Kerberos Extensible Single Sign-On (SSO) | iOS/ Shared iPad User

About this task

Kerberos Extensible Single Sign-On (SSO) enables users to authenticate once and access resources without re-entering their credentials. Kerberos Extensible SSO authentication features include mutual authentication, ticket-based authentication, and encryption of authentication messages. These features help to prevent security threats and protect against credential theft and other vulnerabilities.
Important: iOS devices must be running iOS 13.0 or later. This feature is incompatible with Shared iPads.

Procedure

  1. Create or edit a Reactive iOS/ Shared iPad User profile and add the Kerberos Extensible SSO configuration from the Security & Restrictions configurations list.
    Note: Shared iPad Users select the Kerberos Extensible Single Sign On configuration instead.
    (Figure: Selecting the Kerberos SSO profile configuration in a Reactive iOS profile.)
  2. In the Realm field, enter the IP address or hostname of the domain, that is, the administrative network partition that shares a common security policy and authentication database.
  3. Select (Add) in the Add Host Names section to identify the host or domain names which the app extension can authenticate through.
  4. In the Principal Name field, enter the principal name without the realm.
  5. Enter the URL of the Active Directory site used by the Kerberos extension in the Site Code field.
  6. Select the Public Key Cryptography for Initial Authentication (PKINIT) certificate for renewing the Kerberos credential from the Certificate list.
  7. Turn on Allow Automatic Login to enable automatic logins.
    Note: When disabled, passwords cannot be saved to the keychain.
  8. Turn on Is Default Realm to set the specified realm as the default when configuring more than one Kerberos extension.
  9. Turn on Require User Presence to ensure the user provides Touch ID, Face ID, or their passcode to access a keychain entry.
  10. Turn on Use Site Auto-Discovery to enable the Kerberos extension to use Lightweight Directory Access Protocol (LDAP) and Domain Name System (DNS) to determine its AD site name.
  11. Select (Add) in the Add Preferred KDCs section to identify each Key Distribution Center (KDC) to handle Kerberos traffic.
    Note: The list order is by preference.
  12. In the Add Credential Bundle ID ACL section, identify each bundle ID allowed to access the Ticket Granting Ticket (TGT) by selecting (Add).
    Tip: You can add more than one bundle ID by importing a CSV. Select (Import) to locate and import your CSV file. Each line of the CSV file must be in the format Application Bundle Identifier, Application Name. Validate that all applications are present. Missing applications may indicate a problem with your CSV file.
  13. Save the configuration and assign the profile to your target devices.
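The following Python script is an added example, not code from the MDM vendor: it shows what the settings entered in steps 2 to 12 become on the device, namely an Apple Extensible SSO (com.apple.extensiblesso) payload for Apple's Kerberos extension, and it validates a bundle-ID CSV of the format described in the step 12 tip so that a malformed line can be traced before the ACL is imported. The payload keys (ExtensionIdentifier, TeamIdentifier, Type, Realm, Hosts, ExtensionData and the Kerberos keys inside it) follow Apple's Extensible SSO documentation; the realm, hosts, KDCs, bundle IDs, site code and PayloadIdentifier values are constructed sample values.

```python
"""Build an Apple Extensible SSO (Kerberos) payload from the procedure's
settings and validate the bundle-ID CSV used for the credential ACL.

Added example; the sample realm, hosts, KDCs, site code and bundle IDs are
constructed for illustration.
"""
import csv
import io
import plistlib
import re
import uuid

# Reverse-DNS bundle identifier: dot-separated labels of letters, digits, hyphens.
_BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Fixed identifiers Apple assigns to its own Kerberos SSO extension.
KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"
KERBEROS_TEAM_ID = "apple"


def parse_bundle_id_csv(text):
    """Parse 'Application Bundle Identifier, Application Name' lines.

    Returns (acl, problems): acl is the ordered, de-duplicated list of bundle
    IDs; problems lists messages for lines that do not match the required
    format, so a missing application can be traced to its faulty line.
    """
    acl, seen, problems = [], set(), []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not any(cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 2:
            problems.append(f"line {lineno}: expected 2 fields, got {len(row)}")
            continue
        bundle_id, app_name = (cell.strip() for cell in row)
        if not _BUNDLE_ID_RE.match(bundle_id):
            problems.append(f"line {lineno}: invalid bundle identifier {bundle_id!r}")
            continue
        if not app_name:
            problems.append(f"line {lineno}: missing application name")
            continue
        if bundle_id not in seen:  # duplicates collapse into one ACL entry
            seen.add(bundle_id)
            acl.append(bundle_id)
    return acl, problems


def build_kerberos_sso_payload(realm, hosts, principal_name, site_code,
                               preferred_kdcs, credential_bundle_id_acl,
                               allow_automatic_login=True, is_default_realm=True,
                               require_user_presence=False,
                               use_site_auto_discovery=True):
    """Return the com.apple.extensiblesso payload for the Kerberos extension."""
    if not realm or not hosts:
        raise ValueError("realm and at least one host are required")
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.sso.kerberos.{realm.lower()}",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Kerberos SSO ({realm})",
        "ExtensionIdentifier": KERBEROS_EXTENSION_ID,
        "TeamIdentifier": KERBEROS_TEAM_ID,
        "Type": "Credential",           # Kerberos is a credential-type extension
        "Realm": realm,                 # step 2
        "Hosts": list(hosts),           # step 3
        "ExtensionData": {
            "principalName": principal_name,                    # step 4
            "siteCode": site_code,                              # step 5
            "allowAutomaticLogin": allow_automatic_login,       # step 7
            "isDefaultRealm": is_default_realm,                 # step 8
            "requireUserPresence": require_user_presence,       # step 9
            "useSiteAutoDiscovery": use_site_auto_discovery,    # step 10
            "preferredKDCs": list(preferred_kdcs),              # step 11, in order
            "credentialBundleIDACL": list(credential_bundle_id_acl),  # step 12
        },
    }


def to_mobileconfig(payloads, display_name="Kerberos SSO"):
    """Wrap payloads in a top-level profile and serialise to plist XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.kerberos-sso",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


# Constructed sample CSV: a duplicate, a blank line and two malformed lines.
SAMPLE_CSV = """\
com.example.mail, Example Mail
com.example.files, Example Files
com.example.mail, Example Mail

not a bundle id, Broken App
com.example.notes
"""

if __name__ == "__main__":
    acl, problems = parse_bundle_id_csv(SAMPLE_CSV)
    for p in problems:
        print("CSV problem:", p)
    payload = build_kerberos_sso_payload(
        realm="EXAMPLE.COM", hosts=[".example.com", "intranet.example.com"],
        principal_name="jdoe", site_code="HQ",
        preferred_kdcs=["kdc1.example.com:88", "kdc2.example.com:88"],
        credential_bundle_id_acl=acl, require_user_presence=True)
    print(to_mobileconfig([payload]).decode())
```

Running the script reports the two malformed CSV lines (lines 5 and 6), keeps the duplicate entry only once, and prints the resulting .mobileconfig XML; the preferredKDCs list preserves the order in which KDCs were given, matching the preference order noted in step 11.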

Results

You have successfully configured a Kerberos Extensible SSO profile for your devices. The profile is now visible in the Profiles view.