Configure a seamless SSO Okta FastPass experience on macOS devices

Depending on your configuration, end users have a seamless or non-seamless Okta FastPass experience:

  • Seamless: End users don't see additional Okta Verify browser prompts. Okta Verify silently signs in the user, or prompts the user for Touch ID, when they access an org or application that requires authentication.

  • Non-seamless (default): End users must click an extra browser prompt (Open Okta Verify) before they sign in through Okta Verify. For example:

    [Two images, not reproduced here: examples of the Open Okta Verify browser prompt]

You can provide end users on managed devices with a seamless single sign-on (SSO) experience by creating an SSO extension profile that automatically forwards requests from a browser or app to Okta Verify.

Non-Safari browsers such as Chrome and Firefox don't require additional configuration for a seamless Okta FastPass experience on macOS, whether or not the device is managed. In those browsers, Okta Verify must be running in the background for the experience to be seamless.

Before you begin

Verify that the following conditions are met:

Start this procedure

  1. Create an SSO extension profile in your mobile device management (MDM) software to optimize the end-user experience in Safari and native apps.

    See Create an SSO extension profile in Jamf Pro.

  2. Optional. Configure Okta FastPass to optimize the passwordless authentication experience for end users on Chrome.

    See Configure Okta FastPass.

    The following table details when an Okta FastPass experience is supported:

    Browser or app | Managed device, SSO extension configured | Managed device, SSO extension not configured | Unmanaged device
    Safari | Yes | No | No
    Chrome and Firefox | Yes* | Yes* | Yes*
    Native apps that redirect to the default browser for authentication (for example, Slack, Zoom, and Box) | Depends on the default browser of the device (see the rows above) | Depends on the default browser (see the rows above) | Depends on the default browser (see the rows above)
    Native apps that use an embedded WebView (for example, Apple WKWebView or Office 365) | Yes | No | No

    * Okta Verify must be running in the background for a seamless end-user experience.

    Note: Okta FastPass can be triggered silently, or it can require the end user to click a browser prompt. To let end users skip the Open Okta Verify prompt, see Let users skip the Open Okta Verify prompt.

Create an SSO extension profile in Jamf Pro

Okta tested this configuration using Jamf Pro, but other macOS-supported mobile device management (MDM) software should work.

If you're using different MDM software, see Extensible Single Sign-On MDM payload settings for Apple devices for configuration support and use the configuration values that are provided in this procedure.

  1. In Jamf Pro, go to Computers > Configuration Profiles.
  2. Click + New.
  3. Click the Options tab.
  4. Scroll down, and then click Single Sign-On Extensions.
  5. Click +Add.
  6. On the Single Sign-on Extensions page, enter the following:
    1. Extension Identifier: Enter com.okta.mobile.auth-service-extension.
    2. Team Identifier: Enter B7F62B65BN.
    3. Sign-On Type: Select Credential.
    4. Realm: Enter Okta Device.
    5. Hosts: Enter your Okta org domain. For example, acme.okta.com.
    6. If you implement a custom URL domain in your org, click + Add, and then enter your custom URL domain. Do not include the protocol scheme (for example, don't include https://). When complete, you'll have two domains:

      • org.example.com
      • id.example.com

  7. Click Save.

If the SSO extension fails, the authentication flow falls back to the sign-in page. The following reasons might cause the SSO extension to fail:

  • The SSO extension MDM profile isn't installed
  • The SSO extension profile in Jamf Pro is configured incorrectly
  • An end user tried to access the protected resource through Chrome (without silent access) or Firefox
  • An end user tried to access the protected resource through Safari from an unmanaged device
  • The Extension Identifier isn't correct
  • The org that the end user is trying to access isn't configured under Hosts
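If you deploy the profile with MDM software other than Jamf Pro, or want to confirm that an exported profile carries the values from the procedure above before pushing it, the following Python script is an added example (not Okta's or Jamf's code, and not part of the original page). It builds an Apple Extensible SSO payload (PayloadType com.apple.extensiblesso, keys ExtensionIdentifier, TeamIdentifier, Type, Realm and Hosts) from the Jamf Pro values, then checks a profile for the failure causes listed above: wrong Extension Identifier, an org missing from Hosts, and Hosts entries that wrongly include a scheme. The reverse-DNS payload identifiers, the display name and the PayloadScope value are assumptions for the example; the org domains are constructed sample input.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

# Values from the Jamf Pro procedure on this page.
OKTA_EXTENSION_ID = "com.okta.mobile.auth-service-extension"
OKTA_TEAM_ID = "B7F62B65BN"
SSO_TYPE = "Credential"
REALM = "Okta Device"
SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"  # Apple's Extensible SSO payload type


def build_sso_profile(hosts, extension_id=OKTA_EXTENSION_ID, team_id=OKTA_TEAM_ID,
                      display_name="Okta Verify SSO extension"):
    """Serialize a .mobileconfig that carries one Extensible SSO payload.

    `hosts` holds bare domains (no scheme, no path), e.g. "acme.okta.com" plus a
    custom domain such as "id.example.com". The payload identifiers, display name
    and PayloadScope below are assumed values for this example, not Okta settings.
    """
    sso_payload = {
        "PayloadType": SSO_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.okta-sso.extensiblesso",  # assumed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        # The settings the Jamf Pro procedure asks for, plus the host list.
        "ExtensionIdentifier": extension_id,
        "TeamIdentifier": team_id,
        "Type": SSO_TYPE,
        "Realm": REALM,
        "Hosts": list(hosts),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.okta-sso",  # assumed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        "PayloadScope": "System",  # assumed: device-level, like a Jamf computer profile
        "PayloadContent": [sso_payload],
    }
    return plistlib.dumps(profile)


def check_sso_profile(profile_bytes, org_url):
    """Return the reasons this profile would NOT give org_url a seamless SSO flow.

    An empty list means every profile-side failure cause listed on the page is
    absent for that org. org_url may be a full URL or a bare hostname.
    """
    problems = []
    profile = plistlib.loads(profile_bytes)
    sso_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == SSO_PAYLOAD_TYPE]
    if not sso_payloads:
        return ["profile contains no %s payload" % SSO_PAYLOAD_TYPE]
    p = sso_payloads[0]

    expected = {"ExtensionIdentifier": OKTA_EXTENSION_ID, "TeamIdentifier": OKTA_TEAM_ID,
                "Type": SSO_TYPE, "Realm": REALM}
    for key, want in expected.items():
        if p.get(key) != want:
            problems.append("%s is %r, expected %r" % (key, p.get(key), want))

    hosts = p.get("Hosts") or []
    for h in hosts:
        # Hosts must be bare domains: "acme.okta.com", never "https://acme.okta.com/".
        if "://" in h or "/" in h:
            problems.append("Hosts entry %r must be a domain without scheme or path" % h)

    # Accept either a full URL or a bare hostname for the org being tested.
    org_host = (urlsplit(org_url).hostname or org_url).lower()
    if org_host not in {h.lower() for h in hosts}:
        problems.append("org host %r is not listed under Hosts" % org_host)
    return problems


if __name__ == "__main__":
    ok = build_sso_profile(["acme.okta.com", "id.example.com"])  # constructed sample domains
    print(check_sso_profile(ok, "https://acme.okta.com/app/slack"))  # prints []
    bad = build_sso_profile(["https://acme.okta.com"])
    for msg in check_sso_profile(bad, "acme.okta.com"):
        print("problem:", msg)
```

Run it as a script to see a correct profile pass and a profile whose Hosts entry includes https:// fail twice (once for the scheme, once because the bare org host is then not matched). To audit a profile exported from your MDM, read its bytes and pass them to check_sso_profile together with your org URL.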

Related topics