Platform SSO (PSSO) Extension (macOS only)
- Updated on 07 Jan 2026
Introduction
The Platform SSO (PSSO) Extension allows administrators to configure system-level Single Sign-On, enabling:
User authentication at the macOS platform level.
Consistent identity usage across system services and apps.
Improved login experience for enterprise-managed Macs.
Please note that the Platform SSO (PSSO) Extension is available only on macOS.
Creating the configuration
Provide a name for the configuration.

Remove this configuration when relaxing the policies on the device: When this option is enabled, the configuration is automatically removed when policies are relaxed or the device is unlocked via the dashboard. When the device is deleted, all associated configurations and data are cleared from the device.
Extension Details
Extension Identifier: This field specifies the bundle identifier of the app extension that performs Single Sign-On for the configured URLs. It tells macOS which app extension should handle SSO requests.
Team Identifier: This field specifies the team identifier of the app extension. It is used along with the extension identifier to uniquely identify the SSO extension.
URLs: This field allows you to add an array of URL prefixes where the Platform SSO extension should perform authentication. Things to note:
URLs must begin with http:// or https://
Query parameters are not allowed.
URL fragments are not allowed.
Each URL must be unique across all Platform SSO profiles installed on the device.
Use Add to include multiple URLs.
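The four URL rules above can be checked before a profile is pushed. The following validator is an added example, not code from the page or from the MDM product; the sample URLs and the list of URLs already claimed by another profile are constructed, and uniqueness is compared as an exact string match (an assumption).

```python
from urllib.parse import urlsplit

# Constructed sample: URL prefixes already claimed by another Platform SSO
# profile on the same device (uniqueness must hold across all profiles).
EXISTING_PROFILE_URLS = ["https://login.example.com/"]


def check_psso_url(url, already_claimed=()):
    """Return the problems with one Platform SSO URL prefix (empty list if valid)."""
    problems = []
    parts = urlsplit(url)
    # Rule 1: the prefix must literally begin with http:// or https://
    if not url.startswith(("http://", "https://")):
        problems.append("must begin with http:// or https://")
    elif not parts.netloc:
        problems.append("must include a host")
    # Rule 2: no query string (anything after '?')
    if parts.query:
        problems.append("query parameters are not allowed")
    # Rule 3: no fragment (anything after '#')
    if parts.fragment:
        problems.append("URL fragments are not allowed")
    # Rule 4: unique across every Platform SSO profile installed on the device
    if url in already_claimed:
        problems.append("already used by another Platform SSO profile on the device")
    return problems


def validate_psso_urls(urls, existing_profile_urls=()):
    """Validate the whole URLs array; returns {url: [problems]} for bad entries only."""
    report = {}
    seen = set()
    for url in urls:
        problems = check_psso_url(url, existing_profile_urls)
        if url in seen:  # repeated inside this same profile
            problems.append("duplicated within this profile")
        seen.add(url)
        if problems:
            report[url] = problems
    return report
```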

Screen Lock Behaviour: This setting controls how authentication requests are handled when the screen is locked. Available options shown in the UI are:
Cancel: The system cancels authentication requests when the screen is locked.
Do Not Handle: The authentication request continues without Platform SSO.
Denied Bundle Identifiers: This field allows you to specify an array of app bundle identifiers that should not use the SSO provided by this extension.
Apps listed here will bypass Platform SSO.
Use Add to include multiple bundle identifiers.
Configure Additional Extension Data: This option allows you to pass a dictionary of arbitrary data to the app extension.
The data is entered in dictionary (<dict>) format, as shown in the UI example.
This data is made available to the SSO extension.

Platform SSO Settings
Authentication Method: This setting determines how users authenticate using Platform SSO. Depending on your environment, authentication can be performed using supported methods such as passwords or smart cards. The selected method defines how credentials are validated during login and unlock flows. Based on the selected authentication method, the other options will be available.
Password: When "Password" is selected as the authentication method, you can configure the FileVault/Login/Unlock policy.

User Secure Enclave key: When selected, you cannot configure FileVault/Login/Unlock policy.

Smart card: When selected, you cannot configure FileVault/Login/Unlock policy.
Note:
Smart Card authentication is supported on macOS 14 and later.
Registration Token: The registration token is used by the device to register itself with the identity provider for Platform SSO. When configured, this token enables the device to complete registration automatically, without requiring user interaction during the initial setup or sign-in process.
Account Display Name: This setting defines the display name shown for the user account when Platform SSO is in use. This helps users easily recognize their account during sign-in and authorization requests. The configured name appears in:
System notifications
Authentication prompts
FileVault authentication screens
FileVault Policy: This policy controls how authentication is handled when unlocking a FileVault-encrypted Mac using Platform SSO on Apple Silicon devices.
Available options are:
Attempt to authenticate with the identity provider during login: The system tries to authenticate using Platform SSO, but may allow access if the identity provider is unavailable.
Require identity provider authentication during login: Authentication through the identity provider is mandatory to unlock FileVault.
Note:
If this option is selected, the device must be connected to the Internet during authentication.
Additional options are:
Allow Offline Grace Period: Permits access for a limited time when the device is offline.
Allow Authentication Grace Period: Allows temporary access without re-authenticating immediately.

Login Policy: This setting controls how Platform SSO authentication behaves at the macOS Login Window. These settings help balance security requirements with usability, especially in environments with intermittent network access.
Available options are:
Attempt to authenticate with the identity provider during login.
Require identity provider authentication during login.
Note:
If this option is selected, the device must be connected to the Internet during authentication.
Additional options are:
Allow Offline Grace Period
Allow Authentication Grace Period
Unlock Policy: This policy applies when a user unlocks the device from the lock screen or screensaver.
Available options are:
Attempt to authenticate with the identity provider during unlock.
Require identity provider authentication during unlock.
Additional options are:
Allow Offline Grace Period
Allow Authentication Grace Period

Existing User Permission: This setting defines the permission level assigned to a user account each time the user authenticates.
Available options are:
Standard: The user is assigned a standard account.
Admin: The user is granted local administrator privileges.
Based on Group Assignment: Permissions are assigned dynamically using group membership. When group-based assignment is selected, permissions can be managed using:
Administrator Groups
Additional Groups
Authorization Groups
Enable Authorization Using Identity Provider Accounts: When enabled, identity provider accounts can be used for system authorization prompts, such as actions requiring administrator approval. Authorization is granted based on group membership defined in the configuration.
Token to User Mapping: This setting defines how identity provider attributes are mapped to local macOS user properties.
The mappings are used:
When creating new user accounts
When applying authorization rules
Available fields include:
Account Name
Full Name
Login Frequency: This setting specifies how often a user must perform a full authentication. The value is defined in hours and determines when the system requires a full login instead of a credential refresh.
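To make the interplay between the FileVault/Login/Unlock policy options, the two grace periods and Login Frequency concrete, here is a simplified decision model. It is an added example, not Apple's or the MDM product's code; the exact semantics of each grace period (hours measured since the last full identity provider authentication) and of the login-frequency window are assumptions, as are the constant names.

```python
from dataclasses import dataclass

# Short names for the two picker options; these constants are this example's own.
ATTEMPT = "attempt"   # "Attempt to authenticate with the identity provider"
REQUIRE = "require"   # "Require identity provider authentication"


@dataclass
class PolicyConfig:
    mode: str = ATTEMPT
    offline_grace_hours: float = 0.0   # 0 means "Allow Offline Grace Period" is off
    auth_grace_hours: float = 0.0      # 0 means "Allow Authentication Grace Period" is off
    login_frequency_hours: float = 24  # "Login Frequency" value, in hours


def decide(cfg, idp_reachable, hours_since_full_auth, idp_accepts=True):
    """Outcome of one login / unlock / FileVault attempt as (decision, reason).

    Assumed model (not Apple's implementation):
      - inside the Authentication Grace Period the user is let in without
        re-authenticating at all;
      - otherwise a reachable identity provider decides, and past the Login
        Frequency window a full login (not a credential refresh) is demanded;
      - when the provider is unreachable, REQUIRE only allows access inside
        the Offline Grace Period, while ATTEMPT falls back to the local credential.
    """
    if cfg.auth_grace_hours > 0 and hours_since_full_auth <= cfg.auth_grace_hours:
        return "allow", "within authentication grace period, no re-authentication"
    needs_full_login = hours_since_full_auth > cfg.login_frequency_hours
    if idp_reachable:
        if not idp_accepts:
            return "deny", "identity provider rejected the credential"
        if needs_full_login:
            return "allow", "full identity provider login"
        return "allow", "credential refresh with identity provider"
    if cfg.mode == REQUIRE:
        if cfg.offline_grace_hours > 0 and hours_since_full_auth <= cfg.offline_grace_hours:
            return "allow", "offline, within offline grace period"
        return "deny", "identity provider authentication required but device is offline"
    return "allow", "identity provider unavailable, local credential accepted"
```

Running `decide` over a few configurations shows why "Require" without an offline grace period locks an offline user out, while "Attempt" never does.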
Allow Device Identifier in Attestation: When enabled, the device includes the following identifiers in Platform SSO attestations. The identity provider can use this information for additional validation or compliance checks:
Device UDID
Device serial number
Non-Platform SSO Accounts: The users configured here will not be prompted to authenticate with Platform SSO.
Synchronize Profile Picture: When enabled, the system retrieves the user’s profile picture from the SSO extension and applies it to the local macOS user account, where supported. This helps maintain consistency between identity provider profiles and local device accounts.

Platform SSO New User Settings
These settings control how new user accounts are created and managed using Platform SSO.
Enable User Creation at Login Window: Allows users to create new accounts directly from the macOS Login Window using supported authentication methods such as passwords or smart cards.
New User Authorization Mode: Defines the permission level assigned to newly created user accounts. Available options are:
Standard: The account is a standard user.
Admin: The system adds the account to the local administrators group.
Based on Group Assignment: The system assigns a group to the account using 'Administrator Groups', 'Additional Groups', or 'Authorization Groups'.
Temporary Session: The system uses a temporary session configuration for newly created accounts at login.
Allow Temporary Session QuickLogin: Enable this setting for shared environments with frequent short sessions. It allows the system to use a faster Authenticated Guest Mode login on Mac. After each session, user data is cleared from specific areas within the home directory. Additionally, once every eight hours, the entire user home directory is wiped following session completion.

Enable Creation of first user at setup: When enabled, Platform SSO is used to create the first user account during macOS Setup Assistant, allowing identity-based onboarding from the start.
Defines which authentication methods are available for newly created users. Available options are:
Password
Smart Card
Access Key: Additional Access Key settings are:
Access Key Reader Group Identifier: This setting specifies which Access Key reader group the system should use. The value entered here must match the reader group configured for the Access Key. By doing so, the system knows which readers are allowed to interact with the Access Key during authentication. This ensures that only Access Keys presented through the intended and approved reader group can be used to sign in or create a new user.
Access Key Terminal Identity UUID: This setting links the Access Key to a specific identity payload configured on the device. You provide the PayloadUUID of an identity payload that should act as the terminal identity for the Access Key. The Access Key must already trust the referenced identity. In simple terms, this setting tells the system which trusted identity the Access Key should work with. The Access Key will only function when it is validated against that trusted identity, helping ensure it is used in the correct authentication context.
Allow Access Key Express Mode: When enabled, Access Key can be used in Express Mode. Express Mode allows the Access Key to be used without requiring additional authentication steps before use. This provides a faster and more seamless sign-in experience, especially in environments where speed and convenience are important. If disabled, the system requires standard authentication checks before allowing the Access Key to be used.

Platform SSO Group Membership
These settings control group-based permissions and authorization.
Admin Groups: Defines groups whose members are granted local administrator privileges.
Additional Groups: Defines groups that should be created automatically if they do not already exist. Members of these groups do not receive administrator privileges unless explicitly assigned.
Update Authorization Rights Based on Group Membership: Allows authorization rights to be mapped to specific group names. For each mapping:
Define the Authorization Right
Assign the corresponding Group Name
Multiple mappings can be created to support complex authorization requirements.

