SSO for Apple iOS with SOTI Identity
Pre-requisites
- Configure SOTI IDP in Global Settings of the SOTI MobiControl web console.
- SOTI Identity configurations:
  - Device users are AD integrated in SOTI Identity.
  - The native app server or web app's server is integrated with SOTI IDP. See the SOTI Identity documentation.
  - Other IDPs (like Azure or Okta) must integrate with SOTI Identity.
- The managed associated domain must have the IDP URL in the app policy (for example, "authsrv:identity.soti.net").
- SSO requires iOS 13 or later.
- Requires the iOS Agent and is compatible with iOS Agent 13.4.6 or later.
- Requires the SOTI MobiControl login app for shared devices.
Workflow
- See Configuring SSO for iOS with SOTI Identity for an overview of how to configure SSO from within the SOTI MobiControl web console.
- Create an application policy to send managed applications to the device.
- Create a profile with the Extensible SSO payload:
  - App Extension Bundle Identifier - net.soti.mobicontrol.sso.
  - SSO type - Redirect.
  - Add URL Prefix - https://identity.soti.net/sso/saml/auth/login.
  - Extension Data
    - Define the bundle identifiers of the applications on which SSO is enabled. If no application is added, SSO is enabled for all applications registered with SOTI Identity.
    - Use the AllowedApps_BundleID tag for allowed applications.
    - Use the BlockedApps_BundleID tag for blocked application IDs.
    - Example:
      <dict>
        <key>AllowedApps_BundleID</key>
        <string>com.microsoft.skydrive,com.apple.mobilesafari,com.microsoft.azureauthenticator</string>
      </dict>
- Enroll and assign App policy and Extensible SSO profile to the device.
- Open any of the configured native or web applications and try to log in.
- Opening any native or web application does not require the password to be re-entered on login.
Note: Application logout depends on the behavior of the application.
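Before pushing the Extensible SSO profile, it is worth checking which apps the Extension Data dictionary actually puts in scope, since an empty allow list enables SSO for every app registered with SOTI Identity. The following is an added example, not SOTI code: it parses a constructed Extension Data plist modelled on the example above and evaluates the AllowedApps_BundleID / BlockedApps_BundleID lists for a set of candidate bundle IDs. The rule that a blocked entry wins when an app appears in both lists is an assumption, not something the page states.

```python
import plistlib

# Constructed sample Extension Data (not from a real deployment), modelled on the
# page's example with an added BlockedApps_BundleID entry and stray whitespace.
EXTENSION_DATA_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AllowedApps_BundleID</key>
  <string>com.microsoft.skydrive, com.apple.mobilesafari,com.microsoft.azureauthenticator</string>
  <key>BlockedApps_BundleID</key>
  <string>com.apple.mobilesafari</string>
</dict>
</plist>
"""


def parse_bundle_list(value):
    """Split a comma-separated bundle ID string into a set, ignoring blanks and whitespace."""
    if not value:
        return set()
    return {item.strip() for item in value.split(",") if item.strip()}


def load_extension_data(plist_bytes):
    """Return (allowed, blocked) bundle ID sets from an Extension Data plist."""
    data = plistlib.loads(plist_bytes)
    return (parse_bundle_list(data.get("AllowedApps_BundleID")),
            parse_bundle_list(data.get("BlockedApps_BundleID")))


def sso_enabled(bundle_id, allowed, blocked):
    """Decide whether SSO applies to bundle_id.

    From the page: an empty allow list means every app registered with SOTI
    Identity gets SSO; otherwise only listed apps do; blocked apps never do.
    ASSUMPTION: an app present in both lists is treated as blocked.
    """
    if bundle_id in blocked:
        return False
    if not allowed:
        return True
    return bundle_id in allowed


def sso_scope_report(plist_bytes, candidate_apps):
    """Map each candidate bundle ID to True/False so the scope can be reviewed before deployment."""
    allowed, blocked = load_extension_data(plist_bytes)
    return {app: sso_enabled(app, allowed, blocked) for app in candidate_apps}
```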