Configure an SSO extension on managed macOS devices

On managed devices, the most secure and seamless way to authenticate on Safari and in-app browsers is with Apple's SSO extension. The SSO extension hides the Open Okta Verify browser prompt and introduces phishing resistance properties to the authentication flow.

SSO extension isn't supported on Chrome or Firefox. These browsers communicate with Okta Verify using a local web server. They don't require an SSO extension to hide the Open Okta Verify prompt or to enable phishing resistance.

Before you begin

Verify that the following conditions are met:

Create an SSO extension profile in Jamf Pro

If you're using different MDM software, see Extensible Single Sign-On MDM payload settings for Apple devices. Use the configuration values that are provided in this procedure.

  1. In Jamf Pro, go to ComputersConfiguration Profiles.
  2. Click + New.
  3. Click the Options tab.
  4. Scroll down, and then click Single Sign-On Extensions.
  5. Click +Add.
  6. On the Single Sign-on Extensions page, configure the following fields:
    1. Extension Identifier: Enter com.okta.mobile.auth-service-extension.
    2. Team Identifier: Enter B7F62B65BN.
    3. Sign-On Type: Select Credential.
    4. Realm: Enter Okta Device.
    5. Hosts: Enter your Okta org domain. For example, acme.okta.com.
    6. If you implement a custom URL domain in your org, click + Add, and then enter your custom URL domain. Don't include https:// or any other protocol scheme. After you complete this step, you have two domains: acme.okta.com and id.acmecorp.biz.
  7. Click Save.

If the SSO extension fails, the authentication flow falls back to the sign-in page. The SSO extension might fail in these situations:

  • The SSO extension MDM profile isn't installed.
  • Okta hasn't been configured as a Certificate Authority with dynamic SCEP.
  • The SSO extension profile in Jamf Pro isn't configured correctly.
  • A user tried to access an Okta-protected resource through Chrome (without silent access) or Firefox.
  • A user tried to access an Okta-protected resource through Safari or a native app webview from an unmanaged device.
  • The extension identifier isn't correct.
  • The user is trying to access the resource from an org that isn't configured under Hosts.

Related topics

Configure Okta as a CA with dynamic SCEP challenge for macOS with Jamf Pro

Configure an SSO extension on iOS devices