Enhancing and Securing Logins
  • 17 Jan 2023
  • 1 Minute to read
  • Dark
    Light
  • PDF

Enhancing and Securing Logins

  • Dark
    Light
  • PDF

Article summary

When end user devices are trusted and managed – whether they are fully-managed or user enrolled – organizations are able to leverage powerful identity and Single Sign On (SSO) capabilites that are built into macOS and iOS/iPadOS.

This framework is known as Extensible Single Sign On (SSO), and it enables identity providers (IdPs) to deliver modern authentication (e.g. SAML/OIDC) login experiences that are:

  • More secure by enabling the use of hardware-backed keys (Secure Enclave) that serve as phishing resistant factors.
  • More user friendly by enabling the use of TouchID or FaceID to login to IdP-controlled apps.
  • Less intrusive to the end user's workday as they switch between apps to perform their job functions.

With extensible SSO, an Identity Provider's endpoint application includes a "Single Sign On Extension", which is invoked when the user is attempting to login to an app protected by that IdP. A mobile configuration profile is configured via MDM that configures and authorizes the IdP's app to perform this function.

You can see Extensible SSO in action with Okta in our Trusted Access Corporate Owned iPhone demo video.

Identity Providers Supporting Extensible SSO

Identity providers have to adopt Extensible Single Sign On in their endpoint app to enable this enhanced experience on Apple devices.

The below vendors are known to support Extensible Single Sign On in production environments:


Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.