Announced in 2022 at the Worldwide Developers Conference (WWDC), Platform Single Sign-On (SSO) is an SSO feature created by Apple for all its Mac devices. It leverages Apple’s SSO extension framework for secure, passwordless authentication using Touch ID or secure tokens.
Through Platform SSO, users benefit from passwordless authentication, enhanced security, and a consistent experience whether logging into their devices, enterprise applications, or web browsers.
Let’s break down all there is to know about Platform SSO: what it is, how it works, and its benefits.
What is Platform SSO?
Platform SSO is an advanced SSO feature developed by Apple. Available for macOS 13 and later, it replaces Active Directory binding. It lets a user's local account credentials synchronize with the organization's identity provider (IdP), so that the user needs to log in only once.
This means that after a user has logged in to their iPhone, iPad, or macOS device with their credentials or smart card, they automatically have access to all applications, websites, and services assigned to that user identity. This reduces password fatigue and removes the need for entering a password multiple times.
Platform SSO 2.0 (or Platform SSO V2, Version 2) is an updated version of Platform SSO that adds a new key service. According to Apple, it "enables an alternative registration flow and additional login configuration." This means new capabilities to support features like password syncing and creating users at the login window.
Platform SSO integrates identity directly into the macOS login window. It is not limited to apps and websites but integrates a user’s cloud identity directly with their local user account. Once a user is registered, their local user password can either synchronize with the IdP user, or the framework can leverage a protected Secure Enclave-backed key as a form of phishing-resistant authentication.
How does Platform SSO work?
Platform SSO binds the user’s local account and cloud-based IdP identity. This allows the user to automatically sign into business apps when they log in to their Mac device with their IdP login credentials.
To achieve this, Platform SSO registers the device with the IdP using a Secure Enclave-backed key, so that the IdP can identify the endpoint. The device profile, configured through an MDM platform, includes the necessary system settings for integrating with the IdP and enabling seamless SSO.
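The device profile described above, as an added example that is not from the original post or from any MDM vendor: a configuration profile using Apple's com.apple.extensiblesso payload with the Secure Enclave-backed key method selected, which is the phishing-resistant option (the Password method keeps the local password in sync with the IdP instead). The extension identifier, team identifier, IdP URL, and payload identifiers are placeholders to be replaced with the IdP vendor's values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>com.apple.extensiblesso</string>
  <key>PayloadIdentifier</key>
  <string>com.example.platformsso</string> <!-- placeholder -->
  <key>PayloadUUID</key>
  <string>00000000-0000-0000-0000-000000000001</string> <!-- placeholder -->
  <key>PayloadVersion</key>
  <integer>1</integer>
  <!-- The IdP vendor's SSO extension; bundle id and team id are placeholders -->
  <key>ExtensionIdentifier</key>
  <string>com.example.idp.ssoextension</string>
  <key>TeamIdentifier</key>
  <string>ABCDE12345</string>
  <key>Type</key>
  <string>Redirect</string>
  <key>URLs</key>
  <array>
    <string>https://login.example.com/</string> <!-- placeholder IdP URL -->
  </array>
  <key>PlatformSSO</key>
  <dict>
    <!-- UserSecureEnclaveKey: the device-bound key never leaves the Secure Enclave,
         so there is no password to phish. "Password" would sync the local password
         with the IdP instead; "SmartCard" uses a smart card identity. -->
    <key>AuthenticationMethod</key>
    <string>UserSecureEnclaveKey</string>
    <!-- Per-user keys keep registration tied to each user; shared device keys are
         intended for shared Macs -->
    <key>UseSharedDeviceKeys</key>
    <false/>
    <!-- Create a local account at the login window from IdP credentials
         (the Platform SSO 2.0 capability described above) -->
    <key>EnableCreateUserAtLogin</key>
    <true/>
    <!-- Accounts created or authorized through the IdP are standard users,
         not local administrators -->
    <key>NewUserAuthorizationMode</key>
    <string>Standard</string>
    <key>UserAuthorizationMode</key>
    <string>Standard</string>
    <key>AccountDisplayName</key>
    <string>Example Corp</string> <!-- placeholder -->
  </dict>
</dict>
</plist>
```

After the profile is installed, the registration state and authentication method can be confirmed on the Mac under System Settings and with `app-sso platform -s` in Terminal.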
What is SSOe?
Single Sign-On Extension (SSOe), also referred to as Extensible SSO, is Platform SSO’s predecessor. It required users to sign in twice: once to unlock the device and once to use the SSO extension. Platform SSO further improved upon it by directly tying the local account to the single sign-on application, removing the need for multiple logins.
Features of Platform SSO
Platform SSO supports the following features:
- Activate and enforce Platform SSO during Automated Device Enrolment to authenticate the enrolment, sign in with a Managed Apple Account, and create a local user.
- Provide an SSO experience for native and web apps.
- Provide information about Platform SSO in System Settings.
- Synchronise passwords of local user accounts with the IdP and define login policies.
- Define group permissions of IdP accounts and allow people to use network-only IdP accounts at authorization prompts.
- Create local user accounts on demand when logging in with credentials from an IdP account.
- Support guest users who log in temporarily with their IdP credentials on shared Mac computers.
Benefits of Platform SSO
Enabling SSO for user authentication simplifies multiple aspects of device access management, identity management, user management, and security programs. It reduces IT workload and provides efficient workflows. A few of the benefits are:
1. Streamlined user authentication
Users log in just once and have access to the resources they need.
2. Compatibility with MFA
Along with Platform SSO, Face ID or Touch ID, a hardware key, or even push notifications for some apps can be implemented.
3. Superior user experience
With password sync, users only have to remember one password, and don’t have to re-enter it constantly.
4. Fewer IT tickets
Platform SSO enforces the password policy, and passwords remain in sync. This means less IT team overhead.
5. Improved access management
Platform SSO simplifies user access control by centralizing the identity management process, allowing secure access to Apple Mac devices with less effort.
6. Enhanced security
By allowing users to access multiple accounts through one set of credentials, it reduces password fatigue. Users can select strong, secure passwords without having to remember multiple passwords that become prone to leaks.
7. Better compliance
Platform SSO makes it easier to enforce uniform access policies and track authentication attempts. It simplifies maintaining regulatory compliance and makes it easy to meet standards like GDPR, HIPAA, or SOX.
Why Platform SSO is important for Apple device management
Platform SSO provides an Apple-native SSO experience to bolster the security posture of organizations heavily utilizing Apple’s Mac ecosystem. It also makes implementing enhanced SSO through an MDM solution much easier by bridging the gap between identity and Active Directory.
Scalefusion seamlessly supports Platform SSO to provide your organization with the flexibility and security to enhance your macOS fleet. It simplifies Mac device management by allowing IT admins to manage, secure and enforce SSO to devices, websites, and applications, all from a centralized platform.
Utilize Platform SSO for better security and efficiency for macOS devices with Scalefusion.
Sign up for a 14-day free trial now.