on managed devices with a seamless single sign-on (SSO) experience. End users are no longer required to click an extra browser prompt before they sign in through Okta Verify.
Okta tested this configuration using VMware Workspace ONE UEM (AirWatch), but other iOS-supported mobile device management (MDM) software should work.
Before you begin
Verify that:
- Devices are managed
- Devices are running iOS 13 or iOS 14
- You are using the Safari browser
- You are familiar with these resources:
Start this procedure
- Integrate Okta with your MDM software.
- In Workspace ONE, click RESOURCES (left ribbon bar) > Profiles & Baselines > Profiles.
- Click ADD, and then select Add Profile.
- Click Apple iOS.
- In VMware Workspace ONE UEM, go to Devices > Profiles.
- Click Device Profile.
- Configure the following settings:

| Tab | Setting | Value |
|---|---|---|
| SSO Extension | Extension Type | Generic |
| SSO Extension | Extension Identifier | com.okta.mobile.auth-service-extension |
| SSO Extension | Type | Credential |
| SSO Extension | Realm | Okta Device |
| SSO Extension | Hosts | Enter your Okta org domain without the protocol scheme. For example, enter yourdomain.example.com, not https://yourdomain.example.com |
| SSO Extension | Additional Settings | Certificate: Select None. Custom XML: Enter the Secret Key that you generated in the Okta Admin Console (see Configure Device Management for mobile devices) using the following syntax: `<dict><key>managementHint</key><string>enter-Secret-Key-here</string></dict>` |
| General | Name | Enter a name |
| General | Deployment | Managed |
| General | Assignment Type | Auto |
| General | Allow Removal | Always |
| General | Smart Groups | Create or select an existing Smart Group applicable to the end users you’ve targeted for passwordless authentication. User Group: Create or select one or more User Groups. Platform and Operating System: Apple iOS 13.0.0 or later |
| General | Exclusions | No |

- Save and publish your changes.
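Before publishing, it is worth checking the values above for the mistakes that silently break the extension (a scheme in the Hosts field, the placeholder left in the Custom XML). The following pre-flight check is an added example, not Okta's or VMware's code; the dictionary keys it reads (`extension_identifier`, `custom_xml`, and so on) are this script's own names for the profile fields, not MDM API fields.

```python
"""Pre-flight check for the Workspace ONE SSO Extension profile values."""
import plistlib
import re
from xml.parsers.expat import ExpatError

EXPECTED_EXTENSION_ID = "com.okta.mobile.auth-service-extension"
PLACEHOLDER_HINT = "enter-Secret-Key-here"
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # bare domain: no scheme, path or port


def parse_management_hint(custom_xml: str):
    """Return the managementHint string from the Custom XML <dict> fragment, or None."""
    # Workspace ONE takes a bare <dict>; wrap it in <plist> so plistlib accepts it.
    wrapped = f'<plist version="1.0">{custom_xml}</plist>'
    try:
        data = plistlib.loads(wrapped.encode())
    except (plistlib.InvalidFileException, ExpatError):
        return None
    hint = data.get("managementHint") if isinstance(data, dict) else None
    return hint if isinstance(hint, str) else None


def check_profile(profile: dict) -> list[str]:
    """Return a list of problems; an empty list means the values match the table."""
    problems = []
    if profile.get("extension_type") != "Generic":
        problems.append("Extension Type must be Generic")
    if profile.get("extension_identifier") != EXPECTED_EXTENSION_ID:
        problems.append(f"Extension Identifier must be {EXPECTED_EXTENSION_ID}")
    if profile.get("type") != "Credential":
        problems.append("Type must be Credential")
    if profile.get("realm") != "Okta Device":
        problems.append("Realm must be Okta Device")
    hosts = profile.get("hosts", [])
    if not hosts:
        problems.append("At least one Okta org host is required")
    for host in hosts:
        if "://" in host or not HOST_RE.match(host):
            problems.append(f"Host must be a bare domain without scheme, not {host!r}")
    if profile.get("certificate", "None") != "None":
        problems.append("Certificate must be None")
    hint = parse_management_hint(profile.get("custom_xml", ""))
    if hint is None:
        problems.append("Custom XML must be a <dict> with a managementHint string")
    elif hint == PLACEHOLDER_HINT:
        problems.append("managementHint still holds the placeholder value")
    return problems


if __name__ == "__main__":
    # Constructed sample with the two most common mistakes: scheme in Hosts, placeholder Secret Key.
    sample = {"extension_type": "Generic", "extension_identifier": EXPECTED_EXTENSION_ID,
              "type": "Credential", "realm": "Okta Device", "certificate": "None",
              "hosts": ["https://yourdomain.example.com"],
              "custom_xml": f"<dict><key>managementHint</key><string>{PLACEHOLDER_HINT}</string></dict>"}
    print("\n".join(check_profile(sample)) or "profile values look correct")
```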
If SSO Extension fails
If SSO Extension fails for any reason, the authentication flow falls back to the Universal Link. Reasons for SSO Extension failure include:
- An end user tries to access the protected resource through Chrome or Firefox
- An end user tries to access the protected resource through Safari from an unmanaged device
- SSO Extension MDM profile is not installed
End users see the "Additional setup required" message
If Okta Verify is installed but not already managed by your MDM software, end users are guided through the app management process before they can access device trust-secured apps. After completing the app management steps, end users need to sign out of their organization, and then sign in again, before accessing an app.