Configure an SSO extension for managed macOS devices

On managed devices, the most secure and seamless way to authenticate on Safari and in-app browsers is with Apple's SSO extension. The SSO extension hides the Open Okta Verify browser prompt, and introduces phishing resistance properties to the authentication flow.

Before you begin

Verify that the following conditions are met:

• The device is managed.
• The device is on a supported operating system. See Supported platforms, browsers, and operating systems for additional information.
• Okta is configured as a Certificate Authority with a dynamic SCEP challenge. See Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro
• You're familiar with these resources:
  • Jamf Pro: Computer Configuration Profiles
  • Apple: Extensible Single Sign-On MDM payload settings for Apple devices, Introducing Extensible Enterprise SSO

Start this task

1. Create an SSO extension profile in your mobile device management (MDM) software. See Create an SSO extension profile in Jamf Pro.

2. Configure Okta FastPass for a passwordless authentication experience. See Configure Okta FastPass.

Create an SSO extension profile in Jamf Pro

If you're using different MDM software, see Extensible Single Sign-On MDM payload settings for Apple devices. Use the configuration values that are provided in this procedure.

1. In Jamf Pro, go to Computers > Configuration Profiles.
2. Click + New.
3. Click the Options tab.
4. Scroll down, and then click Single Sign-On Extensions.
5. Click +Add.
6. On the Single Sign-on Extensions page, enter the following information:
   1. Extension Identifier: Enter com.okta.mobile.auth-service-extension.
   2. Team Identifier: Enter B7F62B65BN.
   3. Sign-On Type: Select Credential.
   4. Realm: Enter Okta Device.
   5. Hosts: Enter your Okta org domain. For example, acme.okta.com.
   6. If you implement a custom URL domain in your org, click + Add, and then enter your custom URL domain. Don't include the protocol scheme. For example, don't include https://. After you complete this step, you have two domains: org.example.com and id.example.com.
   7. Configure the management hint. The authentication policy requires this configuration.

7. Click Save.

If the SSO extension fails, the authentication flow falls back to the sign-in page. The SSO extension might fail in these situations:

• The SSO extension MDM profile isn't installed.
• Okta hasn't been configured as a Certificate Authority with dynamic SCEP.
• The SSO extension profile in Jamf Pro isn't configured correctly.
• A user tried to access an Okta-protected resource through Chrome (without silent access) or Firefox.
• A user tried to access an Okta-protected resource through Safari from an unmanaged device.
• The extension identifier isn't correct.
• The user is trying to access the resource from an org that isn't configured under Hosts.

Related topics

Configure Okta as a CA with dynamic SCEP challenge for macOS using Jamf Pro

Configure an SSO extension on iOS devices