SSO for Apple iOS using SOTI Identity

Pre-requisites

  • Configure SOTI IdP in Global Settings of the SOTI MobiControl web console.
  • In SOTI Identity:
    • Integrate the device users' Active Directory (AD).
    • Integrate native app server or web app server with SOTI IdP. Refer to SOTI Identity documentation.
    • Any other IdPs (like Azure or Okta) must be integrated with SOTI Identity.
  • The managed associated domain must have an IdP URL in the app policy (for example, authsrv:identity.soti.net).
  • SSO requires iOS 13 or later.
  • Requires an iOS Agent and is compatible with agent 13.4.6 or later.
  • Requires a SOTI MobiControl login app for shared devices.

Workflow

  1. See Configuring SSO for iOS with SOTI Identity for an overview of how to configure SSO from within the SOTI MobiControl web console.
  2. Create an application policy to send managed applications to the device.
  3. Create a profile with an Extensible SSO payload configured with the following values:
    1. Set App Extension Bundle Identifier to net.soti.mobicontrol.sso.
    2. Set SSO type to Redirect.
    3. Add https://identity.soti.net/sso/saml/auth/login as the URL Prefix.
    4. Enable Extension Data:
      • Define the application's bundle identifier to enable SSO on specific applications.
        Note: Not adding an application enables SSO for all the applications registered with SOTI Identity.
        • Use the AllowedApps_BundleID tag for the allowed applications ID.
        • Use the BlockedApps_BundleID tag for the blocked applications ID.
          Tip: Review the following as an example of a completed extension data configuration.
          <dict>
            <key>AllowedApps_BundleID</key>
            <string>com.microsoft.skydrive,com.apple.mobilesafari,com.microsoft.azureauthenticator</string>
          </dict>
  4. Enroll and assign the application policy and Extensible SSO profile to the device.
  5. Open any of the configured native or web applications and try to log in.
  6. Opening any configured native or web application no longer requires re-entering a password at login.
Note: Application logout depends on the application's behavior.
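As an added example (not part of the SOTI documentation or product), the Python below builds the Extensible SSO payload described in step 3 and checks which app logins it applies to. The extension identifier, URL prefix and the AllowedApps_BundleID / BlockedApps_BundleID tags come from this page; the Apple key names (PayloadType, ExtensionIdentifier, Type, URLs, ExtensionData) come from Apple's com.apple.extensiblesso payload specification, and the rule that a blocked entry wins when a bundle ID appears in both lists is an assumption.

```python
import plistlib

# Values from the workflow on this page.
SSO_EXTENSION_ID = "net.soti.mobicontrol.sso"
SSO_URL_PREFIX = "https://identity.soti.net/sso/saml/auth/login"


def build_extensible_sso_payload(allowed=(), blocked=()):
    """Build the Extensible SSO payload as a profile dictionary.
    Key names follow Apple's com.apple.extensiblesso payload (assumed
    mapping of the console labels: App Extension Bundle Identifier ->
    ExtensionIdentifier, SSO type -> Type, URL Prefix -> URLs)."""
    extension_data = {}
    if allowed:
        extension_data["AllowedApps_BundleID"] = ",".join(allowed)
    if blocked:
        extension_data["BlockedApps_BundleID"] = ",".join(blocked)
    return {
        "PayloadType": "com.apple.extensiblesso",
        "ExtensionIdentifier": SSO_EXTENSION_ID,
        "Type": "Redirect",
        "URLs": [SSO_URL_PREFIX],
        "ExtensionData": extension_data,
    }


def parse_bundle_list(value):
    """Split the comma-separated bundle ID string used by the tags."""
    return [b.strip() for b in value.split(",") if b.strip()]


def sso_applies(payload, bundle_id, url):
    """Decide whether the redirect extension handles a login from
    bundle_id to url. Rules from the page: the URL must start with the
    configured prefix; empty Extension Data enables SSO for all
    registered apps; AllowedApps restricts, BlockedApps excludes.
    Assumption: a blocked entry wins when a bundle is in both lists."""
    if not any(url.startswith(prefix) for prefix in payload["URLs"]):
        return False
    data = payload.get("ExtensionData", {})
    blocked = parse_bundle_list(data.get("BlockedApps_BundleID", ""))
    allowed = parse_bundle_list(data.get("AllowedApps_BundleID", ""))
    if bundle_id in blocked:
        return False
    return not allowed or bundle_id in allowed


def payload_to_plist(payload):
    """Serialize the payload to the XML plist form shown in the Tip."""
    return plistlib.dumps(payload).decode()
```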