Configure an SSO extension on iOS devices
On managed iOS devices, create an SSO extension profile to enable Okta FastPass authentication without sign-in prompts.
The SSO extension forwards requests from a browser or app to Okta Verify so that users aren't prompted to open Okta Verify.
Before you begin
Ensure that your environment meets these conditions:
- Devices are managed.
- The device is running a supported operating system and browser. See Supported platforms for Okta Verify.
- Okta is configured with your MDM software. See Integrate Okta with your MDM software.
Start this task
These instructions are for Workspace ONE. If you're using Microsoft Intune, see Deploy Okta Verify to iOS devices with Microsoft Intune.
- In Workspace ONE, click .
- Click ADD, and then select Add Profile.
- Click Apple iOS.
- Go to .
- Click Device Profile.
- Configure the following settings on the SSO Extension tab:

  | Setting | Value |
  | --- | --- |
  | Extension Type | Generic |
  | Extension Identifier | com.okta.mobile.auth-service-extension |
  | Team Identifier | Enter the 10-character team identifier of your SSO app extension generated by Apple: B7F62B65BN |
  | Type | Credential |
  | Realm | Okta Device |
  | Hosts | Enter your Okta org domain without the protocol scheme. For example, enter yourdomain.example.com, not https://yourdomain.example.com |
  | Additional Settings | Certificate: Select None. Custom XML: Enter the Secret Key that you generated in the Okta Admin Console. See Configure Device Management for mobile devices. Use the syntax shown after this table. |

  ```xml
  <dict>
      <key>managementHint</key>
      <string>{Your-Okta-Secret-Key}</string>
  </dict>
  ```

  For more configuration settings, see Okta Verify configurations for iOS devices.
- Configure the following settings on the General tab:

  | Setting | Value |
  | --- | --- |
  | Name | Enter a name to identify your profile. |
  | Deployment | Managed |
  | Assignment Type | Auto |
  | Allow Removal | Always |
  | Smart Groups | Create or select an existing Smart Group applicable to the users you want to target for passwordless authentication. User Group: Create or select one or more user groups. Platform and Operating System: Apple iOS 13.0.0 or later |
  | Exclusions | No |

- Save and publish your changes.
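A pre-publish check of the SSO Extension values from the procedure above, added here as an illustration and not Okta or Workspace ONE code. The function names and the input format (a dict keyed by the setting labels, a list of hosts, and the Custom XML text) are assumptions, as is treating the team identifier as alphanumeric.

```python
import re
import xml.etree.ElementTree as ET

# Fixed values taken from the SSO Extension table on this page.
EXPECTED = {
    "Extension Type": "Generic",
    "Extension Identifier": "com.okta.mobile.auth-service-extension",
    "Type": "Credential",
    "Realm": "Okta Device",
}

def check_hosts(hosts):
    """Hosts must be bare domain names: no scheme, path, port or spaces."""
    problems = []
    for host in hosts:
        if "://" in host:
            problems.append(f"Hosts: remove the protocol scheme from {host!r}")
        elif not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", host):
            problems.append(f"Hosts: {host!r} is not a bare domain name")
    return problems

def check_custom_xml(fragment):
    """Require <dict> holding managementHint with a real (non-placeholder) value."""
    try:
        root = ET.fromstring(fragment)
    except ET.ParseError as exc:
        return [f"Custom XML: not well-formed ({exc})"]
    items = list(root)  # <dict> children alternate <key>, value, <key>, value...
    pairs = {(k.text or "").strip(): v
             for k, v in zip(items[::2], items[1::2]) if k.tag == "key"}
    value = pairs.get("managementHint")
    secret = (value.text or "").strip() if value is not None else ""
    if root.tag != "dict" or value is None or value.tag != "string" or not secret:
        return ["Custom XML: need <dict> with managementHint and a <string> value"]
    if secret.startswith("{") and secret.endswith("}"):
        return ["Custom XML: placeholder was not replaced with the Secret Key"]
    return []  # messages never echo the secret itself

def check_profile(settings, hosts, custom_xml):
    """Return problems ([] = OK). Assumes the team identifier is alphanumeric."""
    problems = [f"{k}: expected {v!r}" for k, v in EXPECTED.items() if settings.get(k) != v]
    if not re.fullmatch(r"[A-Za-z0-9]{10}", settings.get("Team Identifier", "")):
        problems.append("Team Identifier: must be 10 alphanumeric characters")
    return problems + check_hosts(hosts) + check_custom_xml(custom_xml)

# Constructed sample: a scheme left in Hosts and the placeholder left in the XML.
SAMPLE = dict(EXPECTED, **{"Team Identifier": "B7F62B65BN"})
SAMPLE_XML = "<dict><key>managementHint</key><string>{Your-Okta-Secret-Key}</string></dict>"
print(check_profile(SAMPLE, ["https://yourdomain.example.com"], SAMPLE_XML))
```

Because the check reports problems without printing the secret, its output can go into a change ticket or CI log.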
SSO extension failure
The SSO extension might fail in these situations:
- Users try to access an Okta-protected resource from a browser or app that uses WebView.
- The SSO extension MDM profile isn't properly installed.
User experience
If Okta Verify is installed but isn't managed through your MDM software, users receive an Additional setup required message. Okta then guides the user through the device management setup.
After they complete the steps, users must sign out of their org, and sign in again before they can access apps protected by Okta.
