Kerberos Extensible Single Sign-on (iOS)

Kerberos Extensible Single Sign-on (SSO) allows users to authenticate once and access multiple resources without having to re-enter their credentials.

Kerberos Extensible SSO authentication features include mutual authentication, ticket-based authentication, and encryption of authentication messages. These features help to prevent security threats and protect from credential theft and other vulnerabilities.

Note: Requires iOS 13.0 or later.

Do this when:

Details

Realm

The IP address or hostname of the domain or administrative network partition that shares a common security policy and authentication database.

Add Host Names Select Add to identify each host or domain name the app extension can authenticate through.

Extension Data

Principal Name The principal username. Do not include the realm.
Site Code The URL of the Active Directory site used by the Kerberos extension.
Certificate The Public Key Cryptography for Initial Authentication (PKINIT) certificate for renewing the Kerberos credential.
Allow Automatic Login Turn on to allow automatic logins. When disabled, passwords cannot save to the keychain.
Is Default Realm Sets the realm as the default when there is more than one Kerberos extension configured.
Require User Presence Turn on to require the user to give Touch ID, Face ID, or their passcode to access a keychain entry.
Use Site Auto-Discovery Turn on to allow the Kerberos extension to use LDAP and DNS to determine its AD site name.
Add Preferred KDCs Select Add to identify each Key Distribution Center (KDC) to handle Kerberos traffic. The list order is by preference.
Add Credential Bundle ID ACL

Identify each bundled ID allowed to access the Ticket Granting Ticket (TGT). You may identify them individually or using a CSV file.

Adding individual bundle IDs manually

Select Add to identify each bundled ID.

Adding multiple bundle IDs with a CSV

Select Import to locate and import your CSV file. Add Credential Bundle ID ACL lists the applications from your CSV file.
Note: Each line of the CSV file must be in the format Application Bundle Identifier, Application Name.
Important: Validate that all applications are present. Missing applications may indicate a problem with your CSV file.