Extensible SSO Kerberos with Certificates

I am currently working on testing and implementation of Apple's built-in Kerberos SSO extension in my organization. We have successfully tested our extension deployment with username/password authentication on iOS devices. However, we are in a certificate-authentication-only environment and we are attempting to set up the profile to use pkcs12 certs instead of the username and password. Unfortunately I am having issues with the extension seeing the cert. The error I receive is "Kerberos login error: Certificate not found".

I'm not sure if the MDM server is generating the profile plist correctly for the extension. For VPN, the cert payload is added into the same PayloadContent as the VPN payload, but I don't see anything in the documentation that says where that payload should live for the SSO extension profile.

Does the certificate payload need to be embedded into the same PayloadContent as the sso extension payload, or can it be in its own profile pushed by an MDM and still be referenced via certificateUUID?


Below are two pseudo-code examples.

SSO Profile without Cert Payload, and referencing a cert elsewhere:
```xml
<!-- Abbreviated: a full profile also carries PayloadType "Configuration",
     PayloadIdentifier and PayloadVersion at the top level. -->
<plist version="1.0">
<dict>
<key>PayloadUUID</key>
<string>some-uuid-value</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>ExtensionIdentifier</key>
<string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Type</key>
<string>Credential</string>
<key>ExtensionData</key>
<dict>
<!-- refers to a com.apple.security.pkcs12 payload delivered in a different profile -->
<key>certificateUUID</key>
<string>Cert-payload-UUID</string>
</dict>
<key>Realm</key>
<string>MY-TEST-REALM.COM</string>
<key>Hosts</key>
<array>
<string>example.com</string>
</array>
</dict>
</array>
</dict>
</plist>
```

Profile with the certificate payload embedded:

```xml
<plist version="1.0">
<dict>
<key>PayloadUUID</key>
<string>some-uuid-value</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>ORG-NAME</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>ExtensionIdentifier</key>
<string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Type</key>
<string>Credential</string>
<key>ExtensionData</key>
<dict>
<!-- must equal the PayloadUUID of the pkcs12 payload below -->
<key>certificateUUID</key>
<string>Cert-payload-UUID</string>
</dict>
<key>Realm</key>
<string>MY-TEST-REALM.COM</string>
<key>Hosts</key>
<array>
<string>example.com</string>
</array>
</dict>
<dict>
<key>PayloadUUID</key>
<string>Cert-payload-UUID</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<!-- the PKCS#12 blob goes under the payload's PayloadContent key, base64-encoded -->
<key>PayloadContent</key>
<data>
CERT DATA
</data>
</dict>
</array>
</dict>
</plist>
```


Documentation reference:
https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignonkerberos
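Added example (not from the post, the MDM vendor or Apple): a small validator you can point at the profile your MDM actually emits, to catch the kind of mistake that produces "Certificate not found" before it reaches a device. It indexes every payload in the profile by PayloadUUID, then checks that each Kerberos SSO payload's `certificateUUID` resolves to a `com.apple.security.pkcs12` payload in the same profile and that that payload carries a `<data>` blob. It assumes the same-profile layout (the second example above) and does not settle whether the extension also accepts a certificate pushed in a separate profile; all UUIDs, PayloadIdentifiers and the PKCS#12 bytes are constructed placeholders.

```python
"""Sanity-check a Kerberos SSO extension profile for PKINIT certificate references.

Added example, not from the post or Apple. Every UUID, identifier and the
PKCS#12 blob below is a constructed placeholder. The check assumes the
certificate payload travels in the same profile as the SSO payload.
"""
import plistlib
from typing import Any

SSO_PAYLOAD_TYPE = "com.apple.extensiblesso"
KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"
PKCS12_PAYLOAD_TYPE = "com.apple.security.pkcs12"


def validate_kerberos_sso_profile(profile_bytes: bytes) -> list[str]:
    """Return the problems found in a configuration profile (empty list if consistent)."""
    profile: dict[str, Any] = plistlib.loads(profile_bytes)
    problems: list[str] = []

    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")

    payloads = profile.get("PayloadContent")
    if not isinstance(payloads, list):
        return problems + ["top-level PayloadContent must be an array of payload dicts"]

    # Index every payload in this profile so certificateUUID references can be resolved.
    type_by_uuid: dict[str, str] = {}
    for p in payloads:
        uuid = p.get("PayloadUUID")
        if not uuid:
            problems.append(f"payload of type {p.get('PayloadType')!r} has no PayloadUUID")
            continue
        type_by_uuid[uuid] = p.get("PayloadType", "")

    kerberos = [p for p in payloads
                if p.get("PayloadType") == SSO_PAYLOAD_TYPE
                and p.get("ExtensionIdentifier") == KERBEROS_EXTENSION_ID]
    if not kerberos:
        problems.append("no Kerberos SSO extension payload found")

    for p in kerberos:
        if p.get("Type") != "Credential":
            problems.append("Kerberos SSO payload Type must be 'Credential'")
        if not p.get("Realm"):
            problems.append("Kerberos SSO payload has no Realm")
        cert_uuid = (p.get("ExtensionData") or {}).get("certificateUUID")
        if cert_uuid is None:
            problems.append("ExtensionData has no certificateUUID")
        elif cert_uuid not in type_by_uuid:
            problems.append(f"certificateUUID {cert_uuid!r} does not match any payload in this profile")
        elif type_by_uuid[cert_uuid] != PKCS12_PAYLOAD_TYPE:
            problems.append(f"certificateUUID {cert_uuid!r} points at a "
                            f"{type_by_uuid[cert_uuid]!r} payload, expected {PKCS12_PAYLOAD_TYPE!r}")

    # A pkcs12 payload must carry the PKCS#12 bytes as <data> under PayloadContent.
    for p in payloads:
        if p.get("PayloadType") == PKCS12_PAYLOAD_TYPE:
            blob = p.get("PayloadContent")
            if not isinstance(blob, bytes) or not blob:
                problems.append(f"pkcs12 payload {p.get('PayloadUUID')!r} has no <data> in PayloadContent")
    return problems


# --- constructed sample profiles (placeholder UUIDs/identifiers, fake PKCS#12 bytes) ---
CERT_UUID = "22222222-2222-4222-8222-222222222222"


def _kerberos_payload(cert_uuid: str) -> dict[str, Any]:
    return {"PayloadType": SSO_PAYLOAD_TYPE, "PayloadUUID": "11111111-1111-4111-8111-111111111111",
            "PayloadIdentifier": "com.example.sso.kerberos", "PayloadVersion": 1,
            "ExtensionIdentifier": KERBEROS_EXTENSION_ID, "Type": "Credential",
            "Realm": "MY-TEST-REALM.COM", "Hosts": ["example.com"],
            "ExtensionData": {"certificateUUID": cert_uuid}}


def _pkcs12_payload(uuid: str, payload_type: str = PKCS12_PAYLOAD_TYPE) -> dict[str, Any]:
    return {"PayloadType": payload_type, "PayloadUUID": uuid,
            "PayloadIdentifier": "com.example.sso.pkinit-cert", "PayloadVersion": 1,
            "PayloadContent": b"placeholder, not a real PKCS#12 blob"}


def _profile(*payloads: dict[str, Any]) -> bytes:
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadScope": "System",
                           "PayloadUUID": "00000000-0000-4000-8000-000000000000",
                           "PayloadIdentifier": "com.example.sso", "PayloadVersion": 1,
                           "PayloadContent": list(payloads)})


GOOD_PROFILE = _profile(_kerberos_payload(CERT_UUID), _pkcs12_payload(CERT_UUID))
SSO_ONLY_PROFILE = _profile(_kerberos_payload(CERT_UUID))          # cert pushed elsewhere
TYPO_PROFILE = _profile(_kerberos_payload(CERT_UUID),
                        _pkcs12_payload(CERT_UUID, "com.apple.security.pkscs12"))  # misspelled type

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PROFILE), ("sso-only", SSO_ONLY_PROFILE), ("typo", TYPO_PROFILE)]:
        print(name, validate_kerberos_sso_profile(blob) or "OK")
```

To run it against a real profile, export the signed `.mobileconfig` from the MDM, strip the CMS signature (for example with `security cms -D -i profile.mobileconfig` on macOS) and pass the resulting bytes to `validate_kerberos_sso_profile`. Note that a misspelled PayloadType such as `pkscs12` is reported as the reference pointing at the wrong payload type, which is exactly the failure the second pseudo-code block in the post would have produced.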

Replies

Hi, were you able to sort out this issue and find a solution?
Facing the same issue right now.

Thanks!