Extensible Single Sign-On

Administrators can use the Extensible Single Sign-On settings to enable single sign-on for native apps and websites on managed iOS devices.

Identity providers, such as IBM Security Verify, can use this configuration to implement seamless authentication when users sign in to native apps and websites. Users authenticate once and then automatically gain access to subsequent native apps and websites.

Extensible Single Sign-On settings

The following table describes the settings that you can use to configure the app extensions for single sign-on.
Policy setting Description Supported devices
Configure for Type Select one of the following sign-on types.
  • Credential
  • Kerberos
  • Redirect
  • Verify Conditional
 

Credential settings

The following table describes the Credential settings.
Policy setting Description Supported devices
Extension Identifier The bundle identifier of the app extension that performs SSO for the specified URLs.  
Realm The realm name for the Credential payloads.
Note: This value is case-sensitive.
 
Hosts The hostnames or domain names for which apps can authenticate through the app extension.
Note:
  • Host and domain name matching is not case-sensitive.
  • The host and domain names of all installed Extensible SSO payloads must be unique.
  • Host names that begin with a “.” are wildcard suffixes and match all subdomains (a bare domain that also needs SSO must be listed separately). Otherwise, the host must be an exact match.
 
Denied Bundle Identifiers The bundle identifiers of apps that must not use the SSO provided by this extension. iOS 15 and later
Screen Locked Behavior If this setting is set to Cancel, the system cancels authentication requests while the screen is locked. If set to DoNotHandle, the request proceeds without SSO instead.
Note: This setting does not apply to requests where userInterfaceEnabled is set to false or to background NSURLSession requests.
Supported devices: iOS 15 and later
Extension Data Data that is passed through the app extension in the form of key-value pairs. For example, key1=value1; key2=value2.  

Kerberos settings

The following table describes the policy settings for configuring the app extension that performs single sign-on (SSO) with the Kerberos extension.
Policy setting Description Supported devices
Hosts The host or domain names for which the app extension performs SSO.
Note:
  • The host or domain names of all installed Extensible SSO profiles must be unique.
  • Host and domain names are matched case-insensitively.
  • Hosts that begin with a “.” are wildcard suffixes and match all subdomains; otherwise, the host must be an exact match.
Supported devices: User Enrolled
Realm The full Kerberos realm where the user’s account is located.  
Disable automatic login If this setting is set to true, passwords are not allowed to be saved to the keychain.  
Identity Certificate The PayloadUUID of a PKINIT certificate.

Prerequisite: User certificate templates must be configured on Cloud Extender.

Allows certificate-based authentication for Extensible Single Sign-On with Kerberos. To use certificate-based authentication, select a user-level certificate template. If you do not select a certificate, MaaS360 uses credential-based authentication and users are prompted for their username and password.

 
Credential Bundle ID ACL A list of bundle IDs that are allowed to access the ticket-granting ticket (TGT).  
Help Text for User The text to be displayed to the user at the Kerberos login window. It can be used to display help information or disclaimer text. iOS 15 and later
Include Managed Apps Bundle ID ACL If this setting is set to true, the Kerberos extension allows only managed apps to access and use the credential. This option is applied in addition to the Credential Bundle ID ACL. iOS 14 and later
Is Default Realm Indicates that this realm is the default realm if there is more than one Kerberos extension configuration.  
Principal Name The principal (also known as the username) to use. Do not include the realm.  
Preferred KDCs The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this setting if the servers are not discoverable through DNS. If servers are specified, they are used for connectivity checks and are tried first for Kerberos traffic. If they do not respond, the device falls back to DNS discovery. Each entry is formatted as it would be in a krb5.conf file. Examples of entries are as follows.
  • adserver1.example.com
  • tcp/adserver1.example.com:88
  • kkdcp://kerberosproxy.example.com:443/kkdcp
 
Is User Authentication Required If this setting is set to true, it requires the user to provide Touch ID, Face ID, or their passcode to access the keychain entry.  
Site Code The name of the Active Directory site the Kerberos extension should use.  
Disable Auto Discovery If this setting is set to true, the Kerberos extension doesn't automatically use LDAP and DNS to determine its Active Directory (AD) site name.  
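The following Python is an added example, not MaaS360 or Apple code. It assembles the profile payload that the Kerberos settings in the table above produce and applies the checks an administrator would want before pushing it: the Realm is uppercase, the Principal Name carries no realm, and every Preferred KDC entry has one of the three krb5.conf-style shapes shown on this page. The top-level keys and the ExtensionData keys (allowAutomaticLogin, credentialBundleIdACL, includeManagedAppsInBundleIdACL, isDefaultRealm, requireUserPresence, useSiteAutoDiscovery, principalName, preferredKDCs, siteCode, helpText, pkinitCert) are the ones Apple documents for its built-in Kerberos SSO extension; the mapping from the MaaS360 setting names used as dict keys here to those keys, the placeholder PayloadIdentifier, the certificate UUID and the sample values are assumptions.

```python
"""Added example: assemble and sanity-check the Kerberos Extensible SSO payload.

Not MaaS360 code. The payload keys are those Apple documents for the built-in
Kerberos SSO extension; the mapping from the MaaS360 setting names used as
dict keys here to those payload keys is an assumption.
"""
import plistlib
import re
import uuid

# Apple's identifiers for the built-in Kerberos SSO extension.
KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"
KERBEROS_TEAM_ID = "apple"

# Preferred KDC entry shapes, following the three krb5.conf-style examples on
# this page: "host", "tcp/host:port" (or udp/), and "kkdcp://host:port/path".
_KDC_ENTRY = re.compile(
    r"^(?:(?:tcp|udp)/)?[A-Za-z0-9.-]+(?::\d{1,5})?$"
    r"|^kkdcp://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/\S*)?$"
)


def validate_kerberos_settings(s: dict) -> list[str]:
    """Return the problems found in a settings dict; [] means it is consistent."""
    problems = []
    # Realm is case-sensitive; Kerberos realms are conventionally uppercase.
    if s["realm"] != s["realm"].upper():
        problems.append(f"Realm {s['realm']!r} is not uppercase")
    if not s.get("hosts"):
        problems.append("Hosts must list at least one host or domain")
    for kdc in s.get("preferred_kdcs", []):
        if not _KDC_ENTRY.match(kdc):
            problems.append(f"Preferred KDC entry is not in krb5.conf form: {kdc!r}")
    # Principal Name must not carry the realm; the Realm setting supplies it.
    if "@" in s.get("principal_name", ""):
        problems.append("Principal Name must not include the realm")
    return problems


def build_kerberos_payload(s: dict) -> dict:
    """Map the settings to a com.apple.extensiblesso payload dictionary."""
    ext = {
        # "Disable automatic login" is the inverse of Apple's allowAutomaticLogin.
        "allowAutomaticLogin": not s.get("disable_automatic_login", False),
        "credentialBundleIdACL": list(s.get("credential_bundle_id_acl", [])),
        "includeManagedAppsInBundleIdACL": bool(s.get("include_managed_apps", False)),
        "isDefaultRealm": bool(s.get("is_default_realm", False)),
        # "Is User Authentication Required" maps to requireUserPresence.
        "requireUserPresence": bool(s.get("require_user_authentication", False)),
        # "Disable Auto Discovery" is the inverse of useSiteAutoDiscovery.
        "useSiteAutoDiscovery": not s.get("disable_auto_discovery", False),
    }
    optional = (
        ("principal_name", "principalName"),
        ("preferred_kdcs", "preferredKDCs"),
        ("site_code", "siteCode"),
        ("help_text", "helpText"),
        ("identity_certificate", "pkinitCert"),  # PayloadUUID of the PKINIT cert
    )
    for ui_key, plist_key in optional:
        if s.get(ui_key):
            ext[plist_key] = s[ui_key]
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kerberos",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kerberos Extensible SSO",
        "ExtensionIdentifier": KERBEROS_EXTENSION_ID,
        "TeamIdentifier": KERBEROS_TEAM_ID,
        "Type": "Credential",
        "Realm": s["realm"],
        "Hosts": list(s["hosts"]),
        "ExtensionData": ext,
    }


def plist_roundtrip(payload: dict) -> dict:
    """Serialize to an XML plist and parse it back (what the device receives)."""
    return plistlib.loads(plistlib.dumps(payload))


# Constructed sample settings; the certificate UUID is a placeholder.
SAMPLE_SETTINGS = {
    "realm": "CORP.EXAMPLE.COM",
    "hosts": [".corp.example.com"],
    "principal_name": "jdoe",
    "preferred_kdcs": [
        "tcp/adserver1.corp.example.com:88",
        "kkdcp://kerberosproxy.example.com:443/kkdcp",
    ],
    "credential_bundle_id_acl": ["com.example.intranet"],
    "include_managed_apps": True,
    "require_user_authentication": True,
    "disable_auto_discovery": True,
    "site_code": "HQ",
    "identity_certificate": "11111111-2222-3333-4444-555555555555",
}

if __name__ == "__main__":
    for problem in validate_kerberos_settings(SAMPLE_SETTINGS):
        print("problem:", problem)
    print(plistlib.dumps(build_kerberos_payload(SAMPLE_SETTINGS)).decode())
```

Running the block prints the XML plist, which can be diffed against the profile the MDM actually installs (visible under Settings > General > VPN & Device Management on the device) to confirm that the bundle ID ACL, user-presence requirement and auto-discovery setting arrived as intended.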

Redirect settings

The following table describes the Redirect settings.
Policy setting Description Supported devices
Extension Identifier The bundle identifier of the app extension that performs SSO for the specified URLs.  
URLs The URL prefixes of the identity providers for which the app extension performs SSO.
Note:
  • Each URL must begin with http:// or https://.
  • Scheme and hostname matching is not case-sensitive.
  • Query parameters and URL fragments are not allowed.
  • The URLs of all installed Extensible SSO payloads must be unique.
 
Denied Bundle Identifiers The bundle identifiers of apps that must not use the SSO provided by this extension. iOS 15 and later
Screen Locked Behavior If this setting is set to Cancel, the system cancels authentication requests while the screen is locked. If set to DoNotHandle, the request proceeds without SSO instead.
Note: This setting does not apply to requests where userInterfaceEnabled is set to false or to background NSURLSession requests.
Supported devices: iOS 15 and later
Extension Data Data that is passed through the app extension in the form of key-value pairs. For example, key1=value1; key2=value2.  
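The Hosts rules of the Credential and Kerberos tables and the URLs rules of the Redirect table above are easy to get wrong across several installed payloads (a case-variant duplicate, a wildcard in one payload that swallows a host of another). The following Python is an added example, not MaaS360 or Apple code, that implements those matching rules as this page states them and checks a set of payloads for conflicts. Two points go beyond the page and are marked as assumptions: the path part of a Redirect URL prefix is treated as a literal, case-sensitive prefix, and wildcard overlap between payloads is reported even though the page only requires names to be unique. The sample payloads are constructed.

```python
"""Added example: apply the Hosts and URLs matching rules from this page and
check a set of installed Extensible SSO payloads for conflicts. Not MaaS360
code; the sample payloads are constructed."""
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """Hosts rule: comparison is case-insensitive; a pattern beginning with "."
    is a wildcard suffix matching every subdomain (not the bare domain itself);
    any other pattern must match the host exactly."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def redirect_url_problems(url: str) -> list[str]:
    """Rule violations for a Redirect-type URL prefix; [] means acceptable."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in ("http", "https"):  # urlsplit lowercases the scheme
        problems.append("must begin with http:// or https://")
    if not parts.hostname:
        problems.append("missing hostname")
    if parts.query:
        problems.append("query parameters are not allowed")
    if parts.fragment:
        problems.append("URL fragments are not allowed")
    return problems


def url_matches(prefix: str, url: str) -> bool:
    """URLs rule: scheme and host compare case-insensitively; the path is then
    treated as a literal, case-sensitive prefix (assumed, not stated on the page)."""
    p, u = urlsplit(prefix), urlsplit(url)
    if p.scheme != u.scheme or p.netloc.lower() != u.netloc.lower():
        return False
    return u.path.startswith(p.path)


def find_duplicates(payloads: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Entries (hosts or URLs) that appear in more than one installed payload,
    compared case-insensitively to mirror the matching rule.
    Returns (entry, first_payload, other_payload) tuples."""
    first_seen: dict[str, str] = {}
    dups = []
    for name, entries in payloads.items():
        for entry in entries:
            key = entry.lower()
            if key in first_seen and first_seen[key] != name:
                dups.append((entry, first_seen[key], name))
            first_seen.setdefault(key, name)
    return dups


def find_overlaps(payloads: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """A wildcard host in one payload that also matches a host listed in another.
    The page only requires names to be unique; overlap is reported as well
    (an assumption of this example) because which extension would handle such
    a host is then ambiguous. Returns (wildcard, its_payload, host, host_payload)."""
    overlaps = []
    for a, hosts_a in payloads.items():
        for pat in hosts_a:
            if not pat.startswith("."):
                continue
            for b, hosts_b in payloads.items():
                if b == a:
                    continue
                overlaps.extend((pat, a, h, b) for h in hosts_b if host_matches(pat, h))
    return overlaps


# Constructed sample: two payloads as an admin might have configured them.
SAMPLE_HOST_PAYLOADS = {
    "IdP-Credential": [".corp.example.com", "sso.example.com"],
    "Kerberos-AD": ["SSO.EXAMPLE.COM", "kdc.corp.example.com"],
}

if __name__ == "__main__":
    print("duplicates:", find_duplicates(SAMPLE_HOST_PAYLOADS))
    print("overlaps:", find_overlaps(SAMPLE_HOST_PAYLOADS))
    print("url problems:", redirect_url_problems("https://login.example.com/oauth2?client_id=abc"))
```

On the sample, the duplicate is the case variant of sso.example.com in both payloads, and the overlap is kdc.corp.example.com in the Kerberos payload being covered by the .corp.example.com wildcard in the Credential payload; both should be resolved before the profiles are pushed.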

Extensible SSO Conditional Access

The Extensible SSO Conditional Access settings use the IBM Security Verify service to authenticate users and grant access to apps on managed devices. Enable the IBM Security Verify service before you configure the Verify Conditional Extensible SSO type.

The following table describes the Extensible SSO Conditional Access settings.
Policy setting Description Supported devices
Allowlist Safari Allows admins to enable SSO for the Safari browser. User Enrolled; iOS 13 and later
Allowlist Native Mail Allows admins to enable SSO for the native Mail app. User Enrolled; iOS 13 and later
Allowlist MaaS360 Browser Allows admins to enable SSO for the MaaS360® Browser. This setting is available only when MaaS360 Browser is configured. User Enrolled; iOS 13 and later
Name of the Applications that SSO should apply to The names of the applications that SSO must apply to. User Enrolled