Configure a seamless SSO Okta FastPass experience on macOS devices
Depending on your configuration, end users will have a seamless or non-seamless Okta FastPass experience:
-
Seamless: End users don’t see additional Okta Verify browser prompts. Okta Verify silently signs in the user or prompts the user for Touch ID when they access an org or application that requires access.
-
Non-seamless (default): End users are required to click an extra browser prompt before they sign in through Okta Verify. For example:
or
You can provide end users on managed devices with a seamless single sign-on (SSO) experience by creating an SSO extension profile that automatically forwards requests from a browser or app to Okta Verify.
Non-Safari browsers, such as Chrome or Firefox, do not require additional configuration to support a seamless SSO Okta FastPass experience on macOS devices that are managed or not managed.
Before you begin
Verify that the following conditions are met:
- The device is managed.
- The device is running macOS Catalina or later.
- The browser is Safari. SSO extension is not supported on Chrome or Firefox.
- You are familiar with these documents:
Start this procedure
-
Create an SSO extension profile in your mobile device management (MDM) software, to optimize the end-user experience on Safari and Native apps.
-
Optional. Configure Okta FastPass, to optimize the passwordless authentication experience for end users on Chrome.
The following table details when an Okta FastPass experience is supported:
Browser or app
Devices that are managed + SSO extension is configured
Devices that are managed + SSO is not configured
Devices that are not managed
Safari
Yes
No
No
Chrome and Firefox
Yes*
Note: Okta FastPass can be triggered silently or it can require the end user to click a browser prompt. To allow end users to prevent the Open Okta Verify prompt, see Let users skip the Open Okta Verify prompt.
Native apps that redirect to the default browser for authentication (for example, Slack, Zoom, and Box).
Yes, depending on the default browser of the device (see the previous table rows).
Native apps that use embedded WebView (for example, Apple WKWebView, or Office 365).
Yes
No
No
* Okta Verify must be running in the background for a seamless end-user experience.
See Create an SSO extension profile in Jamf Pro.
Create an SSO extension profile in Jamf Pro
Okta tested this configuration using Jamf Pro, but other macOS-supported mobile device management (MDM) software should work.
If you're using different MDM software, see Extensible Single Sign-On MDM payload settings for Apple devices for configuration support and use the configuration values that are provided in this procedure.
- In Jamf Pro, go to Computers > Configuration Profiles.
- Click + New.
- Click the Options tab.
- Scroll down, and then click Single Sign-On Extensions.
- Click +Add.
- On the Single Sign-on Extensions page, enter the following:
- Extension Identifier: Enter com.okta.mobile.auth-service-extension.
- Team Identifier: Enter B7F62B65BN.
- Sign-On Type: Select Credential.
- Realm: Enter Okta Device.
- Hosts: Enter your Okta org domain. For example, acme.okta.com.
- org.example.com
- id.example.com
If you implement a custom URL domain in your org, click + Add, and then enter your custom URL domain. Do not include the protocol scheme (for example, don't include https://). When complete, you'll have two domains:
-
Click Save.
If the SSO extension fails, the authentication flow falls back to the sign-in page. The following reasons might cause the SSO extension to fail:
- The SSO extension MDM profile isn't installed
- The SSO extension profile in Jamf Pro isn't configured incorrectly
- An end user tried to access the protected resource through Chrome (without silent access) or Firefox
- An end user tried to access the protected resource through Safari from an unmanaged device
- The Extension Identifier isn't correct
- The org that the end user is trying to access isn't configured under Hosts