    Microsoft’s Platform SSO integration with Scalefusion
    • 06 Sep 2024
    • 5 Minutes to read

    Article summary

    Platform Single Sign-On (SSO) enables users to authenticate once and access multiple applications without re-entering their credentials. This guide outlines the process to deploy a configuration profile for enabling Platform SSO on macOS. It provides a step-by-step walkthrough to configure Microsoft’s Platform SSO for macOS devices using a plist (property list) payload.

    Prerequisites

    Before deploying the configuration, ensure the following prerequisites are met:

    1. Operating System: Devices must be running macOS 13.0 or newer.

    2. Intune Company Portal: Microsoft Intune Company Portal app version 5.2404.0 or newer is required. This version includes Platform SSO.

    3. Supported Web Browsers:

      1. Microsoft Edge

      2. Google Chrome with the Microsoft Single Sign On extension. You can deploy this extension using the Chrome Enterprise policy ExtensionInstallForcelist in the settings catalog.

      3. Safari

    Note:

    For instructions on how to install the Intune Company Portal app on the Mac device(s), please refer to our guide here.

    Steps to upload plist

    1. Copy the contents below and add them under Custom Settings in the Device Profile, or click here to download the file and import it into the Device Profile.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
    "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>ExtensionIdentifier</key>
                <string>com.microsoft.CompanyPortalMac.ssoextension</string>
                <key>PayloadDisplayName</key>
                <string>Single Sign-On Extensions #1</string>
                <key>PayloadIdentifier</key>
                <string>com.apple.extensiblesso.DEDC838C-CF1D-4358-8BC7-3A9ECE796E65</string>
                <key>PayloadType</key>
                <string>com.apple.extensiblesso</string>
                <key>PayloadUUID</key>
                <string>A791160E-ED7D-4F35-93E9-297001C444AB</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PlatformSSO</key>
                <dict>
                    <key>AuthenticationMethod</key>
                    <string>Password</string>
                    <key>UseSharedDeviceKeys</key>
                    <true/>
                    <key>AccountDisplayName</key>
                    <string>OrgName</string>
                    <key>EnableCreateUserAtLogin</key>
                    <true/>
                    <key>EnableAuthorization</key>
                    <true/>
                    <key>TokenToUserMapping</key>
                    <dict>
                        <key>AccountName</key>
                        <string>preferred_username</string>
                        <key>FullName</key>
                        <string>name</string>
                    </dict>
                    <key>LoginFrequency</key>
                    <integer>64800</integer>
                    <key>NewUserAuthorizationMode</key>
                    <string>Standard</string>
                    <key>UserAuthorizationMode</key>
                    <string>Standard</string>
                </dict>
                <key>RegistrationToken</key>
                <string></string>
                <key>ScreenLockedBehavior</key>
                <string>DoNotHandle</string>
                <key>TeamIdentifier</key>
                <string>UBF8T346G9</string>
                <key>Type</key>
                <string>Redirect</string>
                <key>URLs</key>
                <array>
                    <string>https://login.microsoftonline.com</string>
                    <string>https://login.microsoft.com</string>
                    <string>https://sts.windows.net</string>
                    <string>https://login.partner.microsoftonline.cn</string>
                    <string>https://login.chinacloudapi.cn</string>
                    <string>https://login.microsoftonline.us</string>
                    <string>https://login-us.microsoftonline.com</string>
                </array>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Configures Platform SSO</string>
        <key>PayloadDisplayName</key>
        <string>MS-PlatformSSO</string>
        <key>PayloadIdentifier</key>
        <string>com.promobitech.scalefusion.2463332C-3D3F-45BB-BCE7-529D8EB2EE02</string>
        <key>PayloadOrganization</key>
        <string>Scalefusion</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>5944623F-1018-4D6E-A639-8DF81A26A889</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>

    Key Elements of the Configuration

    Platform SSO Configuration

    1. AuthenticationMethod: This key inside the PlatformSSO dictionary applies to macOS 14 and newer devices. There are three possible values: Password, UserSecureEnclave and SmartCard. Set the value to “Password” if you want to keep the remote password in sync with the local password.

    2. UseSharedDeviceKeys: Indicates whether the extension uses shared device keys; set to true.

    3. AccountDisplayName: The display name for the account, set to OrgName here. Replace it with your organization’s name; this name is shown to users in alerts.

    4. EnableCreateUserAtLogin: Indicates whether to enable user creation at login, set to true. This creates a new user account if a local account with the same name is not found.

    5. EnableAuthorization: Indicates whether authorization is enabled, set to true.

    6. TokenToUserMapping: Defines the token to user mapping settings:

      1. AccountName: Maps to preferred_username.

      2. FullName: Maps to name.

    7. LoginFrequency: Specifies the login frequency in seconds, i.e. how long a login stays valid before the user must authenticate again; set to 64800 (18 hours).

    8. NewUserAuthorizationMode: Specifies the authorization mode for new users, set to Standard.

    9. UserAuthorizationMode: Specifies the authorization mode for existing users, set to Standard. Note that this converts existing account types: if a local account is an admin account and this value is set to Standard, that account will be converted to a standard account.

    Additional Configuration

    1. AuthenticationMethod: This top-level key applies only to macOS 13 devices. There are two possible values: Password and UserSecureEnclave. Set the value to “Password” if you want to keep the remote password in sync with the local password.

    2. ExtensionIdentifier: The unique identifier for the SSO extension, set to com.microsoft.CompanyPortalMac.ssoextension.

    3. RegistrationToken: Reserved for registration token, currently empty.

    4. ScreenLockedBehavior: Specifies the behavior when the screen is locked, set to DoNotHandle.

    5. TeamIdentifier: The team identifier for the organization, set to UBF8T346G9.

    6. Type: The type of SSO, set to Redirect.

    7. URLs: Lists the Microsoft identity provider URLs that the SSO extension handles:

      1. https://login.microsoftonline.com

      2. https://login.microsoft.com

      3. https://sts.windows.net

      4. https://login.partner.microsoftonline.cn

      5. https://login.chinacloudapi.cn

      6. https://login.microsoftonline.us

      7. https://login-us.microsoftonline.com
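    The notes below recommend validating the payload on a test machine; a cheap check before that is to lint the profile for the mistakes most likely to creep in when it is edited by hand. The following Python script is an added example, not part of the Scalefusion article: it parses a profile with the standard-library plistlib and checks the structure, the extension and team identifiers from the payload above, the UUIDs, the URL scheme, the AuthenticationMethod values and the LoginFrequency. The 3600-second LoginFrequency floor is a policy assumption for this example, and the embedded sample profile is constructed with fresh UUIDs.

```python
import plistlib
import uuid

EXPECTED_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"  # from the payload above
EXPECTED_TEAM = "UBF8T346G9"
ALLOWED_AUTH = {"Password", "UserSecureEnclave", "SmartCard"}
MIN_LOGIN_FREQUENCY = 3600  # assumed policy floor for this check, not an Apple constant

# Constructed sample with the same shape as the page's payload (fresh UUIDs, two of the URLs).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
    "PayloadContent": [{
        "PayloadType": "com.apple.extensiblesso", "PayloadUUID": str(uuid.uuid4()),
        "AuthenticationMethod": "Password",  # macOS 13 key; macOS 14+ reads PlatformSSO
        "ExtensionIdentifier": EXPECTED_EXTENSION, "TeamIdentifier": EXPECTED_TEAM,
        "Type": "Redirect", "RegistrationToken": "",
        "URLs": ["https://login.microsoftonline.com", "https://sts.windows.net"],
        "PlatformSSO": {"AuthenticationMethod": "Password", "LoginFrequency": 64800,
                        "UseSharedDeviceKeys": True, "UserAuthorizationMode": "Standard"},
    }],
})

def _is_uuid(value) -> bool:
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def validate_platform_sso(data: bytes) -> list:
    # Returns a list of findings; an empty list means the profile passed every check.
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # not XML, truncated, or not a plist at all
        return [f"unparseable plist: {exc}"]
    sso = [p for p in root.get("PayloadContent", [])
           if p.get("PayloadType") == "com.apple.extensiblesso"]
    if root.get("PayloadType") != "Configuration" or len(sso) != 1:
        return ["expected a Configuration profile with exactly one extensiblesso payload"]
    p, pso = sso[0], sso[0].get("PlatformSSO", {})
    freq = pso.get("LoginFrequency")
    checks = [
        (_is_uuid(root.get("PayloadUUID")) and _is_uuid(p.get("PayloadUUID"))
         and root["PayloadUUID"] != p["PayloadUUID"], "PayloadUUIDs must be valid and distinct"),
        (p.get("ExtensionIdentifier") == EXPECTED_EXTENSION, "ExtensionIdentifier is not the Company Portal SSO extension"),
        (p.get("TeamIdentifier") == EXPECTED_TEAM, "TeamIdentifier does not match the extension's team ID"),
        (all(u.startswith("https://") for u in p.get("URLs", [])), "every identity provider URL must use https"),
        (pso.get("AuthenticationMethod") in ALLOWED_AUTH, "PlatformSSO.AuthenticationMethod must be Password, UserSecureEnclave or SmartCard"),
        (isinstance(freq, int) and freq >= MIN_LOGIN_FREQUENCY, f"LoginFrequency must be an integer of at least {MIN_LOGIN_FREQUENCY} seconds"),
    ]
    return [msg for ok, msg in checks if not ok]
```

    Run it against the downloaded profile with `validate_platform_sso(open("profile.mobileconfig", "rb").read())`; an empty list means it is ready for the test machine.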

    By following these steps, you will enable Microsoft’s Platform SSO on macOS devices using Scalefusion, allowing for a seamless and secure authentication experience for users.

    Follow our guide on how to add the Custom Payload in the Device Profile & deploy it to devices.

    Note:

    1. The Payload and its contents are sourced from various, albeit authenticated, Apple Developer communities and forums.

    2. Please validate them on a test machine before deploying them on all your managed devices.

    3. Scalefusion has tested these Payloads. However, Scalefusion will not be responsible for any loss of data or system malfunction that may arise due to the incorrect usage of these payloads.

