What is the Single Sign-On extension?
Also known as the Extensible Single Sign-On extension or SSOe, the Single Sign-On extension is a configuration profile payload for macOS, iOS and iPadOS introduced by Apple at WWDC 2019. The payload redirects a request to authenticate to a website, app or service that is gated by a cloud identity provider (IdP) to an application installed locally on the device, as the example workflow below shows.
There are two identity providers currently offering an SSOe companion app, though both apps are still in public preview and are not intended for use in a production environment.
The SSOe configuration profile payload tells the Apple device that when a user logs into a service using SAML, OAuth 2.0 or OpenID Connect, the request should be redirected to the SSOe app installed locally on the device. Think of the payload as routing authentication requests through a local proxy. For example, if you visit Microsoft’s SSO-enabled website, the device launches the Microsoft Authenticator app instead.
Upon launching, the app first requests authentication for the user from the IdP, to validate that the requestor really is the user in question. Next, it obtains an “access token” and a “refresh token” to keep the user signed in until the refresh token expires or is revoked, for example when the user changes their password. The authenticator app is then responsible for authenticating the user to services, like logging into Salesforce via Safari or accessing an Office 365 mailbox within the native Microsoft Outlook app.
Note: SSOe configuration profiles can be set up to work either as a redirect or to provision a credential within the SSOe app. Currently, Microsoft Azure uses a redirect payload, while Okta FastPass uses a credential payload. In the latter, the FastPass authenticator app obtains a certificate from the Okta Certificate Authority (CA) to authenticate the user. Both are important to note for future deployments as the technology continues to be developed.
What is Platform Single Sign-On extension?
The Platform Single Sign-On Extension (PSSOe) builds on the SSOe configuration profile by tying the local user account on a Mac to the Single Sign-On application. In this model, the user is presented with an identity provider login when they arrive at the macOS login screen.
But wait, doesn’t that sound a bit like Jamf Connect? More on that in a moment. Once the user enters their credentials at the Mac login window, the PSSOe app will either update the local account password for the user or use a key stored in the Secure Enclave of the Mac to authenticate the user locally. Which workflow runs depends on how the PSSOe app is written by the developer and on which login-handling option the administrator has configured in the deployed profile.
After the user has successfully logged in, they can start accessing any resources gated by the IdP and the SSOe app will intercept the login and automatically authenticate the user, without additional password prompts. Pretty cool, right?!
What does this announcement mean for Jamf Connect users?
It’s an amazing case of “working better together,” since PSSOe by itself makes no provision for creating local macOS user accounts. PSSOe only works once a local user account exists on the Mac. That account would need to be created either by the user running Setup Assistant when starting up the Mac for the first time, or by an administrator creating the account through some other means, before the benefits of PSSOe can be realized.
Jamf Connect, on the other hand, can create the first user account on the Mac — or any additional user accounts needed. Furthermore, it can enforce linking the local account to the identity provider credentials and also determine if a user should be made a local admin or a local standard user.
From there, the PSSOe can attach itself to a local user account and magically log users into their organization’s IdP-gated tools and resources.
So, when can I test PSSOe within my organization?
Sadly, it’s going to be a while. As announced in the WWDC 2022 session “What’s new in managing Apple devices,” PSSOe will not ship with the initial release of macOS Ventura. Support for PSSOe will remain in preview for developers and identity providers until it is finalized and made generally available at a date yet to be announced.
PSSOe is going to depend on several factors, with a significant one being the “redirect” payload mentioned earlier, as the PSSOe configuration profile payload requires the use of the “redirect” payload and not the “credential” payload.
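To make the redirect-versus-credential distinction above concrete, and the rule that a PSSOe profile must be built on a redirect payload, here is an added example (not Jamf, Apple, Microsoft or Okta code) that builds the three payload shapes and runs a sanity check over them. The key names follow Apple’s Extensible Single Sign-On payload reference as I know it (`com.apple.extensiblesso`, `Type`, `URLs`, `Hosts`, `PlatformSSO` with `AuthenticationMethod`); the Microsoft extension and team identifiers are the values Microsoft publishes for its Enterprise SSO plug-in. Everything under `example.com`, the `ABCDE12345` team ID and `check_sso_payload` itself are constructed for this illustration. Confirm key names and vendor identifiers against the current Apple and IdP documentation before deploying.

```python
"""Build and sanity-check Extensible Single Sign-On (SSOe) profile payloads.

Added example, not vendor code. Key names follow Apple's Extensible SSO
payload reference; Microsoft values are the ones Microsoft publishes for its
Enterprise SSO plug-in. example.com / ABCDE12345 are constructed placeholders.
"""
import plistlib
import uuid
from urllib.parse import urlsplit

PAYLOAD_TYPE = "com.apple.extensiblesso"

# Published Microsoft Enterprise SSO plug-in values (verify against Microsoft's docs).
MS_EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
MS_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]


def sso_payload(extension_id, team_id, sso_type, *, urls=None, hosts=None,
                platform_sso=None):
    """Return one com.apple.extensiblesso payload dictionary.

    sso_type is "Redirect" (URLs: IdP endpoints the extension intercepts) or
    "Credential" (Hosts: hosts whose auth challenges the extension answers).
    platform_sso, if given, is the PlatformSSO dict that makes this a PSSOe payload.
    """
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso." + sso_type.lower(),
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "ExtensionIdentifier": extension_id,
        "TeamIdentifier": team_id,
        "Type": sso_type,
    }
    if urls is not None:
        payload["URLs"] = list(urls)
    if hosts is not None:
        payload["Hosts"] = list(hosts)
    if platform_sso is not None:
        payload["PlatformSSO"] = dict(platform_sso)
    return payload


def check_sso_payload(payload):
    """Return a list of problems; an empty list means the payload looks sane."""
    problems = []
    if payload.get("PayloadType") != PAYLOAD_TYPE:
        problems.append("PayloadType must be " + PAYLOAD_TYPE)
    for key in ("ExtensionIdentifier", "TeamIdentifier"):
        if not payload.get(key):
            problems.append("missing " + key)
    sso_type = payload.get("Type")
    if sso_type == "Redirect":
        urls = payload.get("URLs") or []
        if not urls:
            problems.append("Redirect payload needs at least one URL")
        for url in urls:
            parts = urlsplit(url)
            # A non-https or host-less entry would hand logins for an endpoint
            # the device cannot trust to the extension.
            if parts.scheme != "https" or not parts.netloc:
                problems.append("URL must be https with a host: " + url)
    elif sso_type == "Credential":
        if not payload.get("Hosts"):
            problems.append("Credential payload needs at least one host")
    else:
        problems.append("Type must be Redirect or Credential, got %r" % (sso_type,))
    pso = payload.get("PlatformSSO")
    if pso is not None:
        if sso_type != "Redirect":
            problems.append("PlatformSSO requires a Redirect payload")
        if pso.get("AuthenticationMethod") not in ("Password", "UserSecureEnclaveKey"):
            problems.append("PlatformSSO.AuthenticationMethod must be Password "
                            "or UserSecureEnclaveKey")
    return problems


def to_plist(payload):
    """Serialise a payload to XML plist bytes, the form an MDM delivers."""
    return plistlib.dumps(payload)


# Redirect payload in the shape Microsoft's SSOe app expects.
AZURE_REDIRECT = sso_payload(MS_EXTENSION_ID, MS_TEAM_ID, "Redirect", urls=MS_URLS)

# Credential payload with constructed identifiers (Okta's real values come from Okta).
CREDENTIAL = sso_payload("com.example.idp.sso-extension", "ABCDE12345", "Credential",
                         hosts=["idp.example.com"])

# PSSOe: the redirect payload plus PlatformSSO asking for the Secure Enclave-backed
# key at the login window instead of syncing the local password.
PLATFORM_SSO = sso_payload(MS_EXTENSION_ID, MS_TEAM_ID, "Redirect", urls=MS_URLS,
                           platform_sso={"AuthenticationMethod": "UserSecureEnclaveKey"})

# The mistake the text warns about: PlatformSSO attached to a credential payload.
BAD_PLATFORM_SSO = sso_payload("com.example.idp.sso-extension", "ABCDE12345", "Credential",
                               hosts=["idp.example.com"],
                               platform_sso={"AuthenticationMethod": "Password"})
```

Run `check_sso_payload` over each constant (or over a payload pulled out of a profile you already deploy with `plistlib.load`) and the last one reports that PlatformSSO requires a Redirect payload, which is exactly why an Okta credential-style deployment cannot be turned into PSSOe by adding a PlatformSSO dictionary.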
After more than three years of development work, only Microsoft Azure currently supports redirect SSOe, via an application available in public preview. Okta users will need to wait for their tenant to be upgraded to Okta Identity Engine, and for some changes to Okta FastPass, before it can support PSSOe.
And while administrators are no doubt eager to try it out, implementing this new technology could take some time to integrate completely with your existing workflows, so why not take advantage of the time to plan accordingly to ensure a successful rollout?
For administrators thinking about the future, here are some steps you can take now to best position yourself for success:
- Talk to your IdP. Support for PSSOe depends on their support of the workflow. If you absolutely need this functionality and one IdP will have it, how much work will be required of your organization to switch identity providers?
- Start testing macOS Ventura now. The PSSOe functionality will not be backward compatible with earlier versions of macOS, so you’ll need to update your Mac fleet to the latest operating system. Also, web-based apps will need to be tested with Safari, as SSOe is confirmed to work only with native applications and with websites accessed through Safari, gated by SAML, OAuth 2.0 or OpenID Connect authentication.
- Determine realistic timeframes for deploying the technology. Apple announced the SSOe framework in 2019. They announced the PSSOe framework in June of 2022. As of this writing, no IdP has released production software supporting either iteration since being initially announced by Apple.
What can I do with Jamf Connect right now?
Jamf Connect is the portion of the solution that you can deploy right now, knowing that it supports integration with SSOe, to augment the user experience when it’s made available. With Jamf Connect:
- Users log onto their Mac with their common identity provider credentials. This gets users accustomed to using the IdP login when accessing organizational resources.
- User account permissions are secured by the IdP. This means that you can manage who gets assigned admin-level privileges from one centralized place. Additionally, this adheres to the security best practice of not creating an administrator account on a Mac until you absolutely need it.
- You can customize the onboarding experience. Jamf Connect helps IT streamline onboarding for the end-user to get them working productively from the moment they first power on their device.
- If your IdP supports it, try out the previews of the existing SSOe apps with an account created by Jamf Connect. The experience of accessing organizational resources so simply and easily is a truly transformative experience.
- Review the implications of SSOe/PSSOe with your company’s Security team. Concerns may exist surrounding the new technology’s efficacy, prompting them to favor a more mature security stack, such as Jamf Protect and Jamf Private Access.
The combination of Jamf’s integrated solutions, including built-in Zero Trust Network Access (ZTNA), leverages your IdP to upgrade organizational security by:
- Frequently checking device health
- Assessing app vulnerability status
- Securing network communications
- Mitigating risky user behaviors
- Establishing microtunnels to securely access resources
- Denying access to devices/users found to be compromised
- Maintaining optimal productivity by blocking access only to affected resources
- Automatically executing workflows to remediate devices
Get the ball rolling on your security plans today - don't wait until SSOe is finally available to shore up your organization's security!
Contact Jamf to integrate Jamf Connect into your authentication and IdP workflows to benefit from a mature authentication stack while positioning yourself to support future stacks.