Files
Cyrus Daboo 97a11a861f Seed2
2026-06-22 15:55:19 -04:00

571 lines
25 KiB
YAML

title: Extensible SSO
description: The declaration to configure Extensible Single Sign-On.
payload:
declarationtype: com.apple.configuration.extensible-sso
supportedOS:
iOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- user
macOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- user
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
visionOS:
introduced: '27.0'
allowed-enrollments:
- supervised
- device
- user
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: ExtensionComposedIdentifier
title: Extension composed identifier
type: <string>
presence: required
content: |-
The identifier of the provider to use for this configuration. Useful for apps that contain more than one DNS proxy extension.
In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app.sso-extension".
In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the app extension. "Team-ID" is the team identifier from the app extension's code signature. For example, "com.example.app.sso-extension (ABCD1234)".
- key: Type
title: Type
type: <string>
presence: required
rangelist:
- Credential
- Redirect
content: The type of SSO.
- key: Realm
title: Realm
type: <string>
presence: optional
content: The realm name for `Credential` payloads. Use proper capitalization for
this value. Ignored for `Redirect` payloads.
- key: ExtensionData
title: Extension data
type: <dictionary>
presence: optional
content: A dictionary of arbitrary data passed through to the app extension.
subkeys:
- key: ANY
type: <any>
presence: optional
content: Keys and values to pass to the app extension.
- key: URLs
title: URLs
type: <array>
presence: optional
content: |-
An array of URL prefixes of identity providers where the app extension performs SSO.
Required for `Redirect` payloads. Ignored for `Credential` payloads.
The URLs need to begin with `http://` or `https://`.
The system:
- Matches scheme and host name case-insensitively
- Doesn't allow query parameters and URL fragments
- Requires that the URLs of all installed Extensible SSO payloads are unique
subkeys:
- key: URL
type: <string>
presence: required
content: An http or https URL prefix.
- key: Hosts
title: Hosts
type: <array>
presence: optional
content: |-
An array of host or domain names that apps can authenticate through the app extension.
Required for `Credential` payloads. Ignored for `Redirect` payloads.
The system:
- Matches host or domain names case-insensitively
- Requires that all the host and domain names of all installed Extensible SSO payloads are unique
> Note:
> Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match.
subkeys:
- key: hostname
type: <string>
presence: required
content: A host or domain name, with or without a leading dot.
- key: DeniedBundleIdentifiers
title: Denied bundle identifiers
type: <array>
presence: optional
content: An array of bundle identifiers of apps that don't use SSO provided by this
extension.
subkeys:
- key: bundleIdentifier
type: <string>
presence: required
content: The bundle identifier of the app.
- key: ScreenLockedBehavior
title: Screen locked behavior
type: <string>
presence: optional
rangelist:
- Cancel
- DoNotHandle
default: Cancel
content: If set to `Cancel`, the system cancels authentication requests when the
screen is locked. If set to `DoNotHandle`, the request continues without SSO instead.
This doesn't apply to requests where `userInterfaceEnabled` is `false`, or for
background `URLSession` requests.
- key: PlatformSSO
title: Platform SSO
supportedOS:
iOS:
introduced: n/a
visionOS:
introduced: n/a
type: <dictionary>
presence: optional
content: The dictionary to configure Platform SSO.
subkeys:
- key: AuthenticationMethod
title: Authentication method
type: <string>
presence: optional
rangelist:
- Password
- UserSecureEnclaveKey
- SmartCard
- OpenID
content: The Platform SSO authentication method to use with the extension. Requires
that the SSO Extension also support the method.
- key: RegistrationToken
title: Registration token
supportedOS:
iOS:
introduced: n/a
visionOS:
introduced: n/a
type: <string>
presence: optional
content: The token this device uses for registration with Platform SSO. Use it
for silent registration with the Identity Provider. Requires that `AuthenticationMethod`
in `PlatformSSO` isn't empty.
- key: UseSharedDeviceKeys
title: Use shared device keys
supportedOS:
macOS:
allowed-scopes:
- system
type: <boolean>
presence: optional
default: false
content: If `true`, the system uses the same signing and encryption keys for all
users.
- key: LoginFrequency
title: Login frequency
type: <integer>
presence: optional
range:
min: 3600
default: 64800
content: The duration, in seconds, until the system requires a full login instead
of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600
(1 hour).
- key: AllowDeviceIdentifiersInAttestation
title: Allow device identifiers in attestation
type: <boolean>
presence: optional
default: false
content: If `true`, the system includes the device UDID and serial number in Platform
SSO attestations.
- key: Account
title: Account
type: <dictionary>
presence: optional
content: Account display and profile settings.
subkeys:
- key: DisplayName
title: Display name
type: <string>
presence: optional
content: The display name for the account in notifications and authentication
requests.
- key: SynchronizeProfilePicture
title: Synchronize profile picture
type: <boolean>
presence: optional
default: false
content: If `true`, the system requests the user's profile picture from the
SSO extension.
- key: UserCreation
title: User creation
type: <dictionary>
presence: optional
content: Settings for creating new users via Platform SSO.
subkeys:
- key: EnableAtLogin
title: Enable at login
type: <boolean>
presence: optional
default: false
content: Enables creating users at the Login Window with an `AuthenticationMethod`
of either `Password` or `SmartCard`. Requires that `UseSharedDeviceKeys` is
`true`.
- key: EnableFirstUserDuringSetup
title: Enable first user during setup
type: <boolean>
presence: optional
default: true
content: If `true`, the device uses Platform SSO to create the first user account
on the Mac during `Setup Assistant`.
- key: EnableRegistrationDuringSetup
title: Enable registration during setup
type: <boolean>
presence: optional
default: false
content: If `true`, the system enables the PlatformSSO registration process
during Setup Assistant on devices running macOS 26 and later. Set this key
to `true` when configuring PlatformSSO before enrollment using the `com.apple.psso.required`
error response.
- key: NewUserAuthenticationMethods
title: New user authentication methods
type: <array>
presence: optional
content: The set of authentication methods to use for newly created accounts
at login or during `Setup Assistant`. The system uses `Password` and `SmartCard`
if this key isn't present.
subkeys:
- key: NewUserAuthenticationMethod
type: <string>
presence: optional
rangelist:
- Password
- SmartCard
- AccessKey
- OpenID
content: |-
An authentication method to use for newly created accounts at login or during `Setup Assistant`. Allowed values:
* `Password`: The account uses a password for authentication.
* `SmartCard`: The account uses a smart card for authentication.
* `AccessKey`: The account uses an access key for authentication.
* `OpenID`: The account uses OpenID for authentication.
- key: NewUserAuthorizationMode
title: New user authorization mode
type: <string>
presence: optional
rangelist:
- Standard
- Admin
- Groups
- Temporary
content: |-
The permission to apply to newly created accounts at login. Allowed values:
* `Standard`: The account is a standard user.
* `Admin`: The system adds the account to the local administrators group.
* `Groups`: The system assigns groups to the account using `Authorization.AdministratorGroups`, `Authorization.AdditionalGroups`, or `Authorization.AuthorizationGroups`.
* `Temporary`: The system uses a temporary session configuration for newly created accounts at login.
- key: TokenToUserMapping
title: Token to user mapping
type: <dictionary>
presence: optional
content: The attribute mapping to use when creating users, or for authorization.
subkeys:
- key: AccountName
title: Account name
type: <string>
presence: optional
content: The claim name to use for the user's account name.
- key: FullName
title: Full name
type: <string>
presence: optional
content: The claim name to use for the user's full name.
- key: TemporarySessionQuickLogin
title: Temporary session quick login
type: <boolean>
presence: optional
default: false
content: If `true`, the system uses a quicker Authenticated Guest Mode login
to Mac behavior. The system erases user data from only select locations in
the user home directory after each session completes. Once every eight hours
the system erases the full user home directory after a session completes.
Turn this on for shared environments that have a high frequency of short sessions.
- key: Authorization
title: Authorization
type: <dictionary>
presence: optional
content: Settings for authorization prompts and group management.
subkeys:
- key: EnableIdentityProviderAccounts
title: Enable identity provider accounts
type: <boolean>
presence: optional
default: false
content: Enables using identity provider accounts at authorization prompts.
Requires that `UseSharedDeviceKeys` is `true`. The system assigns groups using
`AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`.
- key: UserAuthorizationMode
title: User authorization mode
type: <string>
presence: optional
rangelist:
- Standard
- Admin
- Groups
content: |-
The permission to apply to an account each time the user authenticates. Allowed values:
* `Standard`: The account is a standard user.
* `Admin`: The system adds the account to the local administrators group.
* `Groups`: The system assigns group to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`.
- key: AdministratorGroups
title: Administrator groups
type: <array>
presence: optional
content: The list of groups to use for administrator access. The system requests
membership during authentication.
subkeys:
- key: Group
type: <string>
presence: optional
content: The group name.
- key: AdditionalGroups
title: Additional groups
type: <array>
presence: optional
content: The list of created groups that don't have administrator access.
subkeys:
- key: Group
type: <string>
presence: optional
content: The group name.
- key: AuthorizationGroups
title: Authorization groups
type: <dictionary>
presence: optional
content: The pairing of Authorization Rights to group names. When using this,
the system updates the Authorization Right to use the group.
subkeys:
- key: ANY
type: <string>
presence: optional
content: The key is an access right value, the value is the group to be associated
with that access right.
- key: AccessKey
title: Access key
type: <dictionary>
presence: optional
content: Settings for Access Key authentication.
subkeys:
- key: ReaderGroupIdentifier
title: Reader group identifier
type: <data>
presence: optional
content: The reader group identifier for use with the `AccessKey`. The value
needs to match the configured access key. Required if `UserCreation.AuthenticationMethods`
contains `AccessKey`.
- key: TerminalIdentityAssetReference
title: Terminal identity asset reference
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: optional
content: The identifier of an asset declaration that contains the identity to
use as the Terminal identity of the Access Key. The Access Key needs to trust
the identity. Required if `UserCreation.AuthenticationMethods` includes `AccessKey`.
- key: ReaderIssuerCertificateAssetReference
title: Reader issuer certificate asset reference
type: <string>
assettypes:
- com.apple.asset.credential.certificate
presence: optional
content: The identifier of an asset declaration that contains the certificate
for the issuer certificate of the `Terminal` identity of the access key. Other
specifications refer to the key as the "Reader CA Public Key". The key must
be an elliptic curve key. Required if `UserCreation.AuthenticationMethods`
includes `AccessKey`. The issuer of the Terminal identity of the access key
needs to match this certificate, otherwise the device fails the authentication.
- key: AllowExpressMode
title: Allow express mode
type: <boolean>
presence: optional
default: false
content: If `true`, the system uses the access key in express mode, and doesn't
require authentication before use.
- key: Policies
title: Policies
type: <dictionary>
presence: optional
content: Policies for login, unlock, and FileVault behavior.
subkeys:
- key: FileVault
title: FileVault
type: <array>
presence: optional
content: |-
The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when `AuthenticationMethod` is `Password`.
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication is required, even if taken offline.
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not.
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access.
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies are updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access.
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for File Vault unlock.
* `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for File Vault unlock.
* `AllowOpenIDForTouchIDFallback`: The device allows web login as a fallback if touchID fails or isn't available.
subkeys:
- key: policy
type: <string>
presence: required
rangelist:
- AttemptAuthentication
- RequireAuthentication
- AllowOfflineGracePeriod
- AllowAuthenticationGracePeriod
- RequireTouchID
- RequireTouchIDOrWatch
- AllowOpenIDForTouchIDFallback
content: The policy to apply.
- key: Login
title: Login
type: <array>
presence: optional
content: |-
The policy to apply when using Platform SSO at the Login Window. Applies when `AuthenticationMethod` is `Password`.
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, login continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline.
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses the `AuthenticationGracePeriod` to determine if the user can proceed or not.
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. Applies to web login and all offline passwords.
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access.
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for login.
* `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for login.
* `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available.
subkeys:
- key: policy
type: <string>
presence: required
rangelist:
- AttemptAuthentication
- RequireAuthentication
- AllowOfflineGracePeriod
- AllowAuthenticationGracePeriod
- RequireTouchID
- RequireTouchIDOrWatch
- AllowOpenIDForTouchIDFallback
content: The policy to apply.
- key: Unlock
title: Unlock
type: <array>
presence: optional
content: |-
The policy to apply when using Platform SSO at screensaver unlock. Applies when `AuthenticationMethod` is `Password`. later.
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock will continue if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline.
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not.
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access.
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies the unregistered account access.
* `AllowTouchIDOrWatchForUnlock`: The device allows TouchID or Watch to unlock the screensaver instead of Platform SSO authentication when `RequireAuthentication` is enabled.
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for unlock.
* `RequireTouchIDOrWatch`: RThe device requires the use of Touch ID or Apple Watch for unlock.
* `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available.
subkeys:
- key: policy
type: <string>
presence: required
rangelist:
- AttemptAuthentication
- RequireAuthentication
- AllowOfflineGracePeriod
- AllowAuthenticationGracePeriod
- AllowTouchIDOrWatchForUnlock
- RequireTouchID
- RequireTouchIDOrWatch
- AllowOpenIDForTouchIDFallback
content: The policy to apply.
- key: OfflineGracePeriod
title: Offline grace period
type: <integer>
presence: optional
content: The amount of time after the last successful Platform SSO login for
using a local account password offline. Required when setting `AllowOfflineGracePeriod`.
- key: AuthenticationGracePeriod
title: Authentication grace period
type: <integer>
presence: optional
content: The amount of time after receiving or updating a `Policies.FileVault`,
`Policies.Login`, or `Policies.Unlock` that the system can use unregistered
local accounts. Required when `AllowAuthenticationGracePeriod` is set.
- key: NonPlatformSSOAccounts
title: Non-platform SSO accounts
type: <array>
presence: optional
content: The list of local accounts that aren't subject to the `Policies.FileVault`,
`Policies.Login`, or `Policies.Unlock` policies. The accounts don't receive
a prompt to register for Platform SSO.
subkeys:
- key: username
type: <string>
presence: required
content: A local account username.
- key: WebAuthentication
title: Web authentication
supportedOS:
macOS:
introduced: '27.0'
type: <dictionary>
presence: optional
content: Settings for web authentication behavior.
subkeys:
- key: URLAllowList
title: URL allow list
type: <array>
presence: optional
content: The set of allowed hosts that the system can load in the PSSO web view.
Required if `AuthenticationMethod` is set to `OpenID`, or `UserCreation.AuthenticationMethods`
contains `OpenID`.
subkeys:
- key: Hosts
type: <string>
presence: optional
content: A host or host prefix.
- key: AllowPasswordSync
title: Allow password sync
type: <boolean>
presence: optional
default: false
content: If `true`, the system detects the password during web authentication
and synchronizes it to the local account password for the user.
examples:
- title: Configuration examples
files:
- tab: Credential
description: This configuration sets up a Credential-type SSO extension that handles
authentication for hosts in the example.com domain.
file: examples/declarative/declarations/configurations/extensiblesso/example1.json
- tab: Redirect
description: This configuration sets up a Redirect-type SSO extension that intercepts
authentication requests to specific login URLs.
file: examples/declarative/declarations/configurations/extensiblesso/example2.json