
ExtensibleSingleSignOn

The payload that configures an app extension that performs single sign-on (SSO).

Declaration

object ExtensibleSingleSignOn

Properties

Each entry gives the key name and its type; keys marked required must be present.

AuthenticationMethod (string)

The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. Available in macOS 13 and later, and deprecated in macOS 14.

DeniedBundleIdentifiers ([string])

An array of bundle identifiers of apps that don’t use SSO provided by this extension. Available in iOS 15 and later, and macOS 12 and later.

ExtensionData (ExtensibleSingleSignOn.ExtensionData)

A dictionary of arbitrary data passed through to the app extension.

ExtensionIdentifier (string, required)

The bundle identifier of the app extension that performs SSO for the specified URLs.

Hosts ([string])

An array of host or domain names that apps can authenticate through the app extension.

Required for Credential payloads. Ignored for Redirect payloads.

The system:

  • Matches host or domain names case-insensitively

  • Requires that all the host and domain names of all installed Extensible SSO payloads are unique

PlatformSSO (ExtensibleSingleSignOn.PlatformSSO)

The dictionary that configures Platform SSO. Requires Type to be set to Redirect.

Realm (string)

The realm name for Credential payloads. Use proper capitalization for this value. Ignored for Redirect payloads.

RegistrationToken (string)

The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that AuthenticationMethod in PlatformSSO isn’t empty. Available in macOS 13 and later.

ScreenLockedBehavior (string)

If set to Cancel, the system cancels authentication requests when the screen is locked. If set to DoNotHandle, the request continues without SSO instead. This doesn’t apply to requests where userInterfaceEnabled is false, or for background URLSession requests. Available in iOS 15 and later, and macOS 12 and later.

TeamIdentifier (string)

The team identifier of the app extension. This key is required on macOS and ignored elsewhere.

Type (string, required)

The type of SSO: Credential or Redirect. The value determines which of Hosts, Realm, and URLs the system reads and which it ignores.

URLs ([string])

An array of URL prefixes of identity providers where the app extension performs SSO.

Required for Redirect payloads. Ignored for Credential payloads.

The URLs need to begin with http:// or https://.

The system:

  • Matches scheme and host name case-insensitively

  • Doesn’t allow query parameters and URL fragments

  • Requires that the URLs of all installed Extensible SSO payloads are unique
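The Type-dependent required and ignored keys, the http:// or https:// prefix rule, the ban on query strings and fragments, and the case-insensitive uniqueness of Hosts and URLs across every installed Extensible SSO payload are easy to violate when profiles come out of an MDM template. The following linter is an added example, not Apple's code and not something from this page; its function names are its own, and the sample profile it checks is constructed here (the first payload mirrors the Credential payload in this page's profile example, the other two are made up to trigger findings).

```python
"""Lint com.apple.extensiblesso payloads against the key rules above (added example, not Apple's code)."""
import plistlib
from urllib.parse import urlsplit

PAYLOAD_TYPE = "com.apple.extensiblesso"


def url_problems(url):
    """Rules for one URLs entry: http or https scheme, no query, no fragment."""
    parts, out = urlsplit(url), []
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        out.append(f"URL must begin with http:// or https://: {url}")
    if parts.query or parts.fragment:
        out.append(f"URL must not carry a query or fragment: {url}")
    return out


def lint_payload(p, platform="macOS"):
    """Problems in one Extensible SSO payload dict; an empty list means clean."""
    problems, sso_type = [], p.get("Type")
    if not p.get("ExtensionIdentifier"):
        problems.append("ExtensionIdentifier is required")
    if platform == "macOS" and not p.get("TeamIdentifier"):
        problems.append("TeamIdentifier is required on macOS")
    if sso_type == "Credential":
        if not p.get("Hosts"):
            problems.append("Hosts is required for Credential payloads")
        if "URLs" in p:
            problems.append("URLs is ignored for Credential payloads")
    elif sso_type == "Redirect":
        if not p.get("URLs"):
            problems.append("URLs is required for Redirect payloads")
        for url in p.get("URLs", []):
            problems.extend(url_problems(url))
        for ignored in ("Hosts", "Realm"):
            if ignored in p:
                problems.append(f"{ignored} is ignored for Redirect payloads")
    else:
        problems.append(f"Type must be Credential or Redirect, got {sso_type!r}")
    if "PlatformSSO" in p and sso_type != "Redirect":
        problems.append("PlatformSSO requires Type to be Redirect")
    if "RegistrationToken" in p and not p.get("PlatformSSO", {}).get("AuthenticationMethod"):
        problems.append("RegistrationToken requires a non-empty PlatformSSO.AuthenticationMethod")
    if p.get("ScreenLockedBehavior", "Cancel") not in ("Cancel", "DoNotHandle"):
        problems.append("ScreenLockedBehavior must be Cancel or DoNotHandle")
    return problems


def claims(p):
    """Hosts or URLs a payload claims, normalised the way the system matches them."""
    if p.get("Type") == "Credential":
        return [("host", h.lower()) for h in p.get("Hosts", [])]
    out = []
    for u in p.get("URLs", []) if p.get("Type") == "Redirect" else []:
        s = urlsplit(u)  # scheme and host compare case-insensitively; the path does not
        out.append(("url", s._replace(scheme=s.scheme.lower(), netloc=s.netloc.lower()).geturl()))
    return out


def find_collisions(payloads):
    """Hosts or URLs claimed by more than one payload, as (name, first owner, second owner)."""
    owner, collisions = {}, []
    for p in payloads:
        ident = p.get("PayloadIdentifier", "<no PayloadIdentifier>")
        for claim in claims(p):
            if claim in owner and owner[claim] != ident:
                collisions.append((claim[1], owner[claim], ident))
            owner.setdefault(claim, ident)
    return collisions


def lint_profile(plist_bytes, platform="macOS"):
    """Lint every com.apple.extensiblesso payload in a profile: (per-payload report, collisions)."""
    profile = plistlib.loads(plist_bytes)
    payloads = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == PAYLOAD_TYPE]
    return {p.get("PayloadIdentifier"): lint_payload(p, platform) for p in payloads}, find_collisions(payloads)


# Constructed sample profile: the Credential payload from this page's example, plus two made-up ones.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "com.example.myprofile",
    "PayloadContent": [
        {"PayloadType": PAYLOAD_TYPE, "PayloadIdentifier": "com.example.myessopayload",
         "ExtensionIdentifier": "com.example.com", "TeamIdentifier": "RandomTeamID",
         "Type": "Credential", "Hosts": [".com.example.com"], "Realm": "COM.URL.COM"},
        # made up: a query string in one URL, and no TeamIdentifier
        {"PayloadType": PAYLOAD_TYPE, "PayloadIdentifier": "com.example.redirect",
         "ExtensionIdentifier": "com.example.redirect-ext", "Type": "Redirect",
         "URLs": ["https://login.example.com/oauth2?client_id=1", "https://idp.example.com/"]},
        # made up: re-claims the first payload's host in a different case
        {"PayloadType": PAYLOAD_TYPE, "PayloadIdentifier": "com.example.duplicate",
         "ExtensionIdentifier": "com.example.other", "TeamIdentifier": "RandomTeamID",
         "Type": "Credential", "Hosts": [".COM.EXAMPLE.COM"]},
    ],
})

if __name__ == "__main__":
    print(lint_profile(SAMPLE_PROFILE))
```

Run it against an exported .mobileconfig by passing the file's bytes to lint_profile. The collision check only sees the payloads inside one profile; since the system requires uniqueness across all installed Extensible SSO payloads, feed it the PayloadContent of every profile you push to the same device class before deployment rather than one profile at a time.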


Discussion

Specify com.apple.extensiblesso as the payload type.

The system supports user channel installation in macOS 11 and later.

Profile availability

Device channel

iOS, macOS, visionOS

User channel

macOS, Shared iPad

Allow manual install

NA

Requires supervision

NA

Requires user-approved MDM

macOS

Allowed in user enrollment

iOS, macOS, visionOS

Allow multiple payloads

iOS, macOS, Shared iPad, visionOS

Profile example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>ExtensionData</key>
            <dict>
                <key>useSiteAutoDiscovery</key>
                <true/>
            </dict>
            <key>ExtensionIdentifier</key>
            <string>com.example.com</string>
            <key>TeamIdentifier</key>
            <string>RandomTeamID</string>
            <key>Hosts</key>
            <array>
                <string>.com.example.com</string>
            </array>
            <key>Realm</key>
            <string>COM.URL.COM</string>
            <key>Type</key>
            <string>Credential</string>
            <key>PayloadIdentifier</key>
            <string>com.example.myessopayload</string>
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadUUID</key>
            <string>dbed949d-39a2-440d-a84b-e0c825cdcb2e</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Extensible SSO</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>da3bbbec-a753-4aa7-aeae-a74b7a65c0b5</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
