SSO for Apple iOS using SOTI Identity
Pre-requisites
- Configure SOTI IdP in Global Settings of the SOTI MobiControl web console.
- In SOTI Identity:
  - Integrate the device users' Active Directory (AD).
  - Integrate the native app server or web app server with SOTI IdP. Refer to the SOTI Identity documentation.
  - Other IdPs (such as Azure or Okta) must integrate with SOTI Identity.
- The managed associated domain must have an IdP URL in the app policy (for example, authsrv:identity.soti.net).
- SSO requires iOS 13 or later.
- Requires an iOS Agent and is compatible with agent 13.4.6 or later.
- Requires a SOTI MobiControl login app for shared devices.
Workflow
- See Configuring SSO for iOS with SOTI Identity for an overview of how to configure SSO from within the SOTI MobiControl web console.
- Create an application policy to send managed applications to the device.
- Create a profile with an Extensible SSO payload configured with the following values:
  - Set App Extension Bundle Identifier to net.soti.mobicontrol.sso.
  - Set SSO type to Redirect.
  - Add https://identity.soti.net/sso/saml/auth/login as the URL Prefix.
  - Enable Extension Data:
    - Define the application's bundle identifier to enable SSO on specific applications. Note: Not adding an application enables SSO for all the applications registered with SOTI Identity.
    - Use the AllowedApps_BundleID tag for the allowed application IDs.
    - Use the BlockedApps_BundleID tag for the blocked application IDs.
    Tip: Review the following as an example of a completed extension data configuration.
        <dict>
            <key>AllowedApps_BundleID</key>
            <string>com.microsoft.skydrive,com.apple.mobilesafari,com.microsoft.azureauthenticator</string>
        </dict>
- Enroll and assign the application policy and Extensible SSO profile to the device.
- Open any of the configured native or web applications and try to log in.
- Opening any native or web application does not require the password to be re-entered at login.
Note: Application logout depends on the application's behavior.
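The following is an added worked example, not SOTI's or Apple's own code. It assembles the Extensible SSO payload described in the workflow above (extension identifier net.soti.mobicontrol.sso, type Redirect, the SOTI Identity URL prefix, and an ExtensionData dictionary using the AllowedApps_BundleID and BlockedApps_BundleID tags), serialises it with plistlib the way an MDM would, and runs the checks an administrator would want before pushing the profile. The payload key names follow Apple's com.apple.extensiblesso schema; the TeamIdentifier and PayloadIdentifier values are placeholders, and the evaluation order in sso_applies (a block entry wins, then an explicit allow list restricts, an absent allow list enables every registered app) is an assumption made for the example, since the page states only the meaning of each tag.

```python
"""Build and sanity-check an Extensible SSO payload for SOTI Identity.

Added example: not SOTI's or Apple's own code. Payload keys follow Apple's
com.apple.extensiblesso profile schema; TeamIdentifier and PayloadIdentifier
are placeholders.
"""
import plistlib
import uuid

# Values given on the page for the SOTI Identity SSO extension.
SOTI_SSO_EXTENSION = "net.soti.mobicontrol.sso"
SOTI_IDP_URL_PREFIX = "https://identity.soti.net/sso/saml/auth/login"

ALLOW_TAG = "AllowedApps_BundleID"
BLOCK_TAG = "BlockedApps_BundleID"


def build_extension_data(allowed=(), blocked=()):
    """Return the ExtensionData dictionary in the page's tag format.

    Each tag carries a comma-separated list of bundle identifiers. Leaving the
    allow tag out entirely means SSO is enabled for every application
    registered with SOTI Identity.
    """
    data = {}
    if allowed:
        data[ALLOW_TAG] = ",".join(allowed)
    if blocked:
        data[BLOCK_TAG] = ",".join(blocked)
    return data


def build_extensible_sso_payload(extension_data, team_id="TEAMID_PLACEHOLDER"):
    """Assemble the com.apple.extensiblesso payload dictionary."""
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.soti",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "SOTI Identity SSO",
        "ExtensionIdentifier": SOTI_SSO_EXTENSION,
        "TeamIdentifier": team_id,                   # placeholder, assumption
        "Type": "Redirect",
        "URLs": [SOTI_IDP_URL_PREFIX],
        "ExtensionData": extension_data,
    }


def parse_bundle_tag(extension_data, tag):
    """Split a comma-separated tag value into a set of bundle identifiers."""
    raw = extension_data.get(tag, "")
    return {b.strip() for b in raw.split(",") if b.strip()}


def sso_applies(bundle_id, extension_data):
    """Decide whether the SSO extension should handle bundle_id.

    Assumed evaluation order (not stated on the page): a block entry wins,
    then an explicit allow list restricts, and an absent allow list enables all.
    """
    if bundle_id in parse_bundle_tag(extension_data, BLOCK_TAG):
        return False
    allowed = parse_bundle_tag(extension_data, ALLOW_TAG)
    return not allowed or bundle_id in allowed


def validate_payload(payload):
    """Return a list of configuration problems (empty means the payload is sound)."""
    problems = []
    if payload.get("Type") != "Redirect":
        problems.append("SSO type must be Redirect for SOTI Identity")
    if payload.get("ExtensionIdentifier") != SOTI_SSO_EXTENSION:
        problems.append("unexpected ExtensionIdentifier")
    for url in payload.get("URLs", []):
        if not url.startswith("https://"):
            problems.append(f"non-HTTPS URL prefix: {url}")
    ext = payload.get("ExtensionData", {})
    overlap = parse_bundle_tag(ext, ALLOW_TAG) & parse_bundle_tag(ext, BLOCK_TAG)
    if overlap:
        problems.append("bundle IDs listed as both allowed and blocked: " + ",".join(sorted(overlap)))
    return problems


def roundtrip(payload):
    """Serialise to an XML plist and parse it back, as an MDM would emit it."""
    return plistlib.loads(plistlib.dumps(payload))


if __name__ == "__main__":
    # The page's example allow list, with one blocked app added for illustration.
    data = build_extension_data(
        allowed=["com.microsoft.skydrive", "com.apple.mobilesafari", "com.microsoft.azureauthenticator"],
    )
    payload = build_extensible_sso_payload(data)
    print(plistlib.dumps(payload).decode())
    print("problems:", validate_payload(payload))
    print("Safari gets SSO:", sso_applies("com.apple.mobilesafari", data))
```

Running the module prints the XML plist whose ExtensionData section matches the Tip above; validate_payload is the place to add any further organisation-specific checks before the profile is assigned to devices.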