---
title: ExtensibleSSO
framework: devicemanagement
role: symbol
role_heading: Object
path: devicemanagement/extensiblesso
---

# ExtensibleSSO

The declaration to configure Extensible Single Sign-On.

## Declaration

```data
object ExtensibleSSO
```

## Properties

- DeniedBundleIdentifiers: An array of bundle identifiers of apps that don’t use SSO provided by this extension.
- ExtensionComposedIdentifier: The identifier of the provider to use for this configuration. Useful for apps that contain more than one DNS proxy extension. In iOS and visionOS, the identifier is a bundle ID, for example, “com.example.app.sso-extension”. In macOS, the identifier is a composed identifier. The format of the composed identifier is “Bundle-ID (Team-ID)”. “Bundle-ID” is the bundle identifier string of the app extension. “Team-ID” is the team identifier from the app extension’s code signature. For example, “com.example.app.sso-extension (ABCD1234)”.
- ExtensionData: A dictionary of arbitrary data passed through to the app extension.
- Hosts: An array of host or domain names that apps can authenticate through the app extension. Required for Credential payloads. Ignored for Redirect payloads. The system:
  - Matches host or domain names case-insensitively
  - Requires that all the host and domain names of all installed Extensible SSO payloads are unique

  Note: Host names that begin with a “.” are wildcard suffixes that match all subdomains; otherwise the host name needs to be an exact match.
- PlatformSSO: The dictionary to configure Platform SSO. Available: macOS 27+
- Realm: The realm name for Credential payloads. Use proper capitalization for this value. Ignored for Redirect payloads.
- ScreenLockedBehavior: If set to Cancel, the system cancels authentication requests when the screen is locked. If set to DoNotHandle, the request continues without SSO instead. This doesn’t apply to requests where userInterfaceEnabled is false, or for background URLSession requests.
- Type: The type of SSO.
- URLs: An array of URL prefixes of identity providers where the app extension performs SSO. Required for Redirect payloads. Ignored for Credential payloads. The URLs need to begin with http:// or https://. The system:
  - Matches scheme and host name case-insensitively
  - Doesn’t allow query parameters and URL fragments
  - Requires that the URLs of all installed Extensible SSO payloads are unique

## Discussion

Specify com.apple.configuration.extensible-sso as the declaration type.
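The Hosts and URLs rules listed under Properties can be checked before a set of payloads is deployed. The following pre-deployment lint is an added example, not code from Apple's documentation; it assumes each payload is already parsed into a dictionary, that Type is either Credential or Redirect, and that a leading “.” matches subdomains but not the bare domain. The function names and sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit

def host_matches(pattern: str, host: str) -> bool:
    """Hosts rule: case-insensitive; a leading "." matches subdomains only (assumed)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) and len(host) > len(pattern)
    return host == pattern

def url_key(url: str) -> str:
    """Key for uniqueness: scheme and host lowercased, path kept as written."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"

def lint(payloads: list) -> list:
    """Return findings for ExtensibleSSO payload dictionaries installed together."""
    findings, seen = [], {}
    for i, p in enumerate(payloads):
        kind = p.get("Type")
        if kind not in ("Credential", "Redirect"):
            findings.append(f"payload {i}: unexpected Type {kind!r}")
            continue
        field = "Hosts" if kind == "Credential" else "URLs"
        if not p.get(field):
            findings.append(f"payload {i}: {field} is required for {kind} payloads")
        for value in p.get(field, []):
            if field == "URLs":
                if not value.lower().startswith(("http://", "https://")):
                    findings.append(f"payload {i}: {value!r} needs http:// or https://")
                if "?" in value or "#" in value:
                    findings.append(f"payload {i}: {value!r} has a query or fragment")
                key = ("URLs", url_key(value))
            else:
                key = ("Hosts", value.lower())
            if key in seen:
                findings.append(f"payload {i}: {value!r} duplicates payload {seen[key]}")
            seen.setdefault(key, i)
    return findings

# Constructed sample payloads (not from Apple's documentation).
SAMPLE = [
    {"Type": "Credential", "Realm": "EXAMPLE.COM", "Hosts": [".example.com", "kdc.example.net"]},
    {"Type": "Credential", "Realm": "EXAMPLE.NET", "Hosts": ["KDC.example.net"]},
    {"Type": "Redirect", "URLs": ["https://idp.example.com/login?next=1", "HTTPS://IDP.example.org/sso"]},
    {"Type": "Redirect", "URLs": ["ftp://idp.example.com/", "https://idp.example.org/sso"]},
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Running it on the sample reports the case-variant duplicate host, the URL with a query string, the non-HTTP scheme, and the duplicate URL that differs only in case.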

## Topics

### Objects

- [ExtensibleSSOExtensionDataObject](devicemanagement/extensiblessoextensiondataobject.md)
- [ExtensibleSSOPlatformSSOObject](devicemanagement/extensiblessoplatformssoobject.md)

## See Also

### Configurations

- [AccountCalDAV](devicemanagement/accountcaldav.md)
- [AccountCardDAV](devicemanagement/accountcarddav.md)
- [AccountExchange](devicemanagement/accountexchange.md)
- [AccountGoogle](devicemanagement/accountgoogle.md)
- [AccountLDAP](devicemanagement/accountldap.md)
- [AccountMail](devicemanagement/accountmail.md)
- [AccountSubscribedCalendar](devicemanagement/accountsubscribedcalendar.md)
- [AppManaged](devicemanagement/appmanaged.md)
- [AppSettings](devicemanagement/appsettings.md)
- [AudioAccessorySettings](devicemanagement/audioaccessorysettings.md)
- [ContentCaching](devicemanagement/contentcaching.md)
- [DiskManagementSettings](devicemanagement/diskmanagementsettings.md)
- [ExternalIntelligenceSettings](devicemanagement/externalintelligencesettings.md)
- [IntelligenceSettings](devicemanagement/intelligencesettings.md)
- [KeyboardSettings](devicemanagement/keyboardsettings.md)
