Enhancing and Securing Logins
- Updated on 17 Jan 2023
When end user devices are trusted and managed, whether fully managed or user enrolled, organizations are able to leverage powerful identity and Single Sign On (SSO) capabilities that are built into macOS and iOS/iPadOS.
This framework is known as Extensible Single Sign On (SSO), and it enables identity providers (IdPs) to deliver modern authentication (e.g. SAML/OIDC) login experiences that are:
- More secure by enabling the use of hardware-backed keys (Secure Enclave) that serve as phishing-resistant factors.
- More user-friendly by enabling the use of Touch ID or Face ID to log in to IdP-controlled apps.
- Less intrusive to the end user's workday as they switch between apps to perform their job functions.
With Extensible SSO, an Identity Provider's endpoint application includes a "Single Sign On Extension", which is invoked when the user attempts to log in to an app protected by that IdP. A configuration profile delivered via MDM both authorizes the IdP's app to perform this function and supplies the settings the extension needs (which extension to invoke and which login URLs it handles).
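To make the MDM side concrete, here is an added example (not from this page or any IdP vendor) of a minimal profile carrying a `com.apple.extensiblesso` payload, together with a small Python check an administrator could run before deploying it: it confirms the payload uses the Redirect type that SAML/OIDC IdPs rely on, pins the extension to a developer Team ID, and lists only https login URLs. The extension identifier, Team ID and URL are placeholders.

```python
import plistlib

# Constructed example (not from the page) of the com.apple.extensiblesso payload
# an MDM delivers to authorize an IdP's SSO extension. The extension identifier,
# Team ID and URL are placeholders; a real profile uses the IdP's documented values.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.extensible-sso</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key><string>com.example.extensible-sso.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>ExtensionIdentifier</key><string>com.example-idp.app.sso-extension</string>
      <key>TeamIdentifier</key><string>PLACEHOLDER10</string>
      <key>Type</key><string>Redirect</string>
      <key>URLs</key>
      <array><string>https://login.example-idp.com</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def check_sso_payloads(profile_bytes: bytes) -> list:
    """Return findings for every Extensible SSO payload in a profile.

    Redirect is the type SAML/OIDC IdPs use; the extension must be pinned to a
    Team ID, and every URL must be https so it only fires for real login origins.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.extensiblesso":
            continue  # other payload types (Wi-Fi, VPN, ...) are not our concern
        if payload.get("Type") != "Redirect":
            findings.append("Type should be Redirect for SAML/OIDC IdPs")
        for key in ("ExtensionIdentifier", "TeamIdentifier"):
            if not payload.get(key):
                findings.append(f"missing {key}")
        for url in payload.get("URLs", []):
            if not url.startswith("https://"):
                findings.append(f"non-https URL: {url}")
    return findings


if __name__ == "__main__":
    print(check_sso_payloads(PROFILE_XML) or "profile passes all checks")
```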
You can see Extensible SSO in action with Okta in our Trusted Access Corporate Owned iPhone demo video.
Identity Providers Supporting Extensible SSO
Identity providers have to adopt Extensible Single Sign On in their endpoint app to enable this enhanced experience on Apple devices.
The following vendors are known to support Extensible Single Sign On in production environments:
- Okta Fastpass (macOS and iOS/iPadOS)
- Microsoft Enterprise SSO plug-in for Apple devices