During its 2022 Worldwide Developers Conference (WWDC), Apple announced plans to introduce Platform Single Sign-On (SSO). Many in the ecosystem longed for the day when users could sign on to their device via the organization’s identity provider (IdP) for SSO authentication and automatically log in to every app, website, and service. Starting with macOS 13 Ventura, this dream became a reality: Platform SSO is finally here. We’ll break down what you should know about Platform SSO and Apple’s other authentication services.
What is Platform SSO?
Platform SSO is Apple’s most advanced single sign-on feature to date. Available for macOS 13 and later, it essentially replaces Active Directory binding. Local account credentials synchronize with your IdP so that users need to log in only once. After logging in to their Mac, iPhone, or iPad, they automatically have access to multiple applications, websites, and services. That means fewer passwords for users to forget!
What is SSOe, and how does it relate to Platform SSO?
Single Sign-On Extension (SSOe), also known as Extensible SSO, is Platform SSO’s predecessor. Announced at WWDC 2019, SSOe required users to sign in twice: once to unlock the device and once to use the extension. While it was a move in the right direction, Platform SSO takes it one step further by tying the local account directly to the single sign-on application.
If signing in just once saves each user 10 seconds per day, that adds up to around 40 minutes over the course of the year. So if you have 100 users, you just saved your business over six labor hours per year. And that’s not even counting all the time your IT team will save thanks to fewer support tickets. Efficiency for the win!
What is Enrollment SSO?
Enrollment SSO leverages SSOe and Managed Apple ID to allow users to enroll a device. Powered by the identity service provider, this option simplifies Apple User Enrollment for BYOD devices and streamlines the initiation of remote management. The SSO user signs in with a Managed Apple ID, downloads the IdP app, and logs in with the native app experience (which provisions SSOe on the device). Then they can automatically sign in to all managed apps through SSOe.
How does Platform SSO work?
Platform SSO binds the user’s local account and cloud-based IdP user identity, automatically signing them into business apps when they log in to their device with their IdP login credentials.
To do this securely, Platform SSO registers the device with your IdP using a key backed by the Secure Enclave, so the IdP can identify the endpoint it is talking to. The SSOe configuration profile tells the device that when you sign in to a service using a method like SAML, OAuth 2.0, or OpenID Connect 2.0, it should route that login request to your identity provider's SSOe app on the device. Your local password also integrates with SSOe: each time you enter it, SSOe refreshes the login token with your IdP, which provides a form of multifactor authentication (MFA).
How to configure Platform SSO with SimpleMDM
Configuring Platform SSO with SimpleMDM is one of the easiest things you’ll do all week. Just follow these steps:
Configure the SSOe profile in SimpleMDM, setting the authentication method and providing a registration token for Platform SSO.
Assign the profile to your devices.
Check the identity provider vendor's documentation for other configuration requirements and additional details.
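As an added illustration of step 1 (not code from the original post or from SimpleMDM), here is what the SSOe configuration profile looks like as a .mobileconfig property list. The payload type com.apple.extensiblesso, the ExtensionIdentifier, TeamIdentifier, Type and URLs keys, the RegistrationToken key and the PlatformSSO dictionary with AuthenticationMethod and UseSharedDeviceKeys follow Apple's Extensible Single Sign-On payload as this editor understands it; the bundle ID, team ID, URLs, UUIDs and the registration token value are placeholders, and which keys a given IdP's extension actually requires is an assumption you must confirm against that vendor's documentation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <!-- Extensible SSO payload; the PlatformSSO keys below need macOS 13 or later -->
            <key>PayloadType</key>
            <string>com.apple.extensiblesso</string>
            <key>PayloadIdentifier</key>
            <string>com.example.sso.platform</string>
            <key>PayloadUUID</key>
            <string>11111111-2222-3333-4444-555555555555</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadDisplayName</key>
            <string>Platform SSO (example payload)</string>

            <!-- Bundle ID and Team ID of the IdP's SSO extension app: placeholders,
                 take the real values from your identity provider's documentation -->
            <key>ExtensionIdentifier</key>
            <string>com.example.idp.ssoextension</string>
            <key>TeamIdentifier</key>
            <string>ABCDE12345</string>
            <!-- Redirect-type extensions handle OAuth 2.0 / OpenID Connect / SAML flows for the listed URLs -->
            <key>Type</key>
            <string>Redirect</string>
            <key>URLs</key>
            <array>
                <string>https://idp.example.com/</string>
            </array>

            <!-- Registration token issued by the IdP tenant so the device can register its
                 Secure Enclave-backed key with the IdP: placeholder value -->
            <key>RegistrationToken</key>
            <string>REPLACE_WITH_IDP_REGISTRATION_TOKEN</string>

            <key>PlatformSSO</key>
            <dict>
                <!-- Password syncs the local account password with the IdP (the method this post describes);
                     UserSecureEnclaveKey would authenticate with a per-user Secure Enclave key instead -->
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <!-- Share one device key between the login window and the user session -->
                <key>UseSharedDeviceKeys</key>
                <true/>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Platform SSO (example profile)</string>
    <key>PayloadIdentifier</key>
    <string>com.example.sso.platform.profile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>66666666-7777-8888-9999-000000000000</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```

Two points worth checking before you assign a profile like this: the registration token is a credential, so it belongs in the MDM's profile store and never in a shared document or ticket, and the AuthenticationMethod you pick decides whether the user's local password is tied to the IdP (Password) or whether a key that never leaves the Secure Enclave does the work (UserSecureEnclaveKey), which is the stronger choice where your IdP supports it.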
Your boss doesn’t need to know how easy it was. Enjoy the free high fives!
Benefits of Platform SSO
When you enable SSO for user authentication, it simplifies multiple aspects of your access management, identity management, and security programs. Basically, it helps MacAdmins live their best lives. We’ll highlight just a few of the potential advantages.
Streamlined user authentication
Users log in just once and have access to the resources they need.
Compatibility with MFA
In conjunction with Platform SSO, you can add Face ID or Touch ID, a hardware key, or even push notifications for some apps.
Superior user experience
With password sync, users only have to remember one password, and they don’t have to reenter it constantly.
Fewer help desk tickets
Platform SSO enforces the password policy, and passwords don’t get out of sync. That means less legwork for your IT team.
Improved access management
Platform SSO simplifies user access control by centralizing the identity management process, allowing secure access with less effort.
Allowing users to access multiple accounts through one set of credentials reduces the likelihood of password fatigue. Users can select strong, secure passwords without insurmountable suffering.
Compatible identity providers
Just one identity service provider has an app that is compatible with Platform SSO: Okta.
While Microsoft Azure Active Directory supports SSOe, it does not officially support Platform SSO at the time of publication. Let’s hope they change that. Be better, Microsoft.
At SimpleMDM, we want to make everything in life quick and easy. That’s why we already support Platform SSO through Okta. We also support SSOe because we’re no chumps. Want to stare slack-jawed at the incomparable convenience? Sign up for a free 30-day trial. Your users will never want to sign into their accounts the old-fashioned way again.