---
title: ExtensibleSingleSignOn
framework: devicemanagement
role: symbol
role_heading: Device Management Profile
path: devicemanagement/extensiblesinglesignon
---

# ExtensibleSingleSignOn

The payload that configures an app extension that performs single sign-on (SSO).

## Declaration

```data
object ExtensibleSingleSignOn
```

## Properties

- AuthenticationMethod: The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. Available: macOS 13+. Deprecated: macOS 14+.
- DeniedBundleIdentifiers: An array of bundle identifiers of apps that don’t use SSO provided by this extension. Available: iOS 15+ | iPadOS 15+ | macOS 12+ | visionOS 1.1+.
- ExtensionData: A dictionary of arbitrary data passed through to the app extension.
- ExtensionIdentifier: The bundle identifier of the app extension that performs SSO for the specified URLs.
- Hosts: An array of host or domain names that apps can authenticate through the app extension. Required for Credential payloads. Ignored for Redirect payloads. The system:
  - Matches host or domain names case-insensitively
  - Requires that all the host and domain names of all installed Extensible SSO payloads are unique

  Note: Host names that begin with a “.” are wildcard suffixes that match all subdomains; otherwise the host name needs to be an exact match.
- PlatformSSO: The dictionary to configure Platform SSO. Requires Type to be set to Redirect. Available: macOS 14+.
- Realm: The realm name for Credential payloads. Use proper capitalization for this value. Ignored for Redirect payloads.
- RegistrationToken: The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that AuthenticationMethod in PlatformSSO isn’t empty. Available: macOS 13+.
- ScreenLockedBehavior: If set to Cancel, the system cancels authentication requests when the screen is locked. If set to DoNotHandle, the request continues without SSO instead. This doesn’t apply to requests where userInterfaceEnabled is false, or for background URLSession requests. Available: iOS 15+ | iPadOS 15+ | macOS 12+ | visionOS 1.1+.
- TeamIdentifier: The team identifier of the app extension. This key is required on macOS and ignored elsewhere. Available: macOS 10.15+.
- Type: The type of SSO.
- URLs: An array of URL prefixes of identity providers where the app extension performs SSO. Required for Redirect payloads. Ignored for Credential payloads. The URLs need to begin with http:// or https://. The system:
  - Matches scheme and host name case-insensitively
  - Doesn’t allow query parameters and URL fragments
  - Requires that the URLs of all installed Extensible SSO payloads are unique
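The Hosts, URLs, Type and TeamIdentifier rules above can be checked before a profile is deployed. The following Python linter is an added example, not Apple's code; the function names and sample payloads are constructed, and uniqueness is checked only across the payloads passed in, by case-insensitive comparison.

```python
from urllib.parse import urlsplit

def host_matches(pattern: str, host: str) -> bool:
    """Leading "." is a wildcard suffix for subdomains; otherwise exact. Case-insensitive."""
    pattern, host = pattern.lower(), host.lower()
    return host.endswith(pattern) if pattern.startswith(".") else host == pattern

def lint_payloads(payloads: list, macos: bool = True) -> list:
    """Check com.apple.extensiblesso payload dicts against the rules stated on this page."""
    findings, seen_hosts, seen_urls = [], set(), set()
    for p in payloads:
        if p.get("PayloadType") != "com.apple.extensiblesso":
            continue
        pid, kind = p.get("PayloadIdentifier", "?"), p.get("Type")
        if macos and not p.get("TeamIdentifier"):
            findings.append(f"{pid}: TeamIdentifier is required on macOS")
        if "PlatformSSO" in p and kind != "Redirect":
            findings.append(f"{pid}: PlatformSSO requires Type Redirect")
        need = {"Credential": "Hosts", "Redirect": "URLs"}.get(kind)
        if need and not p.get(need):
            findings.append(f"{pid}: {need} is required for {kind} payloads")
        for h in (p.get("Hosts", []) if kind == "Credential" else []):
            if h.lower() in seen_hosts:  # hosts must be unique across payloads
                findings.append(f"{pid}: host {h} duplicates another payload")
            seen_hosts.add(h.lower())
        for u in (p.get("URLs", []) if kind == "Redirect" else []):
            parts = urlsplit(u)
            if parts.scheme.lower() not in ("http", "https"):
                findings.append(f"{pid}: URL {u} must begin with http:// or https://")
            if "?" in u or "#" in u:
                findings.append(f"{pid}: URL {u} has a query or fragment")
            key = (parts.scheme.lower(), parts.netloc.lower(), parts.path)
            if key in seen_urls:  # scheme and host compare case-insensitively
                findings.append(f"{pid}: URL {u} duplicates another payload")
            seen_urls.add(key)
    return findings

# Constructed sample payloads (hypothetical identifiers), not from the page.
SAMPLE = [
    {"PayloadType": "com.apple.extensiblesso", "PayloadIdentifier": "sso.a",
     "Type": "Credential", "TeamIdentifier": "TEAMID0000", "Hosts": [".corp.example.com"]},
    {"PayloadType": "com.apple.extensiblesso", "PayloadIdentifier": "sso.b",
     "Type": "Credential", "Hosts": [".CORP.example.com"]},
    {"PayloadType": "com.apple.extensiblesso", "PayloadIdentifier": "sso.c",
     "Type": "Redirect", "TeamIdentifier": "TEAMID0000", "URLs": ["https://idp.example.com/login?next=1"]},
]

if __name__ == "__main__":
    print(*lint_payloads(SAMPLE), sep="\n")
```

To lint a real profile, pass `plistlib.load(f)["PayloadContent"]` for a profile opened in binary mode as `f`.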

## Mentioned in

- Implementing Platform SSO during device enrollment
- Implementing Platform SSO for unattended device enrollment

## Discussion

Specify com.apple.extensiblesso as the payload type. The system supports user channel installation in macOS 11 and later.

### Profile example

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ExtensionData</key>
            <dict>
                <key>useSiteAutoDiscovery</key>
                <true/>
            </dict>
            <key>ExtensionIdentifier</key>
            <string>com.example.com</string>
            <key>TeamIdentifier</key>
            <string>RandomTeamID</string>
            <key>Hosts</key>
            <array>
                <string>.com.example.com</string>
            </array>
            <key>Realm</key>
            <string>COM.URL.COM</string>
            <key>Type</key>
            <string>Credential</string>
            <key>PayloadIdentifier</key>
            <string>com.example.myessopayload</string>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadUUID</key>
            <string>dbed949d-39a2-440d-a84b-e0c825cdcb2e</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Extensible SSO</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>da3bbbec-a753-4aa7-aeae-a74b7a65c0b5</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```

## Topics

### Objects

- [ExtensibleSingleSignOn.ExtensionData](devicemanagement/extensiblesinglesignon/extensiondata-data.dictionary.md)
- [ExtensibleSingleSignOn.PlatformSSO](devicemanagement/extensiblesinglesignon/platformsso-data.dictionary.md)

## See Also

### Authentication

- [DirectoryService](devicemanagement/directoryservice.md)
- [ExtensibleSingleSignOnKerberos](devicemanagement/extensiblesinglesignonkerberos.md)
- [Identification](devicemanagement/identification.md)
- [IdentityPreference](devicemanagement/identitypreference.md)
- [SingleSignOn](devicemanagement/singlesignon.md)
