Platform Single Sign-On and the future of user logins

What is the Single Sign-On extension?

Also known as the extensible Single Sign-On or SSOe, the single sign-on extension is a configuration profile payload for macOS, iOS and iPadOS introduced by Apple at WWDC 2019. This configuration profile redirects the request to authenticate to a website, app or service that is gated by a cloud Identity Provider (IdP).

The SSOe configuration profile payload tells the Apple device that when a user logs into a service with a SAML, OAuth 2.0 or OpenID Connect 2.0 authentication methods to redirect this request to the SSOe app locally installed on the device. Consider the payload as process requests through a local proxy. For example, if you wish to visit Microsoft’s SSO-enabled website, it launches the Microsoft Authenticator app instead.

Upon launching, the app, it will first request authentication for the user from the IdP, to validate that the requestor is really the user in question. Next, it will obtain an “access token” and a “refresh token” to keep the user’s login alive until the next time the user changes their password. The authenticator app is then responsible for authenticating the user to services, like logging into Salesforce via Safari or accessing your Office 365 email account within the native Microsoft Outlook app.

Note: SSOe configuration profiles can be set up to work either as a redirect or to provision a credential within the SSOe app. Currently, Microsoft Entra ID uses a redirect payload, while Okta FastPass uses a credential payload. In the latter, the FastPass authenticator app obtains a certificate from the Okta Certification Authority (CA) to authenticate the user. Both are important to note for future deployments as the technology continues being developed.

What is Platform Single Sign-on (PSSO)?

Platform SSO builds on the SSOe configuration profile by tying the local user account on a Mac to the Single Sign-On application. In this model, the user is presented with an identity provider login when they arrive at the macOS login screen.

But wait, doesn’t that sound a bit like Jamf Connect? More on that in a moment. Once the user enters their credentials at the Mac login window, the PSSO will either update the local account password for the user or use a token stored in the secure element of the Mac to authenticate the user locally — the workflow executed depends on how the PSSO extension is written by the developer or how the administrator has configured the deployed option for login handling. Depending on how the PSSO extension is written or how the administrator has set up the option for login, the PSSO will either update the local account password for the user OR it will use a token stored in the secure element of the Mac to authenticate the user locally.

After the user has successfully logged in, they can start accessing any resources gated by the IdP and the SSOe app will intercept the login and automatically authenticate the user, without additional password prompts. Pretty cool, right?!

So, how can I get started with PSSO at my organization?

Jamf Pro was early to ship support for the creation and management of PSSO profiles for increased efficiency, user productivity, and security. But to make use of PSSO, customers depend on their identity provider to provide a single sign-on extension host app. So while Jamf Pro supported PSSO, customers could only take advantage of this functionality once their identity provider also offered support. Jamf teamed up with Okta to update the Okta Verify app for Mac so that Okta and Jamf Pro customers can use the combination of platforms and enjoy the benefits of single sign-on for their Mac. This will make Jamf and Okta customers the first to make use this new capability that was originally showcased by Apple.

What does this mean for Jamf Connect users?

It’s an amazing case of “working better together” since there are no provisions for creating local macOS user accounts with the PSSOe by itself. PSSOe only works when a local user account is created on a Mac. In this case, a user account would need to be created either by running the Setup Assistant when first starting up their Mac for the first time or an administrator would need to go to create a new user account through some other means before the benefits of PSSOe can be realized.

Jamf Connect, on the other hand, can create the first user account on the Mac — or any additional user accounts needed. Furthermore, it can enforce linking the local account to the identity provider credentials and also determine if a user should be made a local admin or a local standard user.

From there, the PSSOe can attach itself to a local user account and magically log users into their organization’s IdP-gated tools and resources.

What if my organization doesn’t use Okta?

Jamf Connect is the portion of the solution that you can deploy right now, knowing that it supports integration with SSOe, to augment the user experience when it’s made available. With Jamf Connect:

• Users log onto their Mac with their common identity provider credentials. This gets users accustomed to using the IdP login when accessing organizational resources.
• User account permissions are secured by the IdP. This means that you can manage who gets assigned admin-level privileges from one centralized place. Additionally, this adheres to the best security principle of only creating an administrator account on a Mac until you absolutely need it.
• You can customize the onboarding experience. Jamf Connect helps IT streamline onboarding for the end-user to get them working productively from the moment they first power on their device.
• If your IdP supports it, try out the previews of the existing SSOe apps with an account created by Jamf Connect. The experience of accessing organizational resources so simply and easily is a truly transformative experience.
• Review the implications of SSOe and PSSO with your company’s Security team. Concerns may exist surrounding the new technology’s efficacy, prompting them to favor a more mature security stack, like with Jamf Protect.

Additional security with Zero Trust Network Access (ZTNA)

The combination of Jamf’s integrated solutions, including built-in Zero Trust Network Access (ZTNA), leverages your IdP to upgrade organizational security by:

• Frequently checking device health
• Assessing app vulnerability status
• Securing network communications
• Mitigating risky user behaviors
• Establishing microtunnels to securely access resources
• Denying access to devices/users found to be compromised
• Maintain optimal productivity by blocking access to only affected resources
• Automatically execute workflows to remediate devices